Windows Analysis Report
6qqWn6eIGG.dll

Overview

General Information

Sample name: 6qqWn6eIGG.dll (renamed because original name is a hash value)
Original sample name: 430599e85618bd750b5bbfb21cb5f857.dll
Analysis ID: 1591270
MD5: 430599e85618bd750b5bbfb21cb5f857
SHA1: c9ff0c824d324d6047a31eb07da54ba43a0a8b86
SHA256: ec2a990e5ceea72eec6128d38e8debedffbe6cac244f7ee5e5e3d58e2ad0b202
Tags: dll, exe, user-mentality

Detection

Wannacry
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Wannacry ransomware
AI detected suspicious sample
Connects to many different private IPs (likely to spread or exploit)
Connects to many different private IPs via SMB (likely to spread or exploit)
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
File is packed with WinRar
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Sample execution stops while process was sleeping (likely an evasion)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

(classification graph not reproduced in this extract)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 5028 cmdline: loaddll32.exe "C:\Users\user\Desktop\6qqWn6eIGG.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 1848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3168 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6qqWn6eIGG.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 5980 cmdline: rundll32.exe "C:\Users\user\Desktop\6qqWn6eIGG.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 4396 cmdline: rundll32.exe C:\Users\user\Desktop\6qqWn6eIGG.dll,PlayGame MD5: 889B99C52A60DD49227C5E485A016679)
      • mssecsvr.exe (PID: 4832 cmdline: C:\WINDOWS\mssecsvr.exe MD5: 03E8741684A2EA2AA24BAD8DA574435E)
        • tasksche.exe (PID: 5988 cmdline: C:\WINDOWS\tasksche.exe /i MD5: 1FF321DE9E6B8A865048789E18BB4232)
    • rundll32.exe (PID: 6128 cmdline: rundll32.exe "C:\Users\user\Desktop\6qqWn6eIGG.dll",PlayGame MD5: 889B99C52A60DD49227C5E485A016679)
      • mssecsvr.exe (PID: 3176 cmdline: C:\WINDOWS\mssecsvr.exe MD5: 03E8741684A2EA2AA24BAD8DA574435E)
        • tasksche.exe (PID: 5640 cmdline: C:\WINDOWS\tasksche.exe /i MD5: 1FF321DE9E6B8A865048789E18BB4232)
  • mssecsvr.exe (PID: 1172 cmdline: C:\WINDOWS\mssecsvr.exe -m security MD5: 03E8741684A2EA2AA24BAD8DA574435E)
  • cleanup
No configs have been found

Source: 6qqWn6eIGG.dll | Rule: JoeSecurity_Wannacry | Description: Yara detected Wannacry ransomware | Author: Joe Security
Source: 6qqWn6eIGG.dll | Rule: WannaCry_Ransomware | Description: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly) | Strings:
  • 0x353d0:$x3: tasksche.exe
  • 0x353a8:$x8: C:\%s\qeriuwjhrf
  • 0x3014:$s1: C:\%s\%s
  • 0x12098:$s1: C:\%s\%s
  • 0x1b39c:$s1: C:\%s\%s
  • 0x353bc:$s1: C:\%s\%s
  • 0x326f0:$s5: \\192.168.56.20\IPC$
  • 0x1fae5:$s6: \\172.16.99.5\IPC$
  • 0xd195:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
  • 0x78da:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
  • 0x5449:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
Source: 00000005.00000002.2131532047.000000000040F000.00000008.00000001.01000000.00000004.sdmp | Rule: JoeSecurity_Wannacry | Description: Yara detected Wannacry ransomware | Author: Joe Security
Source: 00000009.00000002.2140985093.000000000040F000.00000008.00000001.01000000.00000004.sdmp | Rule: JoeSecurity_Wannacry | Description: Yara detected Wannacry ransomware | Author: Joe Security
Source: 00000007.00000000.2117428894.000000000040F000.00000008.00000001.01000000.00000004.sdmp | Rule: JoeSecurity_Wannacry | Description: Yara detected Wannacry ransomware | Author: Joe Security
Source: 00000007.00000002.2767855355.000000000042E000.00000004.00000001.01000000.00000004.sdmp | Rule: JoeSecurity_Wannacry | Description: Yara detected Wannacry ransomware | Author: Joe Security
Source: 00000007.00000002.2769349749.0000000002282000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Wannacry | Description: Yara detected Wannacry ransomware | Author: Joe Security
(6 entries in the full report)
Source: 7.2.mssecsvr.exe.1d50084.5.raw.unpack | Rule: WannaCry_Ransomware | Description: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly) | Strings:
  • 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
  • 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
  • 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
Source: 7.2.mssecsvr.exe.22738c8.9.unpack | Rule: JoeSecurity_Wannacry | Description: Yara detected Wannacry ransomware | Author: Joe Security
Source: 7.2.mssecsvr.exe.22738c8.9.unpack | Rule: WannaCry_Ransomware | Description: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly) | Strings:
  • 0x3136c:$x3: tasksche.exe
  • 0x31344:$x8: C:\%s\qeriuwjhrf
  • 0x17338:$s1: C:\%s\%s
  • 0x31358:$s1: C:\%s\%s
  • 0x2e68c:$s5: \\192.168.56.20\IPC$
  • 0x1ba81:$s6: \\172.16.99.5\IPC$
  • 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
  • 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
  • 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
Source: 7.2.mssecsvr.exe.22738c8.9.unpack | Rule: WannaCry_Ransomware_Gen | Description: Detects WannaCry Ransomware | Author: Florian Roth (based on rule by US CERT) | Strings:
  • 0x1bacc:$s1: __TREEID__PLACEHOLDER__
  • 0x1bb68:$s1: __TREEID__PLACEHOLDER__
  • 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
  • 0x1d439:$s1: __TREEID__PLACEHOLDER__
  • 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
  • 0x1f508:$s1: __TREEID__PLACEHOLDER__
  • 0x20570:$s1: __TREEID__PLACEHOLDER__
  • 0x215d8:$s1: __TREEID__PLACEHOLDER__
  • 0x22640:$s1: __TREEID__PLACEHOLDER__
  • 0x236a8:$s1: __TREEID__PLACEHOLDER__
  • 0x24710:$s1: __TREEID__PLACEHOLDER__
  • 0x25778:$s1: __TREEID__PLACEHOLDER__
  • 0x267e0:$s1: __TREEID__PLACEHOLDER__
  • 0x27848:$s1: __TREEID__PLACEHOLDER__
  • 0x288b0:$s1: __TREEID__PLACEHOLDER__
  • 0x29918:$s1: __TREEID__PLACEHOLDER__
  • 0x2a980:$s1: __TREEID__PLACEHOLDER__
  • 0x2ab94:$s1: __TREEID__PLACEHOLDER__
  • 0x2abf4:$s1: __TREEID__PLACEHOLDER__
  • 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
  • 0x2e340:$s1: __TREEID__PLACEHOLDER__
Source: 5.0.mssecsvr.exe.400000.0.unpack | Rule: JoeSecurity_Wannacry | Description: Yara detected Wannacry ransomware | Author: Joe Security
(35 entries in the full report)
No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-14T21:03:31.891094+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.5 | 49704 | 103.224.212.215 | 80 | TCP
2025-01-14T21:03:33.492425+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.5 | 49706 | 103.224.212.215 | 80 | TCP
2025-01-14T21:05:39.497573+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.5 | 50614 | 103.224.212.215 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-14T21:03:30.986998+0100 | 2830018 | 1 | A Network Trojan was detected | 192.168.2.5 | 57178 | 1.1.1.1 | 53 | UDP

                  AV Detection

Source: 6qqWn6eIGG.dll | Avira: detected
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-312f-890a-41fa0d8d0e | Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-3312-aefe-653e09ef051d | Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/ | Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-3312-aefe-653e09ef05 | Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-347d-85b7-a8856e518b | Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-347d-85b7-a8856e518b6d | Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-312f-890a-41fa0d8d0e72 | Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0705-398f-94c8-f5d240e73af9 | Avira URL Cloud: Label: malware
Source: C:\Windows\tasksche.exe | Avira: detection malicious, Label: TR/Rasftuby.cpsmo
Source: C:\WINDOWS\qeriuwjhrf (copy) | ReversingLabs: Detection: 96%
Source: C:\Windows\tasksche.exe | ReversingLabs: Detection: 96%
Source: 6qqWn6eIGG.dll | Virustotal: Detection: 94%
Source: 6qqWn6eIGG.dll | ReversingLabs: Detection: 92%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.7% probability
Source: 6qqWn6eIGG.dll | Joe Sandbox ML: detected

                  Exploits

Source: 6qqWn6eIGG.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: Binary string: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb | source: tasksche.exe, 0000000A.00000000.2130160027.000000000042A000.00000002.00000001.01000000.00000007.sdmp, tasksche.exe, 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp, tasksche.exe, 0000000B.00000000.2140206636.000000000042A000.00000002.00000001.01000000.00000007.sdmp, tasksche.exe, 0000000B.00000002.3363264138.000000000042A000.00000002.00000001.01000000.00000007.sdmp, 6qqWn6eIGG.dll, tasksche.exe.5.dr
Source: C:\Windows\tasksche.exe | Code function: 10_2_00409476 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,10_2_00409476
Source: C:\Windows\tasksche.exe | Code function: 10_2_0040DE5E SendDlgItemMessageW,DestroyIcon,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SHGetFileInfoW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,10_2_0040DE5E

Networking

Source: Network traffic | Suricata IDS: 2830018 - Severity 1 - ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup) : 192.168.2.5:57178 -> 1.1.1.1:53
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /?subid1=20250115-0703-312f-890a-41fa0d8d0e72 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /?subid1=20250115-0703-3312-aefe-653e09ef051d HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache Cookie: __tad=1736885011.1575354
Source: global traffic | HTTP traffic detected: GET /?subid1=20250115-0703-347d-85b7-a8856e518b6d HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive Cookie: parking_session=a95eefa5-1fa4-4707-a8db-f9d18c124d8c
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /?subid1=20250115-0705-398f-94c8-f5d240e73af9 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49706 -> 103.224.212.215:80
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49704 -> 103.224.212.215:80
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:50614 -> 103.224.212.215:80
Source: global traffic | DNS traffic detected: DNS query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: global traffic | DNS traffic detected: DNS query: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: mssecsvr.exe, 00000007.00000002.2768575914.0000000000C3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
Source: mssecsvr.exe, 00000005.00000002.2132344584.0000000000A37000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000005.00000002.2132344584.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-312f-890a-41fa0d8d0e
Source: mssecsvr.exe, 00000007.00000002.2768575914.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-3312-aefe-653e09ef05
Source: mssecsvr.exe, 00000009.00000002.2141807571.0000000000CED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-347d-85b7-a8856e518b
Source: 6qqWn6eIGG.dll | String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: mssecsvr.exe, 00000009.00000002.2141807571.0000000000CED000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000002.2141807571.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
Source: mssecsvr.exe, 00000005.00000002.2132344584.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/3
Source: mssecsvr.exe, 00000009.00000002.2141807571.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?
Source: mssecsvr.exe, 00000009.00000003.2139375248.0000000000D24000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/H
Source: mssecsvr.exe, 00000007.00000002.2768575914.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/VGV
Source: mssecsvr.exe, 00000007.00000002.2768575914.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/oGV?
Source: mssecsvr.exe, 00000009.00000002.2141807571.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/w
Source: mssecsvr.exe, 00000007.00000002.2767315794.000000000019D000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ
Source: unknown | Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: 6qqWn6eIGG.dll, type: SAMPLE
Source: Yara match | File source: 7.2.mssecsvr.exe.22738c8.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.mssecsvr.exe.2282948.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.mssecsvr.exe.1d5f104.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.mssecsvr.exe.1d50084.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.mssecsvr.exe.1d5f104.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.mssecsvr.exe.1d5b0a4.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.mssecsvr.exe.227e8e8.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.mssecsvr.exe.2282948.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.2131532047.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2140985093.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.2117428894.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2767855355.000000000042E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2769349749.0000000002282000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.2127384895.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.2097891962.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2769091093.0000000001D5F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: mssecsvr.exe PID: 4832, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: mssecsvr.exe PID: 1172, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: mssecsvr.exe PID: 3176, type: MEMORYSTR

System Summary

Source: 6qqWn6eIGG.dll, type: SAMPLE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.1d50084.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.22738c8.9.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.22738c8.9.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.2.mssecsvr.exe.22738c8.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.2.mssecsvr.exe.2282948.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.2282948.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.2.mssecsvr.exe.1d5f104.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.1d5f104.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.2.mssecsvr.exe.1d50084.5.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.1d50084.5.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.2.mssecsvr.exe.1d5f104.4.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.2.mssecsvr.exe.1d5b0a4.3.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.227e8e8.8.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.2282948.6.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\tasksche.exe | Code function: 10_2_0040690A: __EH_prolog,_wcslen,_wcscpy,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,_wcscpy,_wcscpy,_wcscpy,_wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\WINDOWS\mssecsvr.exe
Source: C:\Windows\mssecsvr.exe | File created: C:\WINDOWS\tasksche.exe
Source: C:\Windows\mssecsvr.exe | File created: C:\WINDOWS\tasksche.exe
Source: C:\Windows\tasksche.exe | File created: C:\Windows\__tmp_rar_sfx_access_check_6784656
Source: C:\Windows\tasksche.exe | File created: C:\Windows\eee.exe
Source: C:\Windows\tasksche.exe | File created: C:\Windows\__tmp_rar_sfx_access_check_6785484
Source: C:\Windows\tasksche.exe | File created: C:\Windows\eee.exe
Source: C:\Windows\tasksche.exe | File deleted: C:\Windows\__tmp_rar_sfx_access_check_6784656
Source: Joe Sandbox View | Dropped File: C:\Windows\eee.exe 95EF1D077176B0DE86FB8BA7BF2AE56A08BF7944B05424A2F6E013ACDF5FD684
Source: C:\Windows\tasksche.exe | Code function: String function: 0041AAF0 appears 49 times
Source: C:\Windows\tasksche.exe | Code function: String function: 0041A4DC appears 37 times
Source: C:\Windows\tasksche.exe | Code function: String function: 0041FA9C appears 38 times
Source: eee.exe.10.dr | Static PE information: No import functions for PE file found
Source: 6qqWn6eIGG.dll, type: SAMPLE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.1d50084.5.raw.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.22738c8.9.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.22738c8.9.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.2.mssecsvr.exe.22738c8.9.raw.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.2.mssecsvr.exe.2282948.6.raw.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.2282948.6.raw.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.2.mssecsvr.exe.1d5f104.4.raw.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.1d5f104.4.raw.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.2.mssecsvr.exe.1d50084.5.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.1d50084.5.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.2.mssecsvr.exe.1d5f104.4.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
                  Source: 7.2.mssecsvr.exe.1d5b0a4.3.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                  Source: 7.2.mssecsvr.exe.227e8e8.8.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                  Source: 7.2.mssecsvr.exe.2282948.6.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                  Source: classification engine | Classification label: mal100.rans.expl.evad.winDLL@20/3@2/100
                  Source: C:\Windows\tasksche.exe | Code function: 10_2_00406553 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle | 10_2_00406553
                  Source: C:\Windows\mssecsvr.exe | Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle | 5_2_00407C40
                  Source: C:\Windows\mssecsvr.exe | Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle | 7_2_00407C40
                  Source: C:\Windows\tasksche.exe | Code function: 10_2_00419BB0 CoCreateInstance | 10_2_00419BB0
                  Source: C:\Windows\mssecsvr.exe | Code function: 5_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle | 5_2_00407CE0
                  Source: C:\Windows\mssecsvr.exe | Code function: 5_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle | 5_2_00407C40
                  Source: C:\Windows\mssecsvr.exe | Code function: 5_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA | 5_2_00408090
                  Source: C:\Windows\mssecsvr.exe | Code function: 7_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA | 7_2_00408090
                  Source: C:\Windows\tasksche.exe | File created: C:\Users\user\New folder
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1848:120:WilError_03
                  Source: C:\Windows\tasksche.exe | Command line argument: sfxname | 10_2_0040FEF0
                  Source: C:\Windows\tasksche.exe | Command line argument: sfxstime | 10_2_0040FEF0
                  Source: C:\Windows\tasksche.exe | Command line argument: STARTDLG | 10_2_0040FEF0
                  Source: C:\Windows\tasksche.exe | Command line argument: @CB | 10_2_00424290
                  Source: 6qqWn6eIGG.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Windows\tasksche.exe | File read: C:\Windows\win.ini
                  Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6qqWn6eIGG.dll,PlayGame
                  Source: 6qqWn6eIGG.dll | Virustotal: Detection: 94%
                  Source: 6qqWn6eIGG.dll | ReversingLabs: Detection: 92%
                  Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\6qqWn6eIGG.dll"
                  Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6qqWn6eIGG.dll",#1
                  Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6qqWn6eIGG.dll,PlayGame
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6qqWn6eIGG.dll",#1
                  Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
                  Source: unknown | Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe -m security
                  Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6qqWn6eIGG.dll",PlayGame
                  Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
                  Source: C:\Windows\mssecsvr.exe | Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
                  Source: C:\Windows\mssecsvr.exe | Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
                  Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
                  Source: C:\Windows\System32\loaddll32.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
                  Source: C:\Windows\mssecsvr.exe | Section loaded: apphelp.dll
                  Source: C:\Windows\mssecsvr.exe | Section loaded: msvcp60.dll
                  Source: C:\Windows\mssecsvr.exe | Section loaded: iphlpapi.dll
                  Source: C:\Windows\mssecsvr.exe | Section loaded: wininet.dll
                  Source: C:\Windows\mssecsvr.exe | Section loaded: iertutil.dll
                  Source: C:\Windows\mssecsvr.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\mssecsvr.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\mssecsvr.exe | Section loaded: wldp.dll
                  Source: C:\Windows\mssecsvr.exe | Section loaded: profapi.dll
                  Source: C:\Windows\mssecsvr.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\mssecsvr.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\mssecsvr.exe | Section loaded: winhttp.dll
                  Source: C:\Windows\mssecsvr.exe | Section loaded: mswsock.dll
                  Source: C:\Windows\mssecsvr.exe | Section loaded: winnsi.dll
                  Source: C:\Windows\mssecsvr.exe | Section loaded: urlmon.dll
                  Source: C:\Windows\mssecsvr.exe | Section loaded: srvcli.dll
                  Source: C:\Windows\mssecsvr.exe | Section loaded: netutils.dll
                  Source: C:\Windows\mssecsvr.exe | Section loaded: dnsapi.dll
                  Source: C:\Windows\mssecsvr.exe | Section loaded: rasadhlp.dll
                  Source: C:\Windows\mssecsvr.exe | Section loaded: fwpuclnt.dll
                  Source: C:\Windows\mssecsvr.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\mssecsvr.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\mssecsvr.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\mssecsvr.exe | Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\mssecsvr.exe | Section loaded: dhcpcsvc6.dll
                  Source: C:\Windows\tasksche.exe | Section loaded: apphelp.dll
                  Source: C:\Windows\tasksche.exe | Section loaded: aclayers.dll
                  Source: C:\Windows\tasksche.exe | Section loaded: mpr.dll
                  Source: C:\Windows\tasksche.exe | Section loaded: sfc.dll
                  Source: C:\Windows\tasksche.exe | Section loaded: sfc_os.dll
                  Source: C:\Windows\tasksche.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\tasksche.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\tasksche.exe | Section loaded: riched32.dll
                  Source: C:\Windows\tasksche.exe | Section loaded: riched20.dll
                  Source: C:\Windows\tasksche.exe | Section loaded: usp10.dll
                  Source: C:\Windows\tasksche.exe | Section loaded: msls31.dll
                  Source: C:\Windows\tasksche.exe | Section loaded: textshaping.dll
                  Source: C:\Windows\tasksche.exe | Section loaded: textinputframework.dll
                  Source: C:\Windows\tasksche.exe | Section loaded: coreuicomponents.dll
                  Source: C:\Windows\tasksche.exe | Section loaded: coremessaging.dll
                  Source: C:\Windows\tasksche.exe | Section loaded: ntmarta.dll
                  Source: C:\Windows\tasksche.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\tasksche.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\tasksche.exe | Section loaded: wldp.dll
                  Source: C:\Windows\tasksche.exe | Section loaded: explorerframe.dll
                  Source: C:\Windows\tasksche.exe | Section loaded: windowscodecs.dll
                  Source: C:\Windows\tasksche.exe | Section loaded: profapi.dll
                  Source: C:\Windows\tasksche.exe | Section loaded: thumbcache.dll
                  Source: C:\Windows\tasksche.exe | Section loaded: dataexchange.dll
                  Source: C:\Windows\tasksche.exe | Section loaded: d3d11.dll
                  Source: C:\Windows\tasksche.exe | Section loaded: dcomp.dll
                  Source: C:\Windows\tasksche.exe | Section loaded: dxgi.dll
                  Source: C:\Windows\tasksche.exe | Section loaded: twinapi.appcore.dll
                  Source: C:\Windows\tasksche.exe | Section loaded: propsys.dll
                  Source: C:\Windows\tasksche.exe | Section loaded: secur32.dll
                  Source: C:\Windows\tasksche.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\tasksche.exe | Section loaded: samcli.dll
                  Source: C:\Windows\tasksche.exe | Section loaded: samlib.dll
                  Source: C:\Windows\tasksche.exe | Section loaded: netutils.dll
                  Source: C:\Windows\tasksche.exe | Section loaded: networkexplorer.dll
                  Source: C:\Windows\tasksche.exe | Section loaded: policymanager.dll
                  Source: C:\Windows\tasksche.exe | Section loaded: msvcp110_win.dll
                  Source: C:\Windows\tasksche.exe | Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\tasksche.exe | Section loaded: windows.fileexplorer.common.dll
                  Source: C:\Windows\mssecsvr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                  Source: C:\Windows\tasksche.exe | Automated click: OK
                  Source: C:\Windows\tasksche.exe | File opened: C:\Windows\SysWOW64\riched32.dll
                  Source: Window Recorder | Window detected: More than 3 window changes detected
                  Source: 6qqWn6eIGG.dll | Static file information: File size 5267459 > 1048576
                  Source: 6qqWn6eIGG.dll | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000
                  Source: Binary string: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb source: tasksche.exe, 0000000A.00000000.2130160027.000000000042A000.00000002.00000001.01000000.00000007.sdmp, tasksche.exe, 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp, tasksche.exe, 0000000B.00000000.2140206636.000000000042A000.00000002.00000001.01000000.00000007.sdmp, tasksche.exe, 0000000B.00000002.3363264138.000000000042A000.00000002.00000001.01000000.00000007.sdmp, 6qqWn6eIGG.dll, tasksche.exe.5.dr
                  Source: C:\Windows\tasksche.exe | Code function: 10_2_0040CEB6 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress | 10_2_0040CEB6
                  Source: C:\Windows\tasksche.exe | File created: C:\Windows\__tmp_rar_sfx_access_check_6784656
                  Source: C:\Windows\tasksche.exe | Code function: 10_2_0041FAE1 push ecx; ret | 10_2_0041FAF4
                  Source: C:\Windows\tasksche.exe | Code function: 10_2_0041A4DC push eax; ret | 10_2_0041A4FA

                  Persistence and Installation Behavior

                  Source: C:\Windows\mssecsvr.exe | Executable created and started: C:\WINDOWS\tasksche.exe
                  Source: C:\Windows\SysWOW64\rundll32.exe | Executable created and started: C:\WINDOWS\mssecsvr.exe
                  Source: C:\Windows\mssecsvr.exe | File created: C:\WINDOWS\qeriuwjhrf (copy)
                  Source: C:\Windows\tasksche.exe | File created: C:\Windows\eee.exe
                  Source: C:\Windows\mssecsvr.exe | File created: C:\Windows\tasksche.exe
                  Source: C:\Windows\mssecsvr.exe | Code function: 5_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle | 5_2_00407C40
                  Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\mssecsvr.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\tasksche.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\mssecsvr.exe | Thread delayed: delay time: 86400000
                  Source: C:\Windows\tasksche.exe | Dropped PE file which has not been started: C:\Windows\eee.exe
                  Source: C:\Windows\tasksche.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep | graph_10-19475
                  Source: C:\Windows\mssecsvr.exe TID: 5428 | Thread sleep count: 93 > 30
                  Source: C:\Windows\mssecsvr.exe TID: 5428 | Thread sleep time: -186000s >= -30000s
                  Source: C:\Windows\mssecsvr.exe TID: 6600 | Thread sleep count: 129 > 30
                  Source: C:\Windows\mssecsvr.exe TID: 6600 | Thread sleep count: 37 > 30
                  Source: C:\Windows\mssecsvr.exe TID: 5428 | Thread sleep time: -86400000s >= -30000s
                  Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                  Source: C:\Windows\tasksche.exe | Code function: 10_2_00409476 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError | 10_2_00409476
                  Source: C:\Windows\tasksche.exe | Code function: 10_2_0040DE5E SendDlgItemMessageW,DestroyIcon,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SHGetFileInfoW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW | 10_2_0040DE5E
                  Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000
                  Source: tasksche.exe, 0000000B.00000002.3363501701.000000000054D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oy'
                  Source: tasksche.exe, 0000000B.00000002.3365130022.0000000006B40000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: mssecsvr.exe, 00000005.00000002.2132344584.0000000000A37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@8
                  Source: tasksche.exe, 0000000B.00000002.3363501701.000000000054D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                  Source: mssecsvr.exe, 00000005.00000002.2132344584.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000007.00000002.2768575914.0000000000C3C000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000002.2141807571.0000000000D1B000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000002.2141807571.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                  Source: mssecsvr.exe, 00000007.00000002.2768575914.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWHy
                  Source: tasksche.exe, 0000000B.00000002.3363501701.000000000054D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\ya
                  Source: tasksche.exe, 0000000B.00000002.3363501701.000000000054D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y"
                  Source: tasksche.exe, 0000000A.00000002.3363541837.000000000051C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\.7#m
                  Source: tasksche.exe, 0000000B.00000003.2548672865.0000000006B4C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:z
                  Source: tasksche.exe, 0000000B.00000002.3363501701.000000000054D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: tasksche.exe, 0000000B.00000002.3363501701.000000000054D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}D
                  Source: tasksche.exe, 0000000B.00000002.3363501701.000000000054D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
                  Source: tasksche.exe, 0000000B.00000003.2548720488.000000000059E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@@
                  Source: tasksche.exe, 0000000A.00000002.3363541837.000000000051C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}+4&l
                  Source: tasksche.exe, 0000000A.00000003.2325295815.000000000058D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c
                  Source: tasksche.exe, 0000000B.00000003.2745700948.0000000006B64000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
                  Source: tasksche.exe, 0000000B.00000002.3365167883.0000000006B54000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: tasksche.exe, 0000000B.00000002.3363501701.000000000054D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
                  Source: tasksche.exe, 0000000B.00000003.2745700948.0000000006B64000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: tasksche.exe, 0000000A.00000003.2325295815.000000000058D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: #{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Pro
                  Source: tasksche.exe, 0000000A.00000002.3363541837.000000000058D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0uWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevice
                  Source: tasksche.exe, 0000000A.00000003.2325295815.000000000058D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0uWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevice3
                  Source: tasksche.exe, 0000000A.00000002.3363541837.000000000051C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: C:\Windows\tasksche.exeCode function: 10_2_0041E6DE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_0041E6DE
                  Source: C:\Windows\tasksche.exeCode function: 10_2_0040CEB6 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,10_2_0040CEB6
                  Source: C:\Windows\tasksche.exeCode function: 10_2_004234CE SetUnhandledExceptionFilter,10_2_004234CE
                  Source: C:\Windows\tasksche.exeCode function: 10_2_0041E6DE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_0041E6DE
                  Source: C:\Windows\tasksche.exeCode function: 10_2_0041FFDB _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_0041FFDB
                  Source: C:\Windows\tasksche.exeCode function: 10_2_00423F89 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,10_2_00423F89
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6qqWn6eIGG.dll",#1Jump to behavior
                  Source: C:\Windows\tasksche.exeCode function: 10_2_0040CA52 cpuid 10_2_0040CA52
                  Source: C:\Windows\tasksche.exeCode function: GetLocaleInfoW,GetNumberFormatW,10_2_0040D155
                  Source: C:\Windows\tasksche.exeCode function: GetLocaleInfoA,10_2_00425EF0
                  Source: C:\Windows\tasksche.exeCode function: 10_2_0040FEF0 OleInitialize,_memset,GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,LoadBitmapW,DialogBoxParamW,DeleteObject,DeleteObject,DeleteObject,CloseHandle,Sleep,OleUninitialize,10_2_0040FEF0
                  Source: C:\Windows\tasksche.exeCode function: 10_2_00409C06 GetVersionExW,10_2_00409C06
MITRE ATT&CK matrix (one row per line; a leading number is the count shown against that technique in the report):
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 4 Windows Service | 1 Access Token Manipulation | 121 Masquerading | OS Credential Dumping | 1 Network Share Discovery | Remote Services | 1 Archive Collected Data | 12 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 2 Service Execution | 1 DLL Side-Loading | 4 Windows Service | 21 Virtualization/Sandbox Evasion | LSASS Memory | 1 System Time Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 2 Native API | Logon Script (Windows) | 11 Process Injection | 1 Access Token Manipulation | Security Account Manager | 111 Security Software Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 11 Process Injection | NTDS | 21 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 3 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Obfuscated Files or Information | Cached Domain Credentials | 23 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Rundll32 | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 File Deletion | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Behavior Graph ID: 1591270 | Sample: 6qqWn6eIGG.dll | Startdate: 14/01/2025 | Architecture: WINDOWS | Score: 100
Behavior graph (the rendered graph is not preserved; the nodes and edges recoverable from it are listed here):
• Domains: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, 77026.bodis.com
• Sample-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 6 other signatures
• loaddll32.exe started; it started rundll32.exe (two instances), cmd.exe and conhost.exe; cmd.exe started rundll32.exe
• mssecsvr.exe started; it contacted 192.168.2.102, 192.168.2.103 and 98 other IPs or domains (Connects to many different private IPs via SMB (likely to spread or exploit); Connects to many different private IPs (likely to spread or exploit))
• rundll32.exe started mssecsvr.exe, which dropped C:\Windows\tasksche.exe (PE32) and started tasksche.exe
• rundll32.exe started mssecsvr.exe (Drops executables to the windows directory (C:\Windows) and starts them), which dropped C:\WINDOWS\qeriuwjhrf (copy) (PE32) and started tasksche.exe
• tasksche.exe dropped C:\Windows\eee.exe (PE32) (Antivirus detection for dropped file; Multi AV Scanner detection for dropped file)

Source | Detection | Scanner | Label
6qqWn6eIGG.dll | 94% | Virustotal |
6qqWn6eIGG.dll | 92% | ReversingLabs | Win32.Ransomware.WannaCry
6qqWn6eIGG.dll | 100% | Avira | TR/AD.DPulsarShellcode.uvbfu
6qqWn6eIGG.dll | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Windows\tasksche.exe | 100% | Avira | TR/Rasftuby.cpsmo
C:\WINDOWS\qeriuwjhrf (copy) | 97% | ReversingLabs | Win32.Ransomware.WannaCry
C:\Windows\eee.exe | 10% | ReversingLabs |
C:\Windows\tasksche.exe | 97% | ReversingLabs | Win32.Ransomware.WannaCry
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-312f-890a-41fa0d8d0e | 100% | Avira URL Cloud | malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-3312-aefe-653e09ef051d | 100% | Avira URL Cloud | malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/ | 100% | Avira URL Cloud | malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-3312-aefe-653e09ef05 | 100% | Avira URL Cloud | malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-347d-85b7-a8856e518b | 100% | Avira URL Cloud | malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-347d-85b7-a8856e518b6d | 100% | Avira URL Cloud | malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ | 0% | Avira URL Cloud | safe
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-312f-890a-41fa0d8d0e72 | 100% | Avira URL Cloud | malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0705-398f-94c8-f5d240e73af9 | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
77026.bodis.com | 199.59.243.228 | true | false | | high
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | 103.224.212.215 | true | false | | high
ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-312f-890a-41fa0d8d0e72 | false | Avira URL Cloud: malware | unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/ | false | | high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-3312-aefe-653e09ef051d | false | Avira URL Cloud: malware | unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-347d-85b7-a8856e518b6d | false | Avira URL Cloud: malware | unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0705-398f-94c8-f5d240e73af9 | false | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-312f-890a-41fa0d8d0e | mssecsvr.exe, 00000005.00000002.2132344584.0000000000A37000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000005.00000002.2132344584.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/H | mssecsvr.exe, 00000009.00000003.2139375248.0000000000D24000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/VGV | mssecsvr.exe, 00000007.00000002.2768575914.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/ | mssecsvr.exe, 00000007.00000002.2768575914.0000000000C3C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | 6qqWn6eIGG.dll | false | | high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-347d-85b7-a8856e518b | mssecsvr.exe, 00000009.00000002.2141807571.0000000000CED000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/? | mssecsvr.exe, 00000009.00000002.2141807571.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-3312-aefe-653e09ef05 | mssecsvr.exe, 00000007.00000002.2768575914.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ | mssecsvr.exe, 00000007.00000002.2767315794.000000000019D000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/oGV? | mssecsvr.exe, 00000007.00000002.2768575914.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/w | mssecsvr.exe, 00000009.00000002.2141807571.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/3 | mssecsvr.exe, 00000005.00000002.2132344584.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
128.29.176.167 | unknown | United States | 5691 | MITRE-AS-5US | false
114.118.212.192 | unknown | China | 136958 | UNICOM-GUANGZHOU-IDCChinaUnicomGuangdongIPnetworkCN | false
131.113.135.1 | unknown | Japan | 38635 | KEIO-NETKeioUniversityJP | false
131.113.135.2 | unknown | Japan | 38635 | KEIO-NETKeioUniversityJP | false
96.109.54.1 | unknown | United States | 7922 | COMCAST-7922US | false
76.35.66.204 | unknown | United States | 18494 | CENTURYLINK-LEGACY-EMBARQ-WRBGUS | false
133.222.94.93 | unknown | Japan | 2907 | SINET-ASResearchOrganizationofInformationandSystemsN | false
2.240.171.1 | unknown | Germany | 6805 | TDDE-ASN1DE | false
2.240.171.2 | unknown | Germany | 6805 | TDDE-ASN1DE | false
92.187.212.1 | unknown | France | 12479 | UNI2-ASES | false
207.58.177.56 | unknown | United States | 30633 | LEASEWEB-USA-WDCUS | false
135.71.100.1 | unknown | United States | 18676 | AVAYAUS | false
135.71.100.2 | unknown | United States | 18676 | AVAYAUS | false
94.64.50.1 | unknown | Greece | 6799 | OTENET-GRAthens-GreeceGR | false
28.125.169.1 | unknown | United States | 7922 | COMCAST-7922US | false
172.73.100.23 | unknown | United States | 11426 | TWC-11426-CAROLINASUS | false
131.217.163.173 | unknown | Australia | 7573 | UTASTheUniversityofTasmaniaAU | false
35.61.65.8 | unknown | United States | 36375 | UMICH-AS-5US | false
42.129.113.223 | unknown | China | 4249 | LILLY-ASUS | false
114.118.212.1 | unknown | China | 136958 | UNICOM-GUANGZHOU-IDCChinaUnicomGuangdongIPnetworkCN | false
128.29.176.1 | unknown | United States | 5691 | MITRE-AS-5US | false
                                        IP
                                        192.168.2.148
                                        192.168.2.149
                                        192.168.2.146
                                        192.168.2.147
                                        192.168.2.140
                                        192.168.2.141
                                        192.168.2.144
                                        192.168.2.145
                                        192.168.2.142
                                        192.168.2.143
                                        192.168.2.159
                                        192.168.2.157
                                        192.168.2.158
                                        192.168.2.151
                                        192.168.2.152
                                        192.168.2.150
                                        192.168.2.155
                                        192.168.2.156
                                        192.168.2.153
                                        192.168.2.154
                                        192.168.2.126
                                        192.168.2.247
                                        192.168.2.127
                                        192.168.2.248
                                        192.168.2.124
                                        192.168.2.245
                                        192.168.2.125
                                        192.168.2.246
                                        192.168.2.128
                                        192.168.2.249
                                        192.168.2.129
                                        192.168.2.240
                                        192.168.2.122
                                        192.168.2.243
                                        192.168.2.123
                                        192.168.2.244
                                        192.168.2.120
                                        192.168.2.241
                                        192.168.2.121
                                        192.168.2.242
                                        192.168.2.97
                                        192.168.2.137
                                        192.168.2.96
                                        192.168.2.138
                                        192.168.2.99
                                        192.168.2.135
                                        192.168.2.98
                                        192.168.2.136
                                        192.168.2.139
                                        192.168.2.250
                                        192.168.2.130
                                        192.168.2.251
                                        192.168.2.91
                                        192.168.2.90
                                        192.168.2.93
                                        192.168.2.133
                                        192.168.2.254
                                        192.168.2.92
                                        192.168.2.134
                                        192.168.2.95
                                        192.168.2.131
                                        192.168.2.252
                                        192.168.2.94
                                        192.168.2.132
                                        192.168.2.253
                                        192.168.2.104
                                        192.168.2.225
                                        192.168.2.105
                                        192.168.2.226
                                        192.168.2.102
                                        192.168.2.223
                                        192.168.2.103
                                        192.168.2.224
                                        192.168.2.108
                                        192.168.2.229
                                        192.168.2.109
                                        192.168.2.106
                                        192.168.2.227
                                        192.168.2.107
                                        Joe Sandbox version:42.0.0 Malachite
                                        Analysis ID:1591270
                                        Start date and time:2025-01-14 21:02:33 +01:00
                                        Joe Sandbox product:CloudBasic
                                        Overall analysis duration:0h 6m 24s
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:14
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Sample name:6qqWn6eIGG.dll
                                        renamed because original name is a hash value
                                        Original Sample Name:430599e85618bd750b5bbfb21cb5f857.dll
                                        Detection:MAL
                                        Classification:mal100.rans.expl.evad.winDLL@20/3@2/100
                                        EGA Information:
                                        • Successful, ratio: 100%
                                        HCA Information:
                                        • Successful, ratio: 75%
                                        • Number of executed functions: 65
                                        • Number of non-executed functions: 92
                                        Cookbook Comments:
                                        • Found application associated with file extension: .dll
                                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                        • Excluded IPs from analysis (whitelisted): 199.232.210.172, 2.17.190.73, 13.107.253.45, 4.245.163.56
                                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                        • Report size getting too big, too many NtEnumerateKey calls found.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
15:03:32 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
15:04:07 | API Interceptor | 112x Sleep call for process: mssecsvr.exe modified
Match (IP) | Associated Sample Name / URL | Detection | Threat Name
133.222.94.93 | l1sADDB043.elf | malicious | Mirai
133.222.94.93 | XvYj8j1YWM | malicious | Mirai
Match (Domain) | Associated Sample Name / URL | Detection | Threat Name | Context (resolved IP)
77026.bodis.com | mlfk8sYaiy.dll | malicious | Wannacry | 199.59.243.228
77026.bodis.com | jgd5ZGl1vA.dll | malicious | Wannacry | 199.59.243.228
77026.bodis.com | 8dPlV2lT8o.exe | malicious | Simda Stealer | 199.59.243.227
77026.bodis.com | 7ObLFE2iMK.exe | malicious | Simda Stealer | 199.59.243.227
77026.bodis.com | UMwpXhA46R.exe | malicious | Simda Stealer | 199.59.243.227
77026.bodis.com | 1fWgBXPgiT.exe | malicious | Simda Stealer | 199.59.243.227
77026.bodis.com | arxtPs1STE.exe | malicious | Simda Stealer | 199.59.243.227
77026.bodis.com | Z8eHwAvqAh.exe | malicious | Simda Stealer | 199.59.243.227
77026.bodis.com | WlCVLbzNph.exe | malicious | Simda Stealer | 199.59.243.227
77026.bodis.com | Bpfz752pYZ.exe | malicious | Simda Stealer | 199.59.243.227
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | mlfk8sYaiy.dll | malicious | Wannacry | 103.224.212.215
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | jgd5ZGl1vA.dll | malicious | Wannacry | 103.224.212.215
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | LisectAVT_2403002A_327.dll | malicious | Wannacry | 103.224.212.215
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | yrBA01LVo2.exe | malicious | Wannacry | 103.224.212.215
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | lJt3mQqCQl.dll | malicious | Wannacry | 103.224.212.220
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | xIwkOnjSIa.dll | malicious | Wannacry | 103.224.212.220
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | IU28r0EZFA.dll | malicious | Wannacry | 103.224.212.220
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | ViNIRfmQmE.dll | malicious | Wannacry | 103.224.212.220
Match (ASN) | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
MITRE-AS-5US | x86_32.nn.elf | malicious | Mirai, Okiru | 129.83.88.111
MITRE-AS-5US | mips.elf | malicious | Unknown | 129.83.24.31
MITRE-AS-5US | yakuza.arm5.elf | malicious | Unknown | 129.83.131.0
MITRE-AS-5US | la.bot.mipsel.elf | malicious | Unknown | 128.29.188.87
MITRE-AS-5US | SecuriteInfo.com.Linux.Siggen.9999.29695.14613.elf | malicious | Unknown | 129.83.231.164
MITRE-AS-5US | mirai.m68k.elf | malicious | Mirai | 128.29.160.223
MITRE-AS-5US | RDEHNTKF1V.elf | malicious | Mirai, Moobot | 129.83.143.191
MITRE-AS-5US | TsDTSDr8mU.elf | malicious | Mirai | 129.83.231.140
MITRE-AS-5US | IBkWoEFOlH.elf | malicious | Mirai | 128.29.133.159
MITRE-AS-5US | d0iDboIDfK.elf | malicious | Mirai | 66.170.237.34
KEIO-NETKeioUniversityJP | loligang.sh4.elf | malicious | Mirai | 133.27.90.27
KEIO-NETKeioUniversityJP | sh4.nn.elf | malicious | Mirai, Okiru | 131.113.43.127
KEIO-NETKeioUniversityJP | loligang.sh4.elf | malicious | Mirai | 133.27.108.236
KEIO-NETKeioUniversityJP | m68k.elf | malicious | Unknown | 133.27.36.214
KEIO-NETKeioUniversityJP | elitebotnet.arm5.elf | malicious | Mirai, Okiru | 131.113.178.214
KEIO-NETKeioUniversityJP | x86.elf | malicious | Gafgyt, Mirai | 133.27.156.156
KEIO-NETKeioUniversityJP | i686.elf | malicious | Unknown | 131.113.81.202
KEIO-NETKeioUniversityJP | la.bot.arm6.elf | malicious | Unknown | 131.113.50.136
KEIO-NETKeioUniversityJP | mips.elf | malicious | Mirai | 131.113.230.69
KEIO-NETKeioUniversityJP | debug.dbg.elf | malicious | Mirai, Moobot | 131.113.229.90
UNICOM-GUANGZHOU-IDCChinaUnicomGuangdongIPnetworkCN | https://imtcoken.im/ | malicious | Unknown | 58.254.150.48
UNICOM-GUANGZHOU-IDCChinaUnicomGuangdongIPnetworkCN | http://www.toekan.im/ | malicious | Unknown | 58.254.150.48
UNICOM-GUANGZHOU-IDCChinaUnicomGuangdongIPnetworkCN | https://wap.sunblock-pro.com/ | malicious | Unknown | 58.254.150.48
UNICOM-GUANGZHOU-IDCChinaUnicomGuangdongIPnetworkCN | 6.elf | malicious | Unknown | 157.255.17.238
UNICOM-GUANGZHOU-IDCChinaUnicomGuangdongIPnetworkCN | http://m.escritoresunidos.com/ | malicious | Unknown | 58.254.150.48
UNICOM-GUANGZHOU-IDCChinaUnicomGuangdongIPnetworkCN | https://www.xietaoz.com/ | malicious | Unknown | 58.254.150.48
UNICOM-GUANGZHOU-IDCChinaUnicomGuangdongIPnetworkCN | http://wap.escritoresunidos.com/ | malicious | Unknown | 58.254.150.48
UNICOM-GUANGZHOU-IDCChinaUnicomGuangdongIPnetworkCN | https://aqctslc.com/ | malicious | Unknown | 58.254.150.48
UNICOM-GUANGZHOU-IDCChinaUnicomGuangdongIPnetworkCN | http://www.oinsurgente.com/ | malicious | Unknown | 58.254.150.48
UNICOM-GUANGZHOU-IDCChinaUnicomGuangdongIPnetworkCN | 1.elf | malicious | Unknown | 157.148.104.76
                                            No context
Match (Dropped File) | Associated Sample Name / URL | Detection | Threat Name
C:\Windows\eee.exe | xIwkOnjSIa.dll | malicious | Wannacry
C:\Windows\eee.exe | r2gAjMU8hM.dll | malicious | Wannacry
                                                Process:C:\Windows\mssecsvr.exe
                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
                                                Category:dropped
                                                Size (bytes):2061938
                                                Entropy (8bit):7.964411648365158
                                                Encrypted:false
                                                SSDEEP:49152:XE/bcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvm:X4oBhz1aRxcSUDk36SAEdhvm
                                                MD5:1FF321DE9E6B8A865048789E18BB4232
                                                SHA1:67A548CF33D086C224058AB30C631C04F5DAD29D
                                                SHA-256:EAD0300A439BE8EA26ABC28944D1D3EB3B111BA1B3CAD76B3B0F00B26DADD97A
                                                SHA-512:AB57E6BDCE2DD71C49AFFB8C093384E27D2CEC6B4165A0089617098AC30AB00715E0251CC5F96F5710A74215C9EB8804113C177DF7DEEF046D895AC733BBA0BC
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 97%
                                                Reputation:low
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&K.WG%.WG%.WG%.^?..LG%.^?...G%.^?..BG%.WG$.G%.^?..0G%.^?..VG%.^?..VG%.^?..VG%.RichWG%.................PE..L......U..........................................@..........................`......................................p...3............ ..(9..............................................................@............................................text.............................. ..`.rdata...P.......R..................@..@.data...(...........................@....rsrc...(9... ...:..................@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Windows\tasksche.exe
                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):1981503
                                                Entropy (8bit):0.38424875875863396
                                                Encrypted:false
                                                SSDEEP:768:2BBHFOA2zoXR5WrrTKMb5D1teJxkrc12hFoDTkN04ARNEMZQZlkayb6SoGC28jjO:23NiTmJurc+iCQNEMZUGakhcjcJdyVu
                                                MD5:1C25F6BB95D52132CEEE2ED6D4DA43D7
                                                SHA1:2BA8D778FCCC55CEEFCA6016A8BA89E6078571B3
                                                SHA-256:95EF1D077176B0DE86FB8BA7BF2AE56A08BF7944B05424A2F6E013ACDF5FD684
                                                SHA-512:BBCA81786BCB8F8DABD1A67D9EEC40D1431385A663EBD30813851905117FA7E67F6B130CBFDB094FED976CD4F22FEADC30E75EBFED0CF4F5C21D30182579D130
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 10%
                                                Joe Sandbox View:
• Filename: xIwkOnjSIa.dll, Detection: malicious
• Filename: r2gAjMU8hM.dll, Detection: malicious
                                                Reputation:low
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........1..`_Z.`_Z.`_Z...Z.`_Z...Z1`_Z...Z.`_Z.>\[.`_Z.>[[.`_Z.>Z[.`_Z...Z.`_Z...Z.`_Z.`^Z@`_Z->Z[.`_Z->_[.`_Z(>.Z.`_Z->][.`_ZRich.`_Z........PE..L......Y..........................................@.......................... ............@.........................@...4...t...(........:......................X...Pn..T...............................@...................... ....................text............................... ..`.rdata..............................@..@.data...............................@....gfids..............................@..@.rsrc....F.......H..................@..@.reloc..X........ ..................@..B........................................................................................................................................................................................................................................................
                                                Process:C:\Windows\mssecsvr.exe
                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
                                                Category:dropped
                                                Size (bytes):2061938
                                                Entropy (8bit):7.964411648365158
                                                Encrypted:false
                                                SSDEEP:49152:XE/bcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvm:X4oBhz1aRxcSUDk36SAEdhvm
                                                MD5:1FF321DE9E6B8A865048789E18BB4232
                                                SHA1:67A548CF33D086C224058AB30C631C04F5DAD29D
                                                SHA-256:EAD0300A439BE8EA26ABC28944D1D3EB3B111BA1B3CAD76B3B0F00B26DADD97A
                                                SHA-512:AB57E6BDCE2DD71C49AFFB8C093384E27D2CEC6B4165A0089617098AC30AB00715E0251CC5F96F5710A74215C9EB8804113C177DF7DEEF046D895AC733BBA0BC
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Avira, Detection: 100%
                                                • Antivirus: ReversingLabs, Detection: 97%
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&K.WG%.WG%.WG%.^?..LG%.^?...G%.^?..BG%.WG$.G%.^?..0G%.^?..VG%.^?..VG%.^?..VG%.RichWG%.................PE..L......U..........................................@..........................`......................................p...3............ ..(9..............................................................@............................................text.............................. ..`.rdata...P.......R..................@..@.data...(...........................@....rsrc...(9... ...:..................@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                Entropy (8bit):4.289820386110604
                                                TrID:
                                                • Win32 Dynamic Link Library (generic) (1002004/3) 98.32%
                                                • Windows Screen Saver (13104/52) 1.29%
                                                • Generic Win/DOS Executable (2004/3) 0.20%
                                                • DOS Executable Generic (2002/1) 0.20%
                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                File name:6qqWn6eIGG.dll
                                                File size:5'267'459 bytes
                                                MD5:430599e85618bd750b5bbfb21cb5f857
                                                SHA1:c9ff0c824d324d6047a31eb07da54ba43a0a8b86
                                                SHA256:ec2a990e5ceea72eec6128d38e8debedffbe6cac244f7ee5e5e3d58e2ad0b202
                                                SHA512:579734a994750f09d3cd6feb1d6e5f2793bce1eca37f65cb4fef50c0c908b18248e143a85cbf3d62bf5d0af1e5a4b48faa94dc3e92846e615215276b9322c1f7
                                                SSDEEP:49152:RnpE/bcBVQej/1INRx+TSqTdX1HkQo6SAARdhnv:1p4oBhz1aRxcSUDk36SAEdhv
                                                TLSH:1336236530A8C0B4C107157444ABCA62F6B67C3917FA694FBF904E7E3E63B96E710B42
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.r_9...9...9.......=...9...6.....A.:.......8.......8.......:...Rich9...........................PE..L...QW.Y...........!.......
                                                Icon Hash:7ae282899bbab082
                                                Entrypoint:0x100011e9
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x10000000
                                                Subsystem:windows gui
                                                Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
                                                DLL Characteristics:
                                                Time Stamp:0x59145751 [Thu May 11 12:21:37 2017 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:2e5708ae5fed0403e8117c645fb23e5b
                                                Instruction
                                                push ebp
                                                mov ebp, esp
                                                push ebx
                                                mov ebx, dword ptr [ebp+08h]
                                                push esi
                                                mov esi, dword ptr [ebp+0Ch]
                                                push edi
                                                mov edi, dword ptr [ebp+10h]
                                                test esi, esi
                                                jne 00007F2D78DBC1BBh
                                                cmp dword ptr [10003140h], 00000000h
                                                jmp 00007F2D78DBC1D8h
                                                cmp esi, 01h
                                                je 00007F2D78DBC1B7h
                                                cmp esi, 02h
                                                jne 00007F2D78DBC1D4h
                                                mov eax, dword ptr [10003150h]
                                                test eax, eax
                                                je 00007F2D78DBC1BBh
                                                push edi
                                                push esi
                                                push ebx
                                                call eax
                                                test eax, eax
                                                je 00007F2D78DBC1BEh
                                                push edi
                                                push esi
                                                push ebx
                                                call 00007F2D78DBC0CAh
                                                test eax, eax
                                                jne 00007F2D78DBC1B6h
                                                xor eax, eax
                                                jmp 00007F2D78DBC200h
                                                push edi
                                                push esi
                                                push ebx
                                                call 00007F2D78DBBF7Ch
                                                cmp esi, 01h
                                                mov dword ptr [ebp+0Ch], eax
                                                jne 00007F2D78DBC1BEh
                                                test eax, eax
                                                jne 00007F2D78DBC1E9h
                                                push edi
                                                push eax
                                                push ebx
                                                call 00007F2D78DBC0A6h
                                                test esi, esi
                                                je 00007F2D78DBC1B7h
                                                cmp esi, 03h
                                                jne 00007F2D78DBC1D8h
                                                push edi
                                                push esi
                                                push ebx
                                                call 00007F2D78DBC095h
                                                test eax, eax
                                                jne 00007F2D78DBC1B5h
                                                and dword ptr [ebp+0Ch], eax
                                                cmp dword ptr [ebp+0Ch], 00000000h
                                                je 00007F2D78DBC1C3h
                                                mov eax, dword ptr [10003150h]
                                                test eax, eax
                                                je 00007F2D78DBC1BAh
                                                push edi
                                                push esi
                                                push ebx
                                                call eax
                                                mov dword ptr [ebp+0Ch], eax
                                                mov eax, dword ptr [ebp+0Ch]
                                                pop edi
                                                pop esi
                                                pop ebx
                                                pop ebp
                                                retn 000Ch
                                                jmp dword ptr [10002028h]
add byte ptr [eax], al ; repeated 18 times: 00 00 alignment padding after the function, decoded as instructions, not real code
                                                Programming Language:
                                                • [ C ] VS98 (6.0) build 8168
                                                • [C++] VS98 (6.0) build 8168
                                                • [RES] VS98 (6.0) cvtres build 1720
                                                • [LNK] VS98 (6.0) imp/exp build 8168
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2190 | 0x48 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x203c | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4000 | 0x500060 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x505000 | 0x5c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x28c | 0x1000 | 8de9a2cb31e4c74bd008b871d14bfafc | False | 0.13037109375 | data | 1.4429971244731552 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2000 | 0x1d8 | 0x1000 | 3dd394f95ab218593f2bc8eb65184db4 | False | 0.072509765625 | data | 0.7346018133622799 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3000 | 0x154 | 0x1000 | 9b27c3f254416f775f5a51102ef8fb84 | False | 0.016845703125 | Matlab v4 mat-file (little endian) C:\%s\%s, numeric, rows 0, columns 0 | 0.085726967663312 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x4000 | 0x500060 | 0x501000 | 4adff6979da8c24fa58ccf4a4a347623 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x505000 | 0x2ac | 0x1000 | 620f0b67a91f7f74151bc5be745b7110 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
W | 0x4060 | 0x500000 | data | English | United States | 0.8180646896362305
DLL | Import
KERNEL32.dll | CloseHandle, WriteFile, CreateFileA, SizeofResource, LockResource, LoadResource, FindResourceA, CreateProcessA
MSVCRT.dll | free, _initterm, malloc, _adjust_fdiv, sprintf
Name | Ordinal | Address
PlayGame | 1 | 0x10001114
Language of compilation system | Country where language is spoken
English | United States
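The section, resource, import and export tables above describe a small loader rather than a functional library: 0x28c bytes of code, a 5 MB resource named W that fills practically the whole .rsrc section, a `C:\%s\%s` format string sitting in .data, exactly the KERNEL32 imports needed to locate a resource (FindResourceA, LoadResource, LockResource, SizeofResource), write it to disk (CreateFileA, WriteFile) and start it (CreateProcessA), and one export, PlayGame, through which that code is reached. The Python below is an added example, not code from the report or from Joe Sandbox: it encodes the reported values as constructed input and runs the layout checks an analyst applies before carving such a resource out of the file. The thresholds, the "three indicators" cut-off and all function names are this example's own choices, and the image size it uses is the sum of raw section sizes, so it ignores the PE headers.

```python
"""Static triage of a PE layout for the "resource-carrier" dropper pattern:
almost no code, one huge resource, and just the imports needed to write it
out and run it. Section, resource, import and export values are copied
from the sandbox report; thresholds and names are this example's own."""

# Constructed from the report's tables (raw = SizeOfRawData, vsize = VirtualSize)
SECTIONS = [
    {"name": ".text",  "va": 0x1000,   "vsize": 0x28c,    "raw": 0x1000,   "flags": {"CODE", "EXECUTE", "READ"}},
    {"name": ".rdata", "va": 0x2000,   "vsize": 0x1d8,    "raw": 0x1000,   "flags": {"INITIALIZED_DATA", "READ"}},
    {"name": ".data",  "va": 0x3000,   "vsize": 0x154,    "raw": 0x1000,   "flags": {"INITIALIZED_DATA", "READ", "WRITE"}},
    {"name": ".rsrc",  "va": 0x4000,   "vsize": 0x500060, "raw": 0x501000, "flags": {"INITIALIZED_DATA", "READ"}},
    {"name": ".reloc", "va": 0x505000, "vsize": 0x2ac,    "raw": 0x1000,   "flags": {"INITIALIZED_DATA", "DISCARDABLE", "READ"}},
]
RESOURCES = [{"name": "W", "rva": 0x4060, "size": 0x500000}]
IMPORTS = {
    "KERNEL32.dll": {"CloseHandle", "WriteFile", "CreateFileA", "SizeofResource",
                     "LockResource", "LoadResource", "FindResourceA", "CreateProcessA"},
    "MSVCRT.dll": {"free", "_initterm", "malloc", "_adjust_fdiv", "sprintf"},
}
EXPORTS = ["PlayGame"]

# The API chain a resource dropper cannot do without
DROP_AND_RUN = {"FindResourceA", "LoadResource", "LockResource", "SizeofResource",
                "CreateFileA", "WriteFile", "CreateProcessA"}


def section_for_rva(rva, sections=SECTIONS):
    """Section whose virtual range [va, va+vsize) contains rva, else None."""
    for s in sections:
        if s["va"] <= rva < s["va"] + s["vsize"]:
            return s
    return None


def resource_fits(res, sections=SECTIONS):
    """True when the whole resource lies inside one section's virtual range;
    a resource that spills past its section is corrupt or deliberately odd."""
    s = section_for_rva(res["rva"], sections)
    return s is not None and res["rva"] + res["size"] <= s["va"] + s["vsize"]


def payload_ratio(res, sections=SECTIONS):
    """Share of the on-disk image (sum of raw section sizes, headers excluded)
    occupied by one resource."""
    return res["size"] / sum(s["raw"] for s in sections)


def triage(sections=SECTIONS, resources=RESOURCES, imports=IMPORTS, exports=EXPORTS):
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    code_bytes = sum(s["vsize"] for s in sections if "CODE" in s["flags"])
    if code_bytes < 0x1000:
        findings.append(f"only {code_bytes:#x} bytes of code")
    for r in resources:
        if not resource_fits(r, sections):
            findings.append(f"resource {r['name']} at {r['rva']:#x} overruns its section")
            continue
        ratio = payload_ratio(r, sections)
        if ratio > 0.9:
            holder = section_for_rva(r["rva"], sections)["name"]
            findings.append(f"resource {r['name']} in {holder} is {ratio:.1%} of the image")
    if DROP_AND_RUN <= imports.get("KERNEL32.dll", set()):
        findings.append("imports the complete find/load/lock resource, write file, CreateProcess chain")
    if len(exports) == 1:
        findings.append(f"single export {exports[0]} as the only caller-facing entry point")
    return findings


def is_resource_carrier(**kw):
    """Three or more independent indicators is this example's cut-off."""
    return len(triage(**kw)) >= 3


if __name__ == "__main__":
    for line in triage():
        print("-", line)
```

Run on the reported layout this prints four findings; the same checks applied to a DLL with a normal-sized .text and a small icon resource produce none, which is the point of scoring several weak signals together rather than alerting on any one of them.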
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-14T21:03:30.986998+0100 | 2830018 | ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup) | 1 | 192.168.2.5 | 57178 | 1.1.1.1 | 53 | UDP
2025-01-14T21:03:31.891094+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.5 | 49704 | 103.224.212.215 | 80 | TCP
2025-01-14T21:03:33.492425+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.5 | 49706 | 103.224.212.215 | 80 | TCP
2025-01-14T21:05:39.497573+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.5 | 50614 | 103.224.212.215 | 80 | TCP
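The TCP packet list that follows shows one behaviour worth a detection rule: after the DNS lookup for the kill-switch domain and the HTTP sessions to 103.224.212.215, the sandbox host opens port 445 roughly every two seconds to a fresh, apparently random public address and then, a few milliseconds later, to the .1 address of the same /24 (135.71.100.162 then 135.71.100.1, 162.139.80.156 then 162.139.80.1, and so on down the table). The Python below is an added example, not part of the report or of Joe Sandbox: it takes a handful of flows copied from that table as constructed input, counts how many distinct /24 networks one source reaches on 445 inside a sliding window, and separately counts the "host, then the same subnet's .1" pairs. The window length, the subnet threshold and the function names are this example's own choices, and the timestamp parser keeps only microseconds because strptime cannot take the report's nine fractional digits.

```python
"""Detect worm-style SMB fan-out from a single host in flow records.
Sample flows are copied from the sandbox's TCP packet list (outbound SYNs,
one per new destination); the detector and its thresholds are this
example's own, not the sandbox's."""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed from the report's packet table: (timestamp, sport, dport, src, dst)
SAMPLE_FLOWS = [
    ("Jan 14, 2025 21:03:34.020008087 CET", 49709, 445, "192.168.2.5", "135.71.100.162"),
    ("Jan 14, 2025 21:03:34.026958942 CET", 49710, 445, "192.168.2.5", "135.71.100.1"),
    ("Jan 14, 2025 21:03:36.014646053 CET", 49735, 445, "192.168.2.5", "162.139.80.156"),
    ("Jan 14, 2025 21:03:36.020987034 CET", 49736, 445, "192.168.2.5", "162.139.80.1"),
    ("Jan 14, 2025 21:03:38.030200005 CET", 49760, 445, "192.168.2.5", "133.222.94.93"),
    ("Jan 14, 2025 21:03:38.035423994 CET", 49761, 445, "192.168.2.5", "133.222.94.1"),
    ("Jan 14, 2025 21:03:40.046027899 CET", 49784, 445, "192.168.2.5", "185.24.227.69"),
    ("Jan 14, 2025 21:03:40.051337004 CET", 49785, 445, "192.168.2.5", "185.24.227.1"),
    ("Jan 14, 2025 21:03:42.279853106 CET", 49808, 445, "192.168.2.5", "2.240.171.60"),
    ("Jan 14, 2025 21:03:42.285150051 CET", 49810, 445, "192.168.2.5", "2.240.171.1"),
    ("Jan 14, 2025 21:03:44.233764887 CET", 49839, 445, "192.168.2.5", "160.40.25.54"),
    ("Jan 14, 2025 21:03:44.239083052 CET", 49840, 445, "192.168.2.5", "160.40.25.1"),
    # HTTP to one repeated host: must not count as scanning
    ("Jan 14, 2025 21:03:31.298609972 CET", 49704, 80, "192.168.2.5", "103.224.212.215"),
    ("Jan 14, 2025 21:03:32.878357887 CET", 49706, 80, "192.168.2.5", "103.224.212.215"),
]

TS_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) \w+$")
EPOCH = datetime(1970, 1, 1)


def parse_ts(text):
    """Seconds since 1970-01-01 for a 'Jan 14, 2025 21:03:34.020008087 CET' string.
    The zone suffix is ignored (all rows share it) and the fraction is cut to
    microseconds, which is all the comparisons below need."""
    m = TS_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    base = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
    micros = int((m.group(2) + "000000")[:6])
    return (base - EPOCH).total_seconds() + micros / 1_000_000


def smb_scan_alerts(flows, window_s=60.0, min_subnets=5, port=445):
    """For each source, the largest number of distinct destination /24s it
    touched on `port` inside any window of window_s seconds; sources at or
    above min_subnets are returned as {src: count}."""
    by_src = defaultdict(list)
    for ts, _sport, dport, src, dst in flows:
        if dport == port:
            by_src[src].append((parse_ts(ts), ip_network(f"{dst}/24", strict=False)))
    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e[0])
        best = 0
        for i, (t0, _) in enumerate(events):
            seen = {net for t, net in events[i:] if t - t0 <= window_s}
            best = max(best, len(seen))
        if best >= min_subnets:
            alerts[src] = best
    return alerts


def subnet_then_gateway(flows, max_gap_s=1.0, port=445):
    """Count /24s where a non-.1 host is probed and the .1 address of the same
    /24 follows within max_gap_s, the pairing visible throughout the report."""
    probes = sorted((parse_ts(ts), dst) for ts, _, dport, _, dst in flows if dport == port)
    hits = 0
    for i, (t, dst) in enumerate(probes):
        addr = int(ip_address(dst))
        if addr & 0xFF == 1:
            continue
        gateway = str(ip_address((addr & ~0xFF) | 1))
        if any(d2 == gateway and 0 <= t2 - t <= max_gap_s for t2, d2 in probes[i + 1:]):
            hits += 1
    return hits


if __name__ == "__main__":
    print("scan alerts:", smb_scan_alerts(SAMPLE_FLOWS))
    print("host-then-.1 pairs:", subnet_then_gateway(SAMPLE_FLOWS))
```

On the twelve SMB flows above the first function reports six distinct /24s for 192.168.2.5 inside ten seconds and the second finds six host-then-gateway pairs; the two HTTP flows are filtered out by port before either count is made. In production the same logic would run over NetFlow or Zeek conn records keyed by source host, with the window and threshold tuned so that backup or inventory systems that legitimately touch many file servers do not trip it.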
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 14, 2025 21:03:26.013329029 CET | 49674 | 443 | 192.168.2.5 | 23.1.237.91
Jan 14, 2025 21:03:26.013333082 CET | 49675 | 443 | 192.168.2.5 | 23.1.237.91
Jan 14, 2025 21:03:26.138344049 CET | 49673 | 443 | 192.168.2.5 | 23.1.237.91
Jan 14, 2025 21:03:31.298609972 CET | 49704 | 80 | 192.168.2.5 | 103.224.212.215
Jan 14, 2025 21:03:31.304099083 CET | 80 | 49704 | 103.224.212.215 | 192.168.2.5
Jan 14, 2025 21:03:31.304179907 CET | 49704 | 80 | 192.168.2.5 | 103.224.212.215
Jan 14, 2025 21:03:31.304311037 CET | 49704 | 80 | 192.168.2.5 | 103.224.212.215
Jan 14, 2025 21:03:31.309050083 CET | 80 | 49704 | 103.224.212.215 | 192.168.2.5
Jan 14, 2025 21:03:31.891025066 CET | 80 | 49704 | 103.224.212.215 | 192.168.2.5
Jan 14, 2025 21:03:31.891062021 CET | 80 | 49704 | 103.224.212.215 | 192.168.2.5
Jan 14, 2025 21:03:31.891093969 CET | 49704 | 80 | 192.168.2.5 | 103.224.212.215
Jan 14, 2025 21:03:31.891132116 CET | 49704 | 80 | 192.168.2.5 | 103.224.212.215
Jan 14, 2025 21:03:31.894610882 CET | 49704 | 80 | 192.168.2.5 | 103.224.212.215
Jan 14, 2025 21:03:31.899449110 CET | 80 | 49704 | 103.224.212.215 | 192.168.2.5
Jan 14, 2025 21:03:32.297739029 CET | 49705 | 80 | 192.168.2.5 | 199.59.243.228
Jan 14, 2025 21:03:32.302623034 CET | 80 | 49705 | 199.59.243.228 | 192.168.2.5
Jan 14, 2025 21:03:32.302715063 CET | 49705 | 80 | 192.168.2.5 | 199.59.243.228
Jan 14, 2025 21:03:32.302917004 CET | 49705 | 80 | 192.168.2.5 | 199.59.243.228
Jan 14, 2025 21:03:32.307775021 CET | 80 | 49705 | 199.59.243.228 | 192.168.2.5
Jan 14, 2025 21:03:32.756167889 CET | 80 | 49705 | 199.59.243.228 | 192.168.2.5
Jan 14, 2025 21:03:32.756186008 CET | 80 | 49705 | 199.59.243.228 | 192.168.2.5
Jan 14, 2025 21:03:32.756278992 CET | 49705 | 80 | 192.168.2.5 | 199.59.243.228
Jan 14, 2025 21:03:32.760621071 CET | 49705 | 80 | 192.168.2.5 | 199.59.243.228
Jan 14, 2025 21:03:32.760654926 CET | 49705 | 80 | 192.168.2.5 | 199.59.243.228
Jan 14, 2025 21:03:32.878357887 CET | 49706 | 80 | 192.168.2.5 | 103.224.212.215
Jan 14, 2025 21:03:32.883413076 CET | 80 | 49706 | 103.224.212.215 | 192.168.2.5
Jan 14, 2025 21:03:32.883493900 CET | 49706 | 80 | 192.168.2.5 | 103.224.212.215
Jan 14, 2025 21:03:32.883703947 CET | 49706 | 80 | 192.168.2.5 | 103.224.212.215
Jan 14, 2025 21:03:32.888495922 CET | 80 | 49706 | 103.224.212.215 | 192.168.2.5
Jan 14, 2025 21:03:33.492301941 CET | 80 | 49706 | 103.224.212.215 | 192.168.2.5
Jan 14, 2025 21:03:33.492424965 CET | 49706 | 80 | 192.168.2.5 | 103.224.212.215
Jan 14, 2025 21:03:33.492439032 CET | 80 | 49706 | 103.224.212.215 | 192.168.2.5
Jan 14, 2025 21:03:33.492477894 CET | 49706 | 80 | 192.168.2.5 | 103.224.212.215
Jan 14, 2025 21:03:33.495501995 CET | 49706 | 80 | 192.168.2.5 | 103.224.212.215
Jan 14, 2025 21:03:33.500324011 CET | 80 | 49706 | 103.224.212.215 | 192.168.2.5
Jan 14, 2025 21:03:33.502010107 CET | 49707 | 80 | 192.168.2.5 | 199.59.243.228
Jan 14, 2025 21:03:33.506863117 CET | 80 | 49707 | 199.59.243.228 | 192.168.2.5
Jan 14, 2025 21:03:33.506932974 CET | 49707 | 80 | 192.168.2.5 | 199.59.243.228
Jan 14, 2025 21:03:33.507039070 CET | 49707 | 80 | 192.168.2.5 | 199.59.243.228
Jan 14, 2025 21:03:33.511807919 CET | 80 | 49707 | 199.59.243.228 | 192.168.2.5
Jan 14, 2025 21:03:33.894761086 CET | 49708 | 80 | 192.168.2.5 | 103.224.212.215
Jan 14, 2025 21:03:33.899663925 CET | 80 | 49708 | 103.224.212.215 | 192.168.2.5
Jan 14, 2025 21:03:33.899774075 CET | 49708 | 80 | 192.168.2.5 | 103.224.212.215
Jan 14, 2025 21:03:33.899924040 CET | 49708 | 80 | 192.168.2.5 | 103.224.212.215
Jan 14, 2025 21:03:33.904664993 CET | 80 | 49708 | 103.224.212.215 | 192.168.2.5
Jan 14, 2025 21:03:33.970993996 CET | 80 | 49707 | 199.59.243.228 | 192.168.2.5
Jan 14, 2025 21:03:33.971010923 CET | 80 | 49707 | 199.59.243.228 | 192.168.2.5
Jan 14, 2025 21:03:33.971122980 CET | 49707 | 80 | 192.168.2.5 | 199.59.243.228
Jan 14, 2025 21:03:33.977402925 CET | 49707 | 80 | 192.168.2.5 | 199.59.243.228
Jan 14, 2025 21:03:33.977428913 CET | 49707 | 80 | 192.168.2.5 | 199.59.243.228
Jan 14, 2025 21:03:34.020008087 CET | 49709 | 445 | 192.168.2.5 | 135.71.100.162
Jan 14, 2025 21:03:34.024924040 CET | 445 | 49709 | 135.71.100.162 | 192.168.2.5
Jan 14, 2025 21:03:34.024992943 CET | 49709 | 445 | 192.168.2.5 | 135.71.100.162
Jan 14, 2025 21:03:34.026576996 CET | 49709 | 445 | 192.168.2.5 | 135.71.100.162
Jan 14, 2025 21:03:34.026958942 CET | 49710 | 445 | 192.168.2.5 | 135.71.100.1
Jan 14, 2025 21:03:34.031408072 CET | 445 | 49709 | 135.71.100.162 | 192.168.2.5
Jan 14, 2025 21:03:34.031456947 CET | 49709 | 445 | 192.168.2.5 | 135.71.100.162
Jan 14, 2025 21:03:34.031826019 CET | 445 | 49710 | 135.71.100.1 | 192.168.2.5
Jan 14, 2025 21:03:34.031883001 CET | 49710 | 445 | 192.168.2.5 | 135.71.100.1
Jan 14, 2025 21:03:34.031985044 CET | 49710 | 445 | 192.168.2.5 | 135.71.100.1
Jan 14, 2025 21:03:34.036984921 CET | 445 | 49710 | 135.71.100.1 | 192.168.2.5
Jan 14, 2025 21:03:34.037029028 CET | 49710 | 445 | 192.168.2.5 | 135.71.100.1
Jan 14, 2025 21:03:34.038573980 CET | 49711 | 445 | 192.168.2.5 | 135.71.100.1
Jan 14, 2025 21:03:34.043447018 CET | 445 | 49711 | 135.71.100.1 | 192.168.2.5
Jan 14, 2025 21:03:34.043540955 CET | 49711 | 445 | 192.168.2.5 | 135.71.100.1
Jan 14, 2025 21:03:34.043585062 CET | 49711 | 445 | 192.168.2.5 | 135.71.100.1
Jan 14, 2025 21:03:34.048393965 CET | 445 | 49711 | 135.71.100.1 | 192.168.2.5
Jan 14, 2025 21:03:34.504657984 CET | 80 | 49708 | 103.224.212.215 | 192.168.2.5
Jan 14, 2025 21:03:34.504755020 CET | 80 | 49708 | 103.224.212.215 | 192.168.2.5
Jan 14, 2025 21:03:34.504820108 CET | 49708 | 80 | 192.168.2.5 | 103.224.212.215
Jan 14, 2025 21:03:34.507343054 CET | 49708 | 80 | 192.168.2.5 | 103.224.212.215
Jan 14, 2025 21:03:34.509680986 CET | 49721 | 80 | 192.168.2.5 | 199.59.243.228
Jan 14, 2025 21:03:34.512427092 CET | 80 | 49708 | 103.224.212.215 | 192.168.2.5
Jan 14, 2025 21:03:34.514749050 CET | 80 | 49721 | 199.59.243.228 | 192.168.2.5
Jan 14, 2025 21:03:34.514962912 CET | 49721 | 80 | 192.168.2.5 | 199.59.243.228
Jan 14, 2025 21:03:34.515021086 CET | 49721 | 80 | 192.168.2.5 | 199.59.243.228
Jan 14, 2025 21:03:34.519846916 CET | 80 | 49721 | 199.59.243.228 | 192.168.2.5
Jan 14, 2025 21:03:34.988173008 CET | 80 | 49721 | 199.59.243.228 | 192.168.2.5
Jan 14, 2025 21:03:34.988190889 CET | 80 | 49721 | 199.59.243.228 | 192.168.2.5
Jan 14, 2025 21:03:34.988367081 CET | 49721 | 80 | 192.168.2.5 | 199.59.243.228
Jan 14, 2025 21:03:34.998570919 CET | 49721 | 80 | 192.168.2.5 | 199.59.243.228
Jan 14, 2025 21:03:34.999339104 CET | 49721 | 80 | 192.168.2.5 | 199.59.243.228
Jan 14, 2025 21:03:35.003720999 CET | 80 | 49721 | 199.59.243.228 | 192.168.2.5
Jan 14, 2025 21:03:35.003896952 CET | 49721 | 80 | 192.168.2.5 | 199.59.243.228
Jan 14, 2025 21:03:35.622654915 CET | 49675 | 443 | 192.168.2.5 | 23.1.237.91
Jan 14, 2025 21:03:35.622656107 CET | 49674 | 443 | 192.168.2.5 | 23.1.237.91
Jan 14, 2025 21:03:35.747639894 CET | 49673 | 443 | 192.168.2.5 | 23.1.237.91
Jan 14, 2025 21:03:36.014646053 CET | 49735 | 445 | 192.168.2.5 | 162.139.80.156
Jan 14, 2025 21:03:36.019582987 CET | 445 | 49735 | 162.139.80.156 | 192.168.2.5
Jan 14, 2025 21:03:36.019665003 CET | 49735 | 445 | 192.168.2.5 | 162.139.80.156
Jan 14, 2025 21:03:36.019725084 CET | 49735 | 445 | 192.168.2.5 | 162.139.80.156
Jan 14, 2025 21:03:36.020987034 CET | 49736 | 445 | 192.168.2.5 | 162.139.80.1
Jan 14, 2025 21:03:36.025172949 CET | 445 | 49735 | 162.139.80.156 | 192.168.2.5
Jan 14, 2025 21:03:36.025232077 CET | 49735 | 445 | 192.168.2.5 | 162.139.80.156
Jan 14, 2025 21:03:36.025746107 CET | 445 | 49736 | 162.139.80.1 | 192.168.2.5
Jan 14, 2025 21:03:36.026186943 CET | 49736 | 445 | 192.168.2.5 | 162.139.80.1
Jan 14, 2025 21:03:36.026237965 CET | 49736 | 445 | 192.168.2.5 | 162.139.80.1
Jan 14, 2025 21:03:36.027335882 CET | 49737 | 445 | 192.168.2.5 | 162.139.80.1
Jan 14, 2025 21:03:36.031234980 CET | 445 | 49736 | 162.139.80.1 | 192.168.2.5
Jan 14, 2025 21:03:36.031280041 CET | 49736 | 445 | 192.168.2.5 | 162.139.80.1
Jan 14, 2025 21:03:36.032143116 CET | 445 | 49737 | 162.139.80.1 | 192.168.2.5
Jan 14, 2025 21:03:36.032258034 CET | 49737 | 445 | 192.168.2.5 | 162.139.80.1
Jan 14, 2025 21:03:36.032258034 CET | 49737 | 445 | 192.168.2.5 | 162.139.80.1
Jan 14, 2025 21:03:36.037046909 CET | 445 | 49737 | 162.139.80.1 | 192.168.2.5
Jan 14, 2025 21:03:37.385175943 CET | 443 | 49703 | 23.1.237.91 | 192.168.2.5
Jan 14, 2025 21:03:37.385253906 CET | 49703 | 443 | 192.168.2.5 | 23.1.237.91
Jan 14, 2025 21:03:38.030200005 CET | 49760 | 445 | 192.168.2.5 | 133.222.94.93
Jan 14, 2025 21:03:38.035093069 CET | 445 | 49760 | 133.222.94.93 | 192.168.2.5
Jan 14, 2025 21:03:38.035171986 CET | 49760 | 445 | 192.168.2.5 | 133.222.94.93
Jan 14, 2025 21:03:38.035209894 CET | 49760 | 445 | 192.168.2.5 | 133.222.94.93
Jan 14, 2025 21:03:38.035423994 CET | 49761 | 445 | 192.168.2.5 | 133.222.94.1
Jan 14, 2025 21:03:38.040210009 CET | 445 | 49760 | 133.222.94.93 | 192.168.2.5
Jan 14, 2025 21:03:38.040271044 CET | 49760 | 445 | 192.168.2.5 | 133.222.94.93
Jan 14, 2025 21:03:38.040307045 CET | 445 | 49761 | 133.222.94.1 | 192.168.2.5
Jan 14, 2025 21:03:38.040374994 CET | 49761 | 445 | 192.168.2.5 | 133.222.94.1
Jan 14, 2025 21:03:38.040412903 CET | 49761 | 445 | 192.168.2.5 | 133.222.94.1
Jan 14, 2025 21:03:38.041331053 CET | 49762 | 445 | 192.168.2.5 | 133.222.94.1
Jan 14, 2025 21:03:38.045449018 CET | 445 | 49761 | 133.222.94.1 | 192.168.2.5
Jan 14, 2025 21:03:38.045515060 CET | 49761 | 445 | 192.168.2.5 | 133.222.94.1
Jan 14, 2025 21:03:38.046112061 CET | 445 | 49762 | 133.222.94.1 | 192.168.2.5
Jan 14, 2025 21:03:38.046174049 CET | 49762 | 445 | 192.168.2.5 | 133.222.94.1
Jan 14, 2025 21:03:38.046253920 CET | 49762 | 445 | 192.168.2.5 | 133.222.94.1
Jan 14, 2025 21:03:38.051007032 CET | 445 | 49762 | 133.222.94.1 | 192.168.2.5
Jan 14, 2025 21:03:40.046027899 CET | 49784 | 445 | 192.168.2.5 | 185.24.227.69
Jan 14, 2025 21:03:40.050877094 CET | 445 | 49784 | 185.24.227.69 | 192.168.2.5
Jan 14, 2025 21:03:40.050947905 CET | 49784 | 445 | 192.168.2.5 | 185.24.227.69
Jan 14, 2025 21:03:40.051028013 CET | 49784 | 445 | 192.168.2.5 | 185.24.227.69
Jan 14, 2025 21:03:40.051337004 CET | 49785 | 445 | 192.168.2.5 | 185.24.227.1
Jan 14, 2025 21:03:40.056054115 CET | 445 | 49784 | 185.24.227.69 | 192.168.2.5
Jan 14, 2025 21:03:40.056112051 CET | 49784 | 445 | 192.168.2.5 | 185.24.227.69
Jan 14, 2025 21:03:40.056166887 CET | 445 | 49785 | 185.24.227.1 | 192.168.2.5
Jan 14, 2025 21:03:40.056334019 CET | 49785 | 445 | 192.168.2.5 | 185.24.227.1
Jan 14, 2025 21:03:40.056334019 CET | 49785 | 445 | 192.168.2.5 | 185.24.227.1
Jan 14, 2025 21:03:40.058434963 CET | 49786 | 445 | 192.168.2.5 | 185.24.227.1
Jan 14, 2025 21:03:40.061300039 CET | 445 | 49785 | 185.24.227.1 | 192.168.2.5
Jan 14, 2025 21:03:40.063158989 CET | 49785 | 445 | 192.168.2.5 | 185.24.227.1
Jan 14, 2025 21:03:40.063232899 CET | 445 | 49786 | 185.24.227.1 | 192.168.2.5
Jan 14, 2025 21:03:40.063333035 CET | 49786 | 445 | 192.168.2.5 | 185.24.227.1
Jan 14, 2025 21:03:40.063617945 CET | 49786 | 445 | 192.168.2.5 | 185.24.227.1
Jan 14, 2025 21:03:40.068419933 CET | 445 | 49786 | 185.24.227.1 | 192.168.2.5
Jan 14, 2025 21:03:42.279853106 CET | 49808 | 445 | 192.168.2.5 | 2.240.171.60
Jan 14, 2025 21:03:42.284759998 CET | 445 | 49808 | 2.240.171.60 | 192.168.2.5
Jan 14, 2025 21:03:42.284867048 CET | 49808 | 445 | 192.168.2.5 | 2.240.171.60
Jan 14, 2025 21:03:42.284953117 CET | 49808 | 445 | 192.168.2.5 | 2.240.171.60
Jan 14, 2025 21:03:42.285150051 CET | 49810 | 445 | 192.168.2.5 | 2.240.171.1
Jan 14, 2025 21:03:42.289937019 CET | 445 | 49808 | 2.240.171.60 | 192.168.2.5
Jan 14, 2025 21:03:42.289973974 CET | 445 | 49810 | 2.240.171.1 | 192.168.2.5
Jan 14, 2025 21:03:42.290035963 CET | 49808 | 445 | 192.168.2.5 | 2.240.171.60
Jan 14, 2025 21:03:42.290057898 CET | 49810 | 445 | 192.168.2.5 | 2.240.171.1
Jan 14, 2025 21:03:42.290174007 CET | 49810 | 445 | 192.168.2.5 | 2.240.171.1
Jan 14, 2025 21:03:42.291342974 CET | 49811 | 445 | 192.168.2.5 | 2.240.171.1
Jan 14, 2025 21:03:42.295207977 CET | 445 | 49810 | 2.240.171.1 | 192.168.2.5
Jan 14, 2025 21:03:42.295295954 CET | 49810 | 445 | 192.168.2.5 | 2.240.171.1
Jan 14, 2025 21:03:42.296222925 CET | 445 | 49811 | 2.240.171.1 | 192.168.2.5
Jan 14, 2025 21:03:42.296725988 CET | 49811 | 445 | 192.168.2.5 | 2.240.171.1
Jan 14, 2025 21:03:42.296725988 CET | 49811 | 445 | 192.168.2.5 | 2.240.171.1
Jan 14, 2025 21:03:42.301578045 CET | 445 | 49811 | 2.240.171.1 | 192.168.2.5
Jan 14, 2025 21:03:44.233764887 CET | 49839 | 445 | 192.168.2.5 | 160.40.25.54
Jan 14, 2025 21:03:44.238687038 CET | 445 | 49839 | 160.40.25.54 | 192.168.2.5
Jan 14, 2025 21:03:44.238807917 CET | 49839 | 445 | 192.168.2.5 | 160.40.25.54
Jan 14, 2025 21:03:44.238862038 CET | 49839 | 445 | 192.168.2.5 | 160.40.25.54
Jan 14, 2025 21:03:44.239083052 CET | 49840 | 445 | 192.168.2.5 | 160.40.25.1
Jan 14, 2025 21:03:44.243768930 CET | 445 | 49839 | 160.40.25.54 | 192.168.2.5
Jan 14, 2025 21:03:44.243832111 CET | 49839 | 445 | 192.168.2.5 | 160.40.25.54
Jan 14, 2025 21:03:44.243870020 CET | 445 | 49840 | 160.40.25.1 | 192.168.2.5
Jan 14, 2025 21:03:44.243926048 CET | 49840 | 445 | 192.168.2.5 | 160.40.25.1
Jan 14, 2025 21:03:44.243993044 CET | 49840 | 445 | 192.168.2.5 | 160.40.25.1
Jan 14, 2025 21:03:44.245039940 CET | 49842 | 445 | 192.168.2.5 | 160.40.25.1
Jan 14, 2025 21:03:44.249074936 CET | 445 | 49840 | 160.40.25.1 | 192.168.2.5
Jan 14, 2025 21:03:44.249892950 CET | 445 | 49842 | 160.40.25.1 | 192.168.2.5
Jan 14, 2025 21:03:44.249959946 CET | 49840 | 445 | 192.168.2.5 | 160.40.25.1
Jan 14, 2025 21:03:44.249974012 CET | 49842 | 445 | 192.168.2.5 | 160.40.25.1
Jan 14, 2025 21:03:44.250046968 CET | 49842 | 445 | 192.168.2.5 | 160.40.25.1
Jan 14, 2025 21:03:44.254892111 CET | 445 | 49842 | 160.40.25.1 | 192.168.2.5
Jan 14, 2025 21:03:46.248163939 CET | 49878 | 445 | 192.168.2.5 | 76.35.66.204
Jan 14, 2025 21:03:46.253063917 CET | 445 | 49878 | 76.35.66.204 | 192.168.2.5
Jan 14, 2025 21:03:46.253158092 CET | 49878 | 445 | 192.168.2.5 | 76.35.66.204
Jan 14, 2025 21:03:46.253247023 CET | 49878 | 445 | 192.168.2.5 | 76.35.66.204
Jan 14, 2025 21:03:46.253474951 CET | 49879 | 445 | 192.168.2.5 | 76.35.66.1
Jan 14, 2025 21:03:46.258330107 CET | 445 | 49878 | 76.35.66.204 | 192.168.2.5
Jan 14, 2025 21:03:46.258347034 CET | 445 | 49879 | 76.35.66.1 | 192.168.2.5
Jan 14, 2025 21:03:46.258403063 CET | 49878 | 445 | 192.168.2.5 | 76.35.66.204
Jan 14, 2025 21:03:46.258445978 CET | 49879 | 445 | 192.168.2.5 | 76.35.66.1
Jan 14, 2025 21:03:46.258538961 CET | 49879 | 445 | 192.168.2.5 | 76.35.66.1
Jan 14, 2025 21:03:46.259037018 CET | 49880 | 445 | 192.168.2.5 | 76.35.66.1
Jan 14, 2025 21:03:46.263452053 CET | 445 | 49879 | 76.35.66.1 | 192.168.2.5
Jan 14, 2025 21:03:46.263524055 CET | 49879 | 445 | 192.168.2.5 | 76.35.66.1
Jan 14, 2025 21:03:46.263816118 CET | 445 | 49880 | 76.35.66.1 | 192.168.2.5
Jan 14, 2025 21:03:46.263870955 CET | 49880 | 445 | 192.168.2.5 | 76.35.66.1
Jan 14, 2025 21:03:46.263951063 CET | 49880 | 445 | 192.168.2.5 | 76.35.66.1
Jan 14, 2025 21:03:46.268716097 CET | 445 | 49880 | 76.35.66.1 | 192.168.2.5
Jan 14, 2025 21:03:48.263799906 CET | 49913 | 445 | 192.168.2.5 | 131.113.135.72
Jan 14, 2025 21:03:48.268654108 CET | 445 | 49913 | 131.113.135.72 | 192.168.2.5
Jan 14, 2025 21:03:48.268734932 CET | 49913 | 445 | 192.168.2.5 | 131.113.135.72
Jan 14, 2025 21:03:48.268807888 CET | 49913 | 445 | 192.168.2.5 | 131.113.135.72
Jan 14, 2025 21:03:48.269004107 CET | 49914 | 445 | 192.168.2.5 | 131.113.135.1
Jan 14, 2025 21:03:48.273770094 CET | 445 | 49913 | 131.113.135.72 | 192.168.2.5
Jan 14, 2025 21:03:48.273813963 CET | 445 | 49914 | 131.113.135.1 | 192.168.2.5
Jan 14, 2025 21:03:48.273833036 CET | 49913 | 445 | 192.168.2.5 | 131.113.135.72
Jan 14, 2025 21:03:48.273896933 CET | 49914 | 445 | 192.168.2.5 | 131.113.135.1
Jan 14, 2025 21:03:48.273941040 CET | 49914 | 445 | 192.168.2.5 | 131.113.135.1
Jan 14, 2025 21:03:48.274333000 CET | 49915 | 445 | 192.168.2.5 | 131.113.135.1
Jan 14, 2025 21:03:48.278902054 CET | 445 | 49914 | 131.113.135.1 | 192.168.2.5
Jan 14, 2025 21:03:48.278963089 CET | 49914 | 445 | 192.168.2.5 | 131.113.135.1
Jan 14, 2025 21:03:48.279131889 CET | 445 | 49915 | 131.113.135.1 | 192.168.2.5
Jan 14, 2025 21:03:48.279194117 CET | 49915 | 445 | 192.168.2.5 | 131.113.135.1
Jan 14, 2025 21:03:48.279422998 CET | 49915 | 445 | 192.168.2.5 | 131.113.135.1
Jan 14, 2025 21:03:48.284193039 CET | 445 | 49915 | 131.113.135.1 | 192.168.2.5
Jan 14, 2025 21:03:50.271850109 CET | 49948 | 445 | 192.168.2.5 | 35.61.65.8
Jan 14, 2025 21:03:50.277369976 CET | 445 | 49948 | 35.61.65.8 | 192.168.2.5
Jan 14, 2025 21:03:50.277652025 CET | 49948 | 445 | 192.168.2.5 | 35.61.65.8
Jan 14, 2025 21:03:50.277719975 CET | 49948 | 445 | 192.168.2.5 | 35.61.65.8
Jan 14, 2025 21:03:50.277920008 CET | 49950 | 445 | 192.168.2.5 | 35.61.65.1
Jan 14, 2025 21:03:50.283035040 CET | 445 | 49948 | 35.61.65.8 | 192.168.2.5
Jan 14, 2025 21:03:50.283374071 CET | 445 | 49950 | 35.61.65.1 | 192.168.2.5
Jan 14, 2025 21:03:50.283432007 CET | 49948 | 445 | 192.168.2.5 | 35.61.65.8
Jan 14, 2025 21:03:50.283473015 CET | 49950 | 445 | 192.168.2.5 | 35.61.65.1
Jan 14, 2025 21:03:50.287326097 CET | 49950 | 445 | 192.168.2.5 | 35.61.65.1
Jan 14, 2025 21:03:50.287595034 CET | 49951 | 445 | 192.168.2.5 | 35.61.65.1
Jan 14, 2025 21:03:50.293073893 CET | 445 | 49950 | 35.61.65.1 | 192.168.2.5
Jan 14, 2025 21:03:50.294595003 CET | 445 | 49951 | 35.61.65.1 | 192.168.2.5
Jan 14, 2025 21:03:50.294672012 CET | 49950 | 445 | 192.168.2.5 | 35.61.65.1
Jan 14, 2025 21:03:50.294722080 CET | 49951 | 445 | 192.168.2.5 | 35.61.65.1
Jan 14, 2025 21:03:50.303584099 CET | 49951 | 445 | 192.168.2.5 | 35.61.65.1
Jan 14, 2025 21:03:50.308907986 CET | 445 | 49951 | 35.61.65.1 | 192.168.2.5
Jan 14, 2025 21:03:52.279982090 CET | 49985 | 445 | 192.168.2.5 | 114.118.212.192
Jan 14, 2025 21:03:52.284786940 CET | 445 | 49985 | 114.118.212.192 | 192.168.2.5
Jan 14, 2025 21:03:52.284905910 CET | 49985 | 445 | 192.168.2.5 | 114.118.212.192
Jan 14, 2025 21:03:52.285027981 CET | 49985 | 445 | 192.168.2.5 | 114.118.212.192
Jan 14, 2025 21:03:52.285351992 CET | 49986 | 445 | 192.168.2.5 | 114.118.212.1
Jan 14, 2025 21:03:52.289944887 CET | 445 | 49985 | 114.118.212.192 | 192.168.2.5
Jan 14, 2025 21:03:52.290045023 CET | 49985 | 445 | 192.168.2.5 | 114.118.212.192
Jan 14, 2025 21:03:52.290364981 CET | 445 | 49986 | 114.118.212.1 | 192.168.2.5
Jan 14, 2025 21:03:52.290446997 CET | 49986 | 445 | 192.168.2.5 | 114.118.212.1
Jan 14, 2025 21:03:52.290493965 CET | 49986 | 445 | 192.168.2.5 | 114.118.212.1
Jan 14, 2025 21:03:52.290884972 CET | 49987 | 445 | 192.168.2.5 | 114.118.212.1
Jan 14, 2025 21:03:52.295460939 CET | 445 | 49986 | 114.118.212.1 | 192.168.2.5
Jan 14, 2025 21:03:52.295543909 CET | 49986 | 445 | 192.168.2.5 | 114.118.212.1
Jan 14, 2025 21:03:52.295664072 CET | 445 | 49987 | 114.118.212.1 | 192.168.2.5
Jan 14, 2025 21:03:52.295722008 CET | 49987 | 445 | 192.168.2.5 | 114.118.212.1
Jan 14, 2025 21:03:52.295773983 CET | 49987 | 445 | 192.168.2.5 | 114.118.212.1
Jan 14, 2025 21:03:52.300589085 CET | 445 | 49987 | 114.118.212.1 | 192.168.2.5
Jan 14, 2025 21:03:54.295092106 CET | 50016 | 445 | 192.168.2.5 | 28.125.169.77
Jan 14, 2025 21:03:54.300173998 CET | 445 | 50016 | 28.125.169.77 | 192.168.2.5
Jan 14, 2025 21:03:54.300369978 CET | 50016 | 445 | 192.168.2.5 | 28.125.169.77
Jan 14, 2025 21:03:54.300508976 CET | 50016 | 445 | 192.168.2.5 | 28.125.169.77
Jan 14, 2025 21:03:54.300658941 CET | 50017 | 445 | 192.168.2.5 | 28.125.169.1
Jan 14, 2025 21:03:54.305572033 CET | 445 | 50016 | 28.125.169.77 | 192.168.2.5
Jan 14, 2025 21:03:54.305608034 CET | 445 | 50017 | 28.125.169.1 | 192.168.2.5
Jan 14, 2025 21:03:54.305645943 CET | 50016 | 445 | 192.168.2.5 | 28.125.169.77
Jan 14, 2025 21:03:54.305689096 CET | 50017 | 445 | 192.168.2.5 | 28.125.169.1
Jan 14, 2025 21:03:54.305783033 CET | 50017 | 445 | 192.168.2.5 | 28.125.169.1
Jan 14, 2025 21:03:54.306122065 CET | 50018 | 445 | 192.168.2.5 | 28.125.169.1
Jan 14, 2025 21:03:54.310877085 CET | 445 | 50017 | 28.125.169.1 | 192.168.2.5
Jan 14, 2025 21:03:54.310934067 CET | 445 | 50018 | 28.125.169.1 | 192.168.2.5
Jan 14, 2025 21:03:54.310945034 CET | 50017 | 445 | 192.168.2.5 | 28.125.169.1
Jan 14, 2025 21:03:54.311001062 CET | 50018 | 445 | 192.168.2.5 | 28.125.169.1
Jan 14, 2025 21:03:54.311021090 CET | 50018 | 445 | 192.168.2.5 | 28.125.169.1
Jan 14, 2025 21:03:54.315812111 CET | 445 | 50018 | 28.125.169.1 | 192.168.2.5
Jan 14, 2025 21:03:55.424937010 CET | 445 | 49711 | 135.71.100.1 | 192.168.2.5
Jan 14, 2025 21:03:55.427856922 CET | 49711 | 445 | 192.168.2.5 | 135.71.100.1
Jan 14, 2025 21:03:55.427907944 CET | 49711 | 445 | 192.168.2.5 | 135.71.100.1
Jan 14, 2025 21:03:55.427954912 CET | 49711 | 445 | 192.168.2.5 | 135.71.100.1
Jan 14, 2025 21:03:55.432749987 CET | 445 | 49711 | 135.71.100.1 | 192.168.2.5
Jan 14, 2025 21:03:55.432761908 CET | 445 | 49711 | 135.71.100.1 | 192.168.2.5
Jan 14, 2025 21:03:56.318275928 CET | 50054 | 445 | 192.168.2.5 | 94.64.50.15
Jan 14, 2025 21:03:56.323137045 CET | 445 | 50054 | 94.64.50.15 | 192.168.2.5
Jan 14, 2025 21:03:56.323244095 CET | 50054 | 445 | 192.168.2.5 | 94.64.50.15
Jan 14, 2025 21:03:56.325623989 CET | 50054 | 445 | 192.168.2.5 | 94.64.50.15
Jan 14, 2025 21:03:56.327413082 CET | 50055 | 445 | 192.168.2.5 | 94.64.50.1
Jan 14, 2025 21:03:56.330529928 CET | 445 | 50054 | 94.64.50.15 | 192.168.2.5
Jan 14, 2025 21:03:56.330583096 CET | 50054 | 445 | 192.168.2.5 | 94.64.50.15
Jan 14, 2025 21:03:56.332252026 CET | 445 | 50055 | 94.64.50.1 | 192.168.2.5
Jan 14, 2025 21:03:56.332308054 CET | 50055 | 445 | 192.168.2.5 | 94.64.50.1
Jan 14, 2025 21:03:56.332348108 CET | 50055 | 445 | 192.168.2.5 | 94.64.50.1
Jan 14, 2025 21:03:56.332598925 CET | 50057 | 445 | 192.168.2.5 | 94.64.50.1
Jan 14, 2025 21:03:56.337491035 CET | 445 | 50055 | 94.64.50.1 | 192.168.2.5
Jan 14, 2025 21:03:56.337502956 CET | 445 | 50057 | 94.64.50.1 | 192.168.2.5
Jan 14, 2025 21:03:56.337654114 CET | 50055 | 445 | 192.168.2.5 | 94.64.50.1
Jan 14, 2025 21:03:56.337735891 CET | 50057 | 445 | 192.168.2.5 | 94.64.50.1
Jan 14, 2025 21:03:56.337774992 CET | 50057 | 445 | 192.168.2.5 | 94.64.50.1
Jan 14, 2025 21:03:56.342502117 CET | 445 | 50057 | 94.64.50.1 | 192.168.2.5
Jan 14, 2025 21:03:57.393837929 CET | 445 | 49737 | 162.139.80.1 | 192.168.2.5
Jan 14, 2025 21:03:57.393990040 CET | 49737 | 445 | 192.168.2.5 | 162.139.80.1
Jan 14, 2025 21:03:57.393990040 CET | 49737 | 445 | 192.168.2.5 | 162.139.80.1
Jan 14, 2025 21:03:57.394051075 CET | 49737 | 445 | 192.168.2.5 | 162.139.80.1
                                                Jan 14, 2025 21:03:57.398849010 CET44549737162.139.80.1192.168.2.5
                                                Jan 14, 2025 21:03:57.398897886 CET44549737162.139.80.1192.168.2.5
                                                Jan 14, 2025 21:03:58.326683998 CET50091445192.168.2.5179.12.193.116
                                                Jan 14, 2025 21:03:58.331543922 CET44550091179.12.193.116192.168.2.5
                                                Jan 14, 2025 21:03:58.332506895 CET50091445192.168.2.5179.12.193.116
                                                Jan 14, 2025 21:03:58.332508087 CET50091445192.168.2.5179.12.193.116
                                                Jan 14, 2025 21:03:58.332664967 CET50092445192.168.2.5179.12.193.1
                                                Jan 14, 2025 21:03:58.337434053 CET44550092179.12.193.1192.168.2.5
                                                Jan 14, 2025 21:03:58.337554932 CET44550091179.12.193.116192.168.2.5
                                                Jan 14, 2025 21:03:58.337641001 CET50091445192.168.2.5179.12.193.116
                                                Jan 14, 2025 21:03:58.337717056 CET50092445192.168.2.5179.12.193.1
                                                Jan 14, 2025 21:03:58.337958097 CET50093445192.168.2.5179.12.193.1
                                                Jan 14, 2025 21:03:58.342787981 CET44550092179.12.193.1192.168.2.5
                                                Jan 14, 2025 21:03:58.342803001 CET44550093179.12.193.1192.168.2.5
                                                Jan 14, 2025 21:03:58.342880964 CET50092445192.168.2.5179.12.193.1
                                                Jan 14, 2025 21:03:58.342891932 CET50093445192.168.2.5179.12.193.1
                                                Jan 14, 2025 21:03:58.342925072 CET50093445192.168.2.5179.12.193.1
                                                Jan 14, 2025 21:03:58.347747087 CET44550093179.12.193.1192.168.2.5
                                                Jan 14, 2025 21:03:58.435686111 CET50098445192.168.2.5135.71.100.1
                                                Jan 14, 2025 21:03:58.440710068 CET44550098135.71.100.1192.168.2.5
                                                Jan 14, 2025 21:03:58.442977905 CET50098445192.168.2.5135.71.100.1
                                                Jan 14, 2025 21:03:58.443049908 CET50098445192.168.2.5135.71.100.1
                                                Jan 14, 2025 21:03:58.448353052 CET44550098135.71.100.1192.168.2.5
                                                Jan 14, 2025 21:03:59.393856049 CET44549762133.222.94.1192.168.2.5
                                                Jan 14, 2025 21:03:59.393913031 CET49762445192.168.2.5133.222.94.1
                                                Jan 14, 2025 21:03:59.393964052 CET49762445192.168.2.5133.222.94.1
                                                Jan 14, 2025 21:03:59.394094944 CET49762445192.168.2.5133.222.94.1
                                                Jan 14, 2025 21:03:59.398704052 CET44549762133.222.94.1192.168.2.5
                                                Jan 14, 2025 21:03:59.398804903 CET44549762133.222.94.1192.168.2.5
                                                Jan 14, 2025 21:04:00.341927052 CET50117445192.168.2.542.129.113.223
                                                Jan 14, 2025 21:04:00.404294968 CET50118445192.168.2.5162.139.80.1
                                                Jan 14, 2025 21:04:01.274517059 CET4455011742.129.113.223192.168.2.5
                                                Jan 14, 2025 21:04:01.274529934 CET44550118162.139.80.1192.168.2.5
                                                Jan 14, 2025 21:04:01.274596930 CET50117445192.168.2.542.129.113.223
                                                Jan 14, 2025 21:04:01.274656057 CET50118445192.168.2.5162.139.80.1
                                                Jan 14, 2025 21:04:01.274816990 CET50118445192.168.2.5162.139.80.1
                                                Jan 14, 2025 21:04:01.274822950 CET50117445192.168.2.542.129.113.223
                                                Jan 14, 2025 21:04:01.275109053 CET50119445192.168.2.542.129.113.1
                                                Jan 14, 2025 21:04:01.285070896 CET44550118162.139.80.1192.168.2.5
                                                Jan 14, 2025 21:04:01.285093069 CET4455011942.129.113.1192.168.2.5
                                                Jan 14, 2025 21:04:01.285120010 CET4455011742.129.113.223192.168.2.5
                                                Jan 14, 2025 21:04:01.285193920 CET50117445192.168.2.542.129.113.223
                                                Jan 14, 2025 21:04:01.285209894 CET50119445192.168.2.542.129.113.1
                                                Jan 14, 2025 21:04:01.285289049 CET50119445192.168.2.542.129.113.1
                                                Jan 14, 2025 21:04:01.287014961 CET50120445192.168.2.542.129.113.1
                                                Jan 14, 2025 21:04:01.294281006 CET4455011942.129.113.1192.168.2.5
                                                Jan 14, 2025 21:04:01.294333935 CET50119445192.168.2.542.129.113.1
                                                Jan 14, 2025 21:04:01.296350002 CET4455012042.129.113.1192.168.2.5
                                                Jan 14, 2025 21:04:01.296411991 CET50120445192.168.2.542.129.113.1
                                                Jan 14, 2025 21:04:01.296451092 CET50120445192.168.2.542.129.113.1
                                                Jan 14, 2025 21:04:01.301884890 CET4455012042.129.113.1192.168.2.5
                                                Jan 14, 2025 21:04:01.426338911 CET44549786185.24.227.1192.168.2.5
                                                Jan 14, 2025 21:04:01.426446915 CET49786445192.168.2.5185.24.227.1
                                                Jan 14, 2025 21:04:01.436839104 CET49786445192.168.2.5185.24.227.1
                                                Jan 14, 2025 21:04:01.436929941 CET49786445192.168.2.5185.24.227.1
                                                Jan 14, 2025 21:04:01.441643953 CET44549786185.24.227.1192.168.2.5
                                                Jan 14, 2025 21:04:01.441656113 CET44549786185.24.227.1192.168.2.5
                                                Jan 14, 2025 21:04:02.357681036 CET50126445192.168.2.5146.94.210.4
                                                Jan 14, 2025 21:04:02.363048077 CET44550126146.94.210.4192.168.2.5
                                                Jan 14, 2025 21:04:02.363152981 CET50126445192.168.2.5146.94.210.4
                                                Jan 14, 2025 21:04:02.363261938 CET50126445192.168.2.5146.94.210.4
                                                Jan 14, 2025 21:04:02.363343000 CET50127445192.168.2.5146.94.210.1
                                                Jan 14, 2025 21:04:02.368992090 CET44550126146.94.210.4192.168.2.5
                                                Jan 14, 2025 21:04:02.369075060 CET44550127146.94.210.1192.168.2.5
                                                Jan 14, 2025 21:04:02.369092941 CET50126445192.168.2.5146.94.210.4
                                                Jan 14, 2025 21:04:02.369153976 CET50127445192.168.2.5146.94.210.1
                                                Jan 14, 2025 21:04:02.369235039 CET50127445192.168.2.5146.94.210.1
                                                Jan 14, 2025 21:04:02.369494915 CET50128445192.168.2.5146.94.210.1
                                                Jan 14, 2025 21:04:02.375158072 CET44550127146.94.210.1192.168.2.5
                                                Jan 14, 2025 21:04:02.375191927 CET44550128146.94.210.1192.168.2.5
                                                Jan 14, 2025 21:04:02.375233889 CET50127445192.168.2.5146.94.210.1
                                                Jan 14, 2025 21:04:02.375287056 CET50128445192.168.2.5146.94.210.1
                                                Jan 14, 2025 21:04:02.375308037 CET50128445192.168.2.5146.94.210.1
                                                Jan 14, 2025 21:04:02.380158901 CET44550128146.94.210.1192.168.2.5
                                                Jan 14, 2025 21:04:02.404280901 CET50129445192.168.2.5133.222.94.1
                                                Jan 14, 2025 21:04:02.409662962 CET44550129133.222.94.1192.168.2.5
                                                Jan 14, 2025 21:04:02.409758091 CET50129445192.168.2.5133.222.94.1
                                                Jan 14, 2025 21:04:02.409826994 CET50129445192.168.2.5133.222.94.1
                                                Jan 14, 2025 21:04:02.415177107 CET44550129133.222.94.1192.168.2.5
                                                Jan 14, 2025 21:04:03.660235882 CET445498112.240.171.1192.168.2.5
                                                Jan 14, 2025 21:04:03.660295010 CET49811445192.168.2.52.240.171.1
                                                Jan 14, 2025 21:04:03.660357952 CET49811445192.168.2.52.240.171.1
                                                Jan 14, 2025 21:04:03.660434008 CET49811445192.168.2.52.240.171.1
                                                Jan 14, 2025 21:04:03.665088892 CET445498112.240.171.1192.168.2.5
                                                Jan 14, 2025 21:04:03.665163994 CET445498112.240.171.1192.168.2.5
                                                Jan 14, 2025 21:04:04.381685019 CET50143445192.168.2.5165.250.181.187
                                                Jan 14, 2025 21:04:04.386584044 CET44550143165.250.181.187192.168.2.5
                                                Jan 14, 2025 21:04:04.386689901 CET50143445192.168.2.5165.250.181.187
                                                Jan 14, 2025 21:04:04.386878014 CET50143445192.168.2.5165.250.181.187
                                                Jan 14, 2025 21:04:04.387001038 CET50144445192.168.2.5165.250.181.1
                                                Jan 14, 2025 21:04:04.391964912 CET44550144165.250.181.1192.168.2.5
                                                Jan 14, 2025 21:04:04.391983032 CET44550143165.250.181.187192.168.2.5
                                                Jan 14, 2025 21:04:04.392038107 CET50144445192.168.2.5165.250.181.1
                                                Jan 14, 2025 21:04:04.392071962 CET50143445192.168.2.5165.250.181.187
                                                Jan 14, 2025 21:04:04.393068075 CET50144445192.168.2.5165.250.181.1
                                                Jan 14, 2025 21:04:04.393229961 CET50145445192.168.2.5165.250.181.1
                                                Jan 14, 2025 21:04:04.397954941 CET44550144165.250.181.1192.168.2.5
                                                Jan 14, 2025 21:04:04.398055077 CET50144445192.168.2.5165.250.181.1
                                                Jan 14, 2025 21:04:04.398077965 CET44550145165.250.181.1192.168.2.5
                                                Jan 14, 2025 21:04:04.398127079 CET50145445192.168.2.5165.250.181.1
                                                Jan 14, 2025 21:04:04.400497913 CET50145445192.168.2.5165.250.181.1
                                                Jan 14, 2025 21:04:04.405267954 CET44550145165.250.181.1192.168.2.5
                                                Jan 14, 2025 21:04:04.452758074 CET50147445192.168.2.5185.24.227.1
                                                Jan 14, 2025 21:04:04.459018946 CET44550147185.24.227.1192.168.2.5
                                                Jan 14, 2025 21:04:04.459099054 CET50147445192.168.2.5185.24.227.1
                                                Jan 14, 2025 21:04:04.459647894 CET50147445192.168.2.5185.24.227.1
                                                Jan 14, 2025 21:04:04.465861082 CET44550147185.24.227.1192.168.2.5
                                                Jan 14, 2025 21:04:05.634088993 CET44549842160.40.25.1192.168.2.5
                                                Jan 14, 2025 21:04:05.634157896 CET49842445192.168.2.5160.40.25.1
                                                Jan 14, 2025 21:04:05.634196997 CET49842445192.168.2.5160.40.25.1
                                                Jan 14, 2025 21:04:05.634274006 CET49842445192.168.2.5160.40.25.1
                                                Jan 14, 2025 21:04:05.639414072 CET44549842160.40.25.1192.168.2.5
                                                Jan 14, 2025 21:04:05.639425993 CET44549842160.40.25.1192.168.2.5
                                                Jan 14, 2025 21:04:06.389112949 CET50159445192.168.2.5194.41.210.252
                                                Jan 14, 2025 21:04:06.393951893 CET44550159194.41.210.252192.168.2.5
                                                Jan 14, 2025 21:04:06.396861076 CET50159445192.168.2.5194.41.210.252
                                                Jan 14, 2025 21:04:06.396970987 CET50159445192.168.2.5194.41.210.252
                                                Jan 14, 2025 21:04:06.397213936 CET50160445192.168.2.5194.41.210.1
                                                Jan 14, 2025 21:04:06.401793003 CET44550159194.41.210.252192.168.2.5
                                                Jan 14, 2025 21:04:06.401983976 CET44550160194.41.210.1192.168.2.5
                                                Jan 14, 2025 21:04:06.402046919 CET50159445192.168.2.5194.41.210.252
                                                Jan 14, 2025 21:04:06.402131081 CET50160445192.168.2.5194.41.210.1
                                                Jan 14, 2025 21:04:06.402131081 CET50160445192.168.2.5194.41.210.1
                                                Jan 14, 2025 21:04:06.402446985 CET50161445192.168.2.5194.41.210.1
                                                Jan 14, 2025 21:04:06.407210112 CET44550161194.41.210.1192.168.2.5
                                                Jan 14, 2025 21:04:06.407805920 CET44550160194.41.210.1192.168.2.5
                                                Jan 14, 2025 21:04:06.407917976 CET50160445192.168.2.5194.41.210.1
                                                Jan 14, 2025 21:04:06.407923937 CET50161445192.168.2.5194.41.210.1
                                                Jan 14, 2025 21:04:06.407989979 CET50161445192.168.2.5194.41.210.1
                                                Jan 14, 2025 21:04:06.412796974 CET44550161194.41.210.1192.168.2.5
                                                Jan 14, 2025 21:04:06.670131922 CET50165445192.168.2.52.240.171.1
                                                Jan 14, 2025 21:04:06.674920082 CET445501652.240.171.1192.168.2.5
                                                Jan 14, 2025 21:04:06.675002098 CET50165445192.168.2.52.240.171.1
                                                Jan 14, 2025 21:04:06.675048113 CET50165445192.168.2.52.240.171.1
                                                Jan 14, 2025 21:04:06.679904938 CET445501652.240.171.1192.168.2.5
                                                Jan 14, 2025 21:04:07.633934021 CET4454988076.35.66.1192.168.2.5
                                                Jan 14, 2025 21:04:07.634021997 CET49880445192.168.2.576.35.66.1
                                                Jan 14, 2025 21:04:07.634021997 CET49880445192.168.2.576.35.66.1
                                                Jan 14, 2025 21:04:07.634067059 CET49880445192.168.2.576.35.66.1
                                                Jan 14, 2025 21:04:07.638853073 CET4454988076.35.66.1192.168.2.5
                                                Jan 14, 2025 21:04:07.638874054 CET4454988076.35.66.1192.168.2.5
                                                Jan 14, 2025 21:04:08.404829025 CET50176445192.168.2.5204.215.189.78
                                                Jan 14, 2025 21:04:08.409708023 CET44550176204.215.189.78192.168.2.5
                                                Jan 14, 2025 21:04:08.409780979 CET50176445192.168.2.5204.215.189.78
                                                Jan 14, 2025 21:04:08.409802914 CET50176445192.168.2.5204.215.189.78
                                                Jan 14, 2025 21:04:08.409991026 CET50177445192.168.2.5204.215.189.1
                                                Jan 14, 2025 21:04:08.414769888 CET44550177204.215.189.1192.168.2.5
                                                Jan 14, 2025 21:04:08.414869070 CET50177445192.168.2.5204.215.189.1
                                                Jan 14, 2025 21:04:08.414869070 CET50177445192.168.2.5204.215.189.1
                                                Jan 14, 2025 21:04:08.414880037 CET44550176204.215.189.78192.168.2.5
                                                Jan 14, 2025 21:04:08.414930105 CET50176445192.168.2.5204.215.189.78
                                                Jan 14, 2025 21:04:08.415236950 CET50178445192.168.2.5204.215.189.1
                                                Jan 14, 2025 21:04:08.419886112 CET44550177204.215.189.1192.168.2.5
                                                Jan 14, 2025 21:04:08.419934034 CET50177445192.168.2.5204.215.189.1
                                                Jan 14, 2025 21:04:08.419998884 CET44550178204.215.189.1192.168.2.5
                                                Jan 14, 2025 21:04:08.420061111 CET50178445192.168.2.5204.215.189.1
                                                Jan 14, 2025 21:04:08.420123100 CET50178445192.168.2.5204.215.189.1
                                                Jan 14, 2025 21:04:08.424834013 CET44550178204.215.189.1192.168.2.5
                                                Jan 14, 2025 21:04:08.639364958 CET50181445192.168.2.5160.40.25.1
                                                Jan 14, 2025 21:04:08.644153118 CET44550181160.40.25.1192.168.2.5
                                                Jan 14, 2025 21:04:08.645061970 CET50181445192.168.2.5160.40.25.1
                                                Jan 14, 2025 21:04:08.645061970 CET50181445192.168.2.5160.40.25.1
                                                Jan 14, 2025 21:04:08.649884939 CET44550181160.40.25.1192.168.2.5
                                                Jan 14, 2025 21:04:09.773047924 CET44549915131.113.135.1192.168.2.5
                                                Jan 14, 2025 21:04:09.773112059 CET49915445192.168.2.5131.113.135.1
                                                Jan 14, 2025 21:04:09.773245096 CET49915445192.168.2.5131.113.135.1
                                                Jan 14, 2025 21:04:09.773422956 CET49915445192.168.2.5131.113.135.1
                                                Jan 14, 2025 21:04:09.780157089 CET44549915131.113.135.1192.168.2.5
                                                Jan 14, 2025 21:04:09.780270100 CET44549915131.113.135.1192.168.2.5
                                                Jan 14, 2025 21:04:10.281925917 CET50192445192.168.2.596.109.54.136
                                                Jan 14, 2025 21:04:10.286752939 CET4455019296.109.54.136192.168.2.5
                                                Jan 14, 2025 21:04:10.287012100 CET50192445192.168.2.596.109.54.136
                                                Jan 14, 2025 21:04:10.288122892 CET50192445192.168.2.596.109.54.136
                                                Jan 14, 2025 21:04:10.288441896 CET50193445192.168.2.596.109.54.1
                                                Jan 14, 2025 21:04:10.292951107 CET4455019296.109.54.136192.168.2.5
                                                Jan 14, 2025 21:04:10.293051004 CET50192445192.168.2.596.109.54.136
                                                Jan 14, 2025 21:04:10.293226004 CET4455019396.109.54.1192.168.2.5
                                                Jan 14, 2025 21:04:10.293351889 CET50193445192.168.2.596.109.54.1
                                                Jan 14, 2025 21:04:10.293628931 CET50193445192.168.2.596.109.54.1
                                                Jan 14, 2025 21:04:10.293899059 CET50194445192.168.2.596.109.54.1
                                                Jan 14, 2025 21:04:10.298671007 CET4455019496.109.54.1192.168.2.5
                                                Jan 14, 2025 21:04:10.298732996 CET50194445192.168.2.596.109.54.1
                                                Jan 14, 2025 21:04:10.299161911 CET4455019396.109.54.1192.168.2.5
                                                Jan 14, 2025 21:04:10.299336910 CET50193445192.168.2.596.109.54.1
                                                Jan 14, 2025 21:04:10.300374031 CET50194445192.168.2.596.109.54.1
                                                Jan 14, 2025 21:04:10.305191994 CET4455019496.109.54.1192.168.2.5
                                                Jan 14, 2025 21:04:10.639126062 CET50195445192.168.2.576.35.66.1
                                                Jan 14, 2025 21:04:10.644356966 CET4455019576.35.66.1192.168.2.5
                                                Jan 14, 2025 21:04:10.644462109 CET50195445192.168.2.576.35.66.1
                                                Jan 14, 2025 21:04:10.644489050 CET50195445192.168.2.576.35.66.1
                                                Jan 14, 2025 21:04:10.649528027 CET4455019576.35.66.1192.168.2.5
                                                Jan 14, 2025 21:04:11.647970915 CET4454995135.61.65.1192.168.2.5
                                                Jan 14, 2025 21:04:11.648051977 CET49951445192.168.2.535.61.65.1
                                                Jan 14, 2025 21:04:11.648153067 CET49951445192.168.2.535.61.65.1
                                                Jan 14, 2025 21:04:11.648196936 CET49951445192.168.2.535.61.65.1
                                                Jan 14, 2025 21:04:11.653090000 CET4454995135.61.65.1192.168.2.5
                                                Jan 14, 2025 21:04:11.653537035 CET4454995135.61.65.1192.168.2.5
                                                Jan 14, 2025 21:04:12.029756069 CET50205445192.168.2.534.226.78.128
                                                Jan 14, 2025 21:04:12.034595966 CET4455020534.226.78.128192.168.2.5
                                                Jan 14, 2025 21:04:12.034708023 CET50205445192.168.2.534.226.78.128
                                                Jan 14, 2025 21:04:12.034749985 CET50205445192.168.2.534.226.78.128
                                                Jan 14, 2025 21:04:12.034971952 CET50206445192.168.2.534.226.78.1
                                                Jan 14, 2025 21:04:12.039720058 CET4455020534.226.78.128192.168.2.5
                                                Jan 14, 2025 21:04:12.039777994 CET50205445192.168.2.534.226.78.128
                                                Jan 14, 2025 21:04:12.039830923 CET4455020634.226.78.1192.168.2.5
                                                Jan 14, 2025 21:04:12.039896011 CET50206445192.168.2.534.226.78.1
                                                Jan 14, 2025 21:04:12.039913893 CET50206445192.168.2.534.226.78.1
                                                Jan 14, 2025 21:04:12.040169954 CET50207445192.168.2.534.226.78.1
                                                Jan 14, 2025 21:04:12.044827938 CET4455020634.226.78.1192.168.2.5
                                                Jan 14, 2025 21:04:12.045012951 CET50206445192.168.2.534.226.78.1
                                                Jan 14, 2025 21:04:12.045093060 CET4455020734.226.78.1192.168.2.5
                                                Jan 14, 2025 21:04:12.045166969 CET50207445192.168.2.534.226.78.1
                                                Jan 14, 2025 21:04:12.045212984 CET50207445192.168.2.534.226.78.1
                                                Jan 14, 2025 21:04:12.050024986 CET4455020734.226.78.1192.168.2.5
                                                Jan 14, 2025 21:04:12.780268908 CET50213445192.168.2.5131.113.135.1
                                                Jan 14, 2025 21:04:12.785078049 CET44550213131.113.135.1192.168.2.5
                                                Jan 14, 2025 21:04:12.785312891 CET50213445192.168.2.5131.113.135.1
                                                Jan 14, 2025 21:04:12.785342932 CET50213445192.168.2.5131.113.135.1
                                                Jan 14, 2025 21:04:12.790095091 CET44550213131.113.135.1192.168.2.5
                                                Jan 14, 2025 21:04:13.663769960 CET44549987114.118.212.1192.168.2.5
                                                Jan 14, 2025 21:04:13.663872004 CET49987445192.168.2.5114.118.212.1
                                                Jan 14, 2025 21:04:13.663917065 CET49987445192.168.2.5114.118.212.1
                                                Jan 14, 2025 21:04:13.663954973 CET49987445192.168.2.5114.118.212.1
                                                Jan 14, 2025 21:04:13.669204950 CET44549987114.118.212.1192.168.2.5
                                                Jan 14, 2025 21:04:13.669259071 CET44549987114.118.212.1192.168.2.5
                                                Jan 14, 2025 21:04:13.670979977 CET50219445192.168.2.562.93.61.140
                                                Jan 14, 2025 21:04:13.675796986 CET4455021962.93.61.140192.168.2.5
                                                Jan 14, 2025 21:04:13.675862074 CET50219445192.168.2.562.93.61.140
                                                Jan 14, 2025 21:04:13.675995111 CET50219445192.168.2.562.93.61.140
                                                Jan 14, 2025 21:04:13.676129103 CET50220445192.168.2.562.93.61.1
                                                Jan 14, 2025 21:04:13.680803061 CET4455021962.93.61.140192.168.2.5
                                                Jan 14, 2025 21:04:13.680866003 CET50219445192.168.2.562.93.61.140
                                                Jan 14, 2025 21:04:13.680928946 CET4455022062.93.61.1192.168.2.5
                                                Jan 14, 2025 21:04:13.680991888 CET50220445192.168.2.562.93.61.1
                                                Jan 14, 2025 21:04:13.681041002 CET50220445192.168.2.562.93.61.1
                                                Jan 14, 2025 21:04:13.681339979 CET50221445192.168.2.562.93.61.1
                                                Jan 14, 2025 21:04:13.685985088 CET4455022062.93.61.1192.168.2.5
                                                Jan 14, 2025 21:04:13.686041117 CET50220445192.168.2.562.93.61.1
                                                Jan 14, 2025 21:04:13.686199903 CET4455022162.93.61.1192.168.2.5
                                                Jan 14, 2025 21:04:13.686266899 CET50221445192.168.2.562.93.61.1
                                                Jan 14, 2025 21:04:13.686291933 CET50221445192.168.2.562.93.61.1
                                                Jan 14, 2025 21:04:13.691099882 CET4455022162.93.61.1192.168.2.5
                                                Jan 14, 2025 21:04:14.654263973 CET50228445192.168.2.535.61.65.1
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 14, 2025 21:04:14.659292936 CET | 445 | 50228 | 35.61.65.1 | 192.168.2.5
Jan 14, 2025 21:04:14.659424067 CET | 50228 | 445 | 192.168.2.5 | 35.61.65.1
Jan 14, 2025 21:04:14.659621954 CET | 50228 | 445 | 192.168.2.5 | 35.61.65.1
Jan 14, 2025 21:04:14.664458036 CET | 445 | 50228 | 35.61.65.1 | 192.168.2.5
Jan 14, 2025 21:04:15.203282118 CET | 50233 | 445 | 192.168.2.5 | 141.56.77.160
Jan 14, 2025 21:04:15.208116055 CET | 445 | 50233 | 141.56.77.160 | 192.168.2.5
Jan 14, 2025 21:04:15.208209038 CET | 50233 | 445 | 192.168.2.5 | 141.56.77.160
Jan 14, 2025 21:04:15.208265066 CET | 50233 | 445 | 192.168.2.5 | 141.56.77.160
Jan 14, 2025 21:04:15.208417892 CET | 50234 | 445 | 192.168.2.5 | 141.56.77.1
Jan 14, 2025 21:04:15.213109970 CET | 445 | 50233 | 141.56.77.160 | 192.168.2.5
Jan 14, 2025 21:04:15.213190079 CET | 445 | 50234 | 141.56.77.1 | 192.168.2.5
Jan 14, 2025 21:04:15.213192940 CET | 50233 | 445 | 192.168.2.5 | 141.56.77.160
Jan 14, 2025 21:04:15.213248968 CET | 50234 | 445 | 192.168.2.5 | 141.56.77.1
Jan 14, 2025 21:04:15.213310957 CET | 50234 | 445 | 192.168.2.5 | 141.56.77.1
Jan 14, 2025 21:04:15.213706017 CET | 50235 | 445 | 192.168.2.5 | 141.56.77.1
Jan 14, 2025 21:04:15.218343019 CET | 445 | 50234 | 141.56.77.1 | 192.168.2.5
Jan 14, 2025 21:04:15.218419075 CET | 50234 | 445 | 192.168.2.5 | 141.56.77.1
Jan 14, 2025 21:04:15.218502998 CET | 445 | 50235 | 141.56.77.1 | 192.168.2.5
Jan 14, 2025 21:04:15.218556881 CET | 50235 | 445 | 192.168.2.5 | 141.56.77.1
Jan 14, 2025 21:04:15.218579054 CET | 50235 | 445 | 192.168.2.5 | 141.56.77.1
Jan 14, 2025 21:04:15.223356962 CET | 445 | 50235 | 141.56.77.1 | 192.168.2.5
Jan 14, 2025 21:04:15.695194006 CET | 445 | 50018 | 28.125.169.1 | 192.168.2.5
Jan 14, 2025 21:04:15.695276976 CET | 50018 | 445 | 192.168.2.5 | 28.125.169.1
Jan 14, 2025 21:04:15.735903978 CET | 50018 | 445 | 192.168.2.5 | 28.125.169.1
Jan 14, 2025 21:04:15.735903978 CET | 50018 | 445 | 192.168.2.5 | 28.125.169.1
Jan 14, 2025 21:04:15.740747929 CET | 445 | 50018 | 28.125.169.1 | 192.168.2.5
Jan 14, 2025 21:04:15.740761042 CET | 445 | 50018 | 28.125.169.1 | 192.168.2.5
Jan 14, 2025 21:04:16.623707056 CET | 50243 | 445 | 192.168.2.5 | 172.73.100.23
Jan 14, 2025 21:04:16.628470898 CET | 445 | 50243 | 172.73.100.23 | 192.168.2.5
Jan 14, 2025 21:04:16.628540993 CET | 50243 | 445 | 192.168.2.5 | 172.73.100.23
Jan 14, 2025 21:04:16.628587008 CET | 50243 | 445 | 192.168.2.5 | 172.73.100.23
Jan 14, 2025 21:04:16.628757000 CET | 50244 | 445 | 192.168.2.5 | 172.73.100.1
Jan 14, 2025 21:04:16.633493900 CET | 445 | 50243 | 172.73.100.23 | 192.168.2.5
Jan 14, 2025 21:04:16.633543015 CET | 445 | 50244 | 172.73.100.1 | 192.168.2.5
Jan 14, 2025 21:04:16.633570910 CET | 50243 | 445 | 192.168.2.5 | 172.73.100.23
Jan 14, 2025 21:04:16.633619070 CET | 50244 | 445 | 192.168.2.5 | 172.73.100.1
Jan 14, 2025 21:04:16.633718967 CET | 50244 | 445 | 192.168.2.5 | 172.73.100.1
Jan 14, 2025 21:04:16.634052038 CET | 50245 | 445 | 192.168.2.5 | 172.73.100.1
Jan 14, 2025 21:04:16.638648987 CET | 445 | 50244 | 172.73.100.1 | 192.168.2.5
Jan 14, 2025 21:04:16.638724089 CET | 50244 | 445 | 192.168.2.5 | 172.73.100.1
Jan 14, 2025 21:04:16.638812065 CET | 445 | 50245 | 172.73.100.1 | 192.168.2.5
Jan 14, 2025 21:04:16.638870001 CET | 50245 | 445 | 192.168.2.5 | 172.73.100.1
Jan 14, 2025 21:04:16.638906956 CET | 50245 | 445 | 192.168.2.5 | 172.73.100.1
Jan 14, 2025 21:04:16.643671989 CET | 445 | 50245 | 172.73.100.1 | 192.168.2.5
Jan 14, 2025 21:04:16.670346975 CET | 50246 | 445 | 192.168.2.5 | 114.118.212.1
Jan 14, 2025 21:04:16.675174952 CET | 445 | 50246 | 114.118.212.1 | 192.168.2.5
Jan 14, 2025 21:04:16.675252914 CET | 50246 | 445 | 192.168.2.5 | 114.118.212.1
Jan 14, 2025 21:04:16.675303936 CET | 50246 | 445 | 192.168.2.5 | 114.118.212.1
Jan 14, 2025 21:04:16.680143118 CET | 445 | 50246 | 114.118.212.1 | 192.168.2.5
Jan 14, 2025 21:04:17.728013992 CET | 445 | 50057 | 94.64.50.1 | 192.168.2.5
Jan 14, 2025 21:04:17.728108883 CET | 50057 | 445 | 192.168.2.5 | 94.64.50.1
Jan 14, 2025 21:04:17.728179932 CET | 50057 | 445 | 192.168.2.5 | 94.64.50.1
Jan 14, 2025 21:04:17.728245020 CET | 50057 | 445 | 192.168.2.5 | 94.64.50.1
Jan 14, 2025 21:04:17.732964039 CET | 445 | 50057 | 94.64.50.1 | 192.168.2.5
Jan 14, 2025 21:04:17.732988119 CET | 445 | 50057 | 94.64.50.1 | 192.168.2.5
Jan 14, 2025 21:04:17.951531887 CET | 50256 | 445 | 192.168.2.5 | 92.187.212.47
Jan 14, 2025 21:04:17.956363916 CET | 445 | 50256 | 92.187.212.47 | 192.168.2.5
Jan 14, 2025 21:04:17.956613064 CET | 50256 | 445 | 192.168.2.5 | 92.187.212.47
Jan 14, 2025 21:04:17.956655979 CET | 50256 | 445 | 192.168.2.5 | 92.187.212.47
Jan 14, 2025 21:04:17.957046986 CET | 50257 | 445 | 192.168.2.5 | 92.187.212.1
Jan 14, 2025 21:04:17.961677074 CET | 445 | 50256 | 92.187.212.47 | 192.168.2.5
Jan 14, 2025 21:04:17.961771011 CET | 50256 | 445 | 192.168.2.5 | 92.187.212.47
Jan 14, 2025 21:04:17.961869001 CET | 445 | 50257 | 92.187.212.1 | 192.168.2.5
Jan 14, 2025 21:04:17.961951971 CET | 50257 | 445 | 192.168.2.5 | 92.187.212.1
Jan 14, 2025 21:04:17.962028980 CET | 50257 | 445 | 192.168.2.5 | 92.187.212.1
Jan 14, 2025 21:04:17.962444067 CET | 50258 | 445 | 192.168.2.5 | 92.187.212.1
Jan 14, 2025 21:04:17.967238903 CET | 445 | 50258 | 92.187.212.1 | 192.168.2.5
Jan 14, 2025 21:04:17.967346907 CET | 50258 | 445 | 192.168.2.5 | 92.187.212.1
Jan 14, 2025 21:04:17.967367887 CET | 50258 | 445 | 192.168.2.5 | 92.187.212.1
Jan 14, 2025 21:04:17.968209028 CET | 445 | 50257 | 92.187.212.1 | 192.168.2.5
Jan 14, 2025 21:04:17.969162941 CET | 445 | 50257 | 92.187.212.1 | 192.168.2.5
Jan 14, 2025 21:04:17.969221115 CET | 50257 | 445 | 192.168.2.5 | 92.187.212.1
Jan 14, 2025 21:04:17.972127914 CET | 445 | 50258 | 92.187.212.1 | 192.168.2.5
Jan 14, 2025 21:04:18.747997999 CET | 50264 | 445 | 192.168.2.5 | 28.125.169.1
Jan 14, 2025 21:04:18.753103971 CET | 445 | 50264 | 28.125.169.1 | 192.168.2.5
Jan 14, 2025 21:04:18.753173113 CET | 50264 | 445 | 192.168.2.5 | 28.125.169.1
Jan 14, 2025 21:04:18.753196955 CET | 50264 | 445 | 192.168.2.5 | 28.125.169.1
Jan 14, 2025 21:04:18.758121014 CET | 445 | 50264 | 28.125.169.1 | 192.168.2.5
Jan 14, 2025 21:04:19.201852083 CET | 50269 | 445 | 192.168.2.5 | 184.102.23.157
Jan 14, 2025 21:04:19.206718922 CET | 445 | 50269 | 184.102.23.157 | 192.168.2.5
Jan 14, 2025 21:04:19.206847906 CET | 50269 | 445 | 192.168.2.5 | 184.102.23.157
Jan 14, 2025 21:04:19.206979990 CET | 50269 | 445 | 192.168.2.5 | 184.102.23.157
Jan 14, 2025 21:04:19.207190037 CET | 50270 | 445 | 192.168.2.5 | 184.102.23.1
Jan 14, 2025 21:04:19.212003946 CET | 445 | 50270 | 184.102.23.1 | 192.168.2.5
Jan 14, 2025 21:04:19.212090969 CET | 50270 | 445 | 192.168.2.5 | 184.102.23.1
Jan 14, 2025 21:04:19.213241100 CET | 445 | 50269 | 184.102.23.157 | 192.168.2.5
Jan 14, 2025 21:04:19.213301897 CET | 50269 | 445 | 192.168.2.5 | 184.102.23.157
Jan 14, 2025 21:04:19.217195988 CET | 50270 | 445 | 192.168.2.5 | 184.102.23.1
Jan 14, 2025 21:04:19.217823029 CET | 50271 | 445 | 192.168.2.5 | 184.102.23.1
Jan 14, 2025 21:04:19.222110033 CET | 445 | 50270 | 184.102.23.1 | 192.168.2.5
Jan 14, 2025 21:04:19.222162962 CET | 50270 | 445 | 192.168.2.5 | 184.102.23.1
Jan 14, 2025 21:04:19.222589970 CET | 445 | 50271 | 184.102.23.1 | 192.168.2.5
Jan 14, 2025 21:04:19.222651005 CET | 50271 | 445 | 192.168.2.5 | 184.102.23.1
Jan 14, 2025 21:04:19.222738981 CET | 50271 | 445 | 192.168.2.5 | 184.102.23.1
Jan 14, 2025 21:04:19.227479935 CET | 445 | 50271 | 184.102.23.1 | 192.168.2.5
Jan 14, 2025 21:04:19.708538055 CET | 445 | 50093 | 179.12.193.1 | 192.168.2.5
Jan 14, 2025 21:04:19.708663940 CET | 50093 | 445 | 192.168.2.5 | 179.12.193.1
Jan 14, 2025 21:04:19.708718061 CET | 50093 | 445 | 192.168.2.5 | 179.12.193.1
Jan 14, 2025 21:04:19.708780050 CET | 50093 | 445 | 192.168.2.5 | 179.12.193.1
Jan 14, 2025 21:04:19.713490009 CET | 445 | 50093 | 179.12.193.1 | 192.168.2.5
Jan 14, 2025 21:04:19.713550091 CET | 445 | 50093 | 179.12.193.1 | 192.168.2.5
Jan 14, 2025 21:04:19.833621979 CET | 445 | 50098 | 135.71.100.1 | 192.168.2.5
Jan 14, 2025 21:04:19.833745003 CET | 50098 | 445 | 192.168.2.5 | 135.71.100.1
Jan 14, 2025 21:04:19.833807945 CET | 50098 | 445 | 192.168.2.5 | 135.71.100.1
Jan 14, 2025 21:04:19.833875895 CET | 50098 | 445 | 192.168.2.5 | 135.71.100.1
Jan 14, 2025 21:04:19.838660002 CET | 445 | 50098 | 135.71.100.1 | 192.168.2.5
Jan 14, 2025 21:04:19.838682890 CET | 445 | 50098 | 135.71.100.1 | 192.168.2.5
Jan 14, 2025 21:04:19.888756037 CET | 50274 | 445 | 192.168.2.5 | 135.71.100.2
Jan 14, 2025 21:04:19.893619061 CET | 445 | 50274 | 135.71.100.2 | 192.168.2.5
Jan 14, 2025 21:04:19.893734932 CET | 50274 | 445 | 192.168.2.5 | 135.71.100.2
Jan 14, 2025 21:04:19.893745899 CET | 50274 | 445 | 192.168.2.5 | 135.71.100.2
Jan 14, 2025 21:04:19.894129038 CET | 50275 | 445 | 192.168.2.5 | 135.71.100.2
Jan 14, 2025 21:04:19.898619890 CET | 445 | 50274 | 135.71.100.2 | 192.168.2.5
Jan 14, 2025 21:04:19.898668051 CET | 50274 | 445 | 192.168.2.5 | 135.71.100.2
Jan 14, 2025 21:04:19.898935080 CET | 445 | 50275 | 135.71.100.2 | 192.168.2.5
Jan 14, 2025 21:04:19.898998976 CET | 50275 | 445 | 192.168.2.5 | 135.71.100.2
Jan 14, 2025 21:04:19.899054050 CET | 50275 | 445 | 192.168.2.5 | 135.71.100.2
Jan 14, 2025 21:04:19.903795958 CET | 445 | 50275 | 135.71.100.2 | 192.168.2.5
Jan 14, 2025 21:04:20.358385086 CET | 50280 | 445 | 192.168.2.5 | 207.58.177.56
Jan 14, 2025 21:04:20.363385916 CET | 445 | 50280 | 207.58.177.56 | 192.168.2.5
Jan 14, 2025 21:04:20.363553047 CET | 50280 | 445 | 192.168.2.5 | 207.58.177.56
Jan 14, 2025 21:04:20.363553047 CET | 50280 | 445 | 192.168.2.5 | 207.58.177.56
Jan 14, 2025 21:04:20.363678932 CET | 50281 | 445 | 192.168.2.5 | 207.58.177.1
Jan 14, 2025 21:04:20.368556023 CET | 445 | 50281 | 207.58.177.1 | 192.168.2.5
Jan 14, 2025 21:04:20.368607998 CET | 445 | 50280 | 207.58.177.56 | 192.168.2.5
Jan 14, 2025 21:04:20.368618965 CET | 50281 | 445 | 192.168.2.5 | 207.58.177.1
Jan 14, 2025 21:04:20.368635893 CET | 50281 | 445 | 192.168.2.5 | 207.58.177.1
Jan 14, 2025 21:04:20.368655920 CET | 50280 | 445 | 192.168.2.5 | 207.58.177.56
Jan 14, 2025 21:04:20.368896008 CET | 50282 | 445 | 192.168.2.5 | 207.58.177.1
Jan 14, 2025 21:04:20.373619080 CET | 445 | 50281 | 207.58.177.1 | 192.168.2.5
Jan 14, 2025 21:04:20.373672962 CET | 50281 | 445 | 192.168.2.5 | 207.58.177.1
Jan 14, 2025 21:04:20.373733044 CET | 445 | 50282 | 207.58.177.1 | 192.168.2.5
Jan 14, 2025 21:04:20.373949051 CET | 50282 | 445 | 192.168.2.5 | 207.58.177.1
Jan 14, 2025 21:04:20.374005079 CET | 50282 | 445 | 192.168.2.5 | 207.58.177.1
Jan 14, 2025 21:04:20.378772020 CET | 445 | 50282 | 207.58.177.1 | 192.168.2.5
Jan 14, 2025 21:04:20.732631922 CET | 50286 | 445 | 192.168.2.5 | 94.64.50.1
Jan 14, 2025 21:04:20.737546921 CET | 445 | 50286 | 94.64.50.1 | 192.168.2.5
Jan 14, 2025 21:04:20.737607002 CET | 50286 | 445 | 192.168.2.5 | 94.64.50.1
Jan 14, 2025 21:04:20.737644911 CET | 50286 | 445 | 192.168.2.5 | 94.64.50.1
Jan 14, 2025 21:04:20.742850065 CET | 445 | 50286 | 94.64.50.1 | 192.168.2.5
Jan 14, 2025 21:04:21.667334080 CET | 50289 | 445 | 192.168.2.5 | 114.238.159.196
Jan 14, 2025 21:04:21.672205925 CET | 445 | 50289 | 114.238.159.196 | 192.168.2.5
Jan 14, 2025 21:04:21.672278881 CET | 50289 | 445 | 192.168.2.5 | 114.238.159.196
Jan 14, 2025 21:04:21.672369957 CET | 50289 | 445 | 192.168.2.5 | 114.238.159.196
Jan 14, 2025 21:04:21.672521114 CET | 50290 | 445 | 192.168.2.5 | 114.238.159.1
Jan 14, 2025 21:04:21.677316904 CET | 445 | 50289 | 114.238.159.196 | 192.168.2.5
Jan 14, 2025 21:04:21.677330017 CET | 445 | 50290 | 114.238.159.1 | 192.168.2.5
Jan 14, 2025 21:04:21.677370071 CET | 50289 | 445 | 192.168.2.5 | 114.238.159.196
Jan 14, 2025 21:04:21.677402973 CET | 50290 | 445 | 192.168.2.5 | 114.238.159.1
Jan 14, 2025 21:04:21.677484989 CET | 50290 | 445 | 192.168.2.5 | 114.238.159.1
Jan 14, 2025 21:04:21.682307005 CET | 445 | 50290 | 114.238.159.1 | 192.168.2.5
Jan 14, 2025 21:04:21.682364941 CET | 50290 | 445 | 192.168.2.5 | 114.238.159.1
Jan 14, 2025 21:04:21.722404957 CET | 50291 | 445 | 192.168.2.5 | 114.238.159.1
Jan 14, 2025 21:04:21.727322102 CET | 445 | 50291 | 114.238.159.1 | 192.168.2.5
Jan 14, 2025 21:04:21.727390051 CET | 50291 | 445 | 192.168.2.5 | 114.238.159.1
Jan 14, 2025 21:04:21.729120970 CET | 50291 | 445 | 192.168.2.5 | 114.238.159.1
Jan 14, 2025 21:04:21.733983994 CET | 445 | 50291 | 114.238.159.1 | 192.168.2.5
Jan 14, 2025 21:04:22.498667955 CET | 50297 | 445 | 192.168.2.5 | 183.211.102.207
Jan 14, 2025 21:04:22.503511906 CET | 445 | 50297 | 183.211.102.207 | 192.168.2.5
Jan 14, 2025 21:04:22.503575087 CET | 50297 | 445 | 192.168.2.5 | 183.211.102.207
Jan 14, 2025 21:04:22.503598928 CET | 50297 | 445 | 192.168.2.5 | 183.211.102.207
Jan 14, 2025 21:04:22.503788948 CET | 50298 | 445 | 192.168.2.5 | 183.211.102.1
Jan 14, 2025 21:04:22.508555889 CET | 445 | 50298 | 183.211.102.1 | 192.168.2.5
Jan 14, 2025 21:04:22.508570910 CET | 445 | 50297 | 183.211.102.207 | 192.168.2.5
Jan 14, 2025 21:04:22.508614063 CET | 50298 | 445 | 192.168.2.5 | 183.211.102.1
Jan 14, 2025 21:04:22.508626938 CET | 50298 | 445 | 192.168.2.5 | 183.211.102.1
Jan 14, 2025 21:04:22.508662939 CET | 50297 | 445 | 192.168.2.5 | 183.211.102.207
Jan 14, 2025 21:04:22.508898973 CET | 50299 | 445 | 192.168.2.5 | 183.211.102.1
Jan 14, 2025 21:04:22.513550997 CET | 445 | 50298 | 183.211.102.1 | 192.168.2.5
Jan 14, 2025 21:04:22.513614893 CET | 50298 | 445 | 192.168.2.5 | 183.211.102.1
Jan 14, 2025 21:04:22.513695002 CET | 445 | 50299 | 183.211.102.1 | 192.168.2.5
Jan 14, 2025 21:04:22.513751030 CET | 50299 | 445 | 192.168.2.5 | 183.211.102.1
Jan 14, 2025 21:04:22.513807058 CET | 50299 | 445 | 192.168.2.5 | 183.211.102.1
Jan 14, 2025 21:04:22.518582106 CET | 445 | 50299 | 183.211.102.1 | 192.168.2.5
Jan 14, 2025 21:04:22.644392014 CET | 445 | 50120 | 42.129.113.1 | 192.168.2.5
Jan 14, 2025 21:04:22.647300005 CET | 50120 | 445 | 192.168.2.5 | 42.129.113.1
Jan 14, 2025 21:04:22.647334099 CET | 50120 | 445 | 192.168.2.5 | 42.129.113.1
Jan 14, 2025 21:04:22.647377968 CET | 50120 | 445 | 192.168.2.5 | 42.129.113.1
Jan 14, 2025 21:04:22.649974108 CET | 445 | 50118 | 162.139.80.1 | 192.168.2.5
Jan 14, 2025 21:04:22.650039911 CET | 50118 | 445 | 192.168.2.5 | 162.139.80.1
Jan 14, 2025 21:04:22.650141954 CET | 50118 | 445 | 192.168.2.5 | 162.139.80.1
Jan 14, 2025 21:04:22.650259018 CET | 50118 | 445 | 192.168.2.5 | 162.139.80.1
Jan 14, 2025 21:04:22.654484987 CET | 445 | 50120 | 42.129.113.1 | 192.168.2.5
Jan 14, 2025 21:04:22.654975891 CET | 445 | 50120 | 42.129.113.1 | 192.168.2.5
Jan 14, 2025 21:04:22.657798052 CET | 445 | 50118 | 162.139.80.1 | 192.168.2.5
Jan 14, 2025 21:04:22.660614967 CET | 445 | 50118 | 162.139.80.1 | 192.168.2.5
Jan 14, 2025 21:04:22.701622963 CET | 50305 | 445 | 192.168.2.5 | 162.139.80.2
Jan 14, 2025 21:04:22.707442045 CET | 445 | 50305 | 162.139.80.2 | 192.168.2.5
Jan 14, 2025 21:04:22.711503983 CET | 50305 | 445 | 192.168.2.5 | 162.139.80.2
Jan 14, 2025 21:04:22.711524010 CET | 50305 | 445 | 192.168.2.5 | 162.139.80.2
Jan 14, 2025 21:04:22.716757059 CET | 50306 | 445 | 192.168.2.5 | 179.12.193.1
Jan 14, 2025 21:04:22.716814995 CET | 445 | 50305 | 162.139.80.2 | 192.168.2.5
Jan 14, 2025 21:04:22.718930960 CET | 50305 | 445 | 192.168.2.5 | 162.139.80.2
Jan 14, 2025 21:04:22.723875999 CET | 445 | 50306 | 179.12.193.1 | 192.168.2.5
Jan 14, 2025 21:04:22.727216959 CET | 50307 | 445 | 192.168.2.5 | 162.139.80.2
Jan 14, 2025 21:04:22.727272034 CET | 50306 | 445 | 192.168.2.5 | 179.12.193.1
Jan 14, 2025 21:04:22.727313042 CET | 50306 | 445 | 192.168.2.5 | 179.12.193.1
Jan 14, 2025 21:04:22.732145071 CET | 445 | 50307 | 162.139.80.2 | 192.168.2.5
Jan 14, 2025 21:04:22.732156038 CET | 445 | 50306 | 179.12.193.1 | 192.168.2.5
Jan 14, 2025 21:04:22.732254982 CET | 50307 | 445 | 192.168.2.5 | 162.139.80.2
Jan 14, 2025 21:04:22.732254982 CET | 50307 | 445 | 192.168.2.5 | 162.139.80.2
Jan 14, 2025 21:04:22.737083912 CET | 445 | 50307 | 162.139.80.2 | 192.168.2.5
Jan 14, 2025 21:04:23.436635017 CET | 50310 | 445 | 192.168.2.5 | 185.1.71.234
Jan 14, 2025 21:04:23.441445112 CET | 445 | 50310 | 185.1.71.234 | 192.168.2.5
Jan 14, 2025 21:04:23.441512108 CET | 50310 | 445 | 192.168.2.5 | 185.1.71.234
Jan 14, 2025 21:04:23.441545010 CET | 50310 | 445 | 192.168.2.5 | 185.1.71.234
Jan 14, 2025 21:04:23.441706896 CET | 50313 | 445 | 192.168.2.5 | 185.1.71.1
Jan 14, 2025 21:04:23.446753979 CET | 445 | 50313 | 185.1.71.1 | 192.168.2.5
Jan 14, 2025 21:04:23.446768999 CET | 445 | 50310 | 185.1.71.234 | 192.168.2.5
Jan 14, 2025 21:04:23.446826935 CET | 50310 | 445 | 192.168.2.5 | 185.1.71.234
Jan 14, 2025 21:04:23.446893930 CET | 50313 | 445 | 192.168.2.5 | 185.1.71.1
Jan 14, 2025 21:04:23.446893930 CET | 50313 | 445 | 192.168.2.5 | 185.1.71.1
Jan 14, 2025 21:04:23.447196007 CET | 50314 | 445 | 192.168.2.5 | 185.1.71.1
Jan 14, 2025 21:04:23.451791048 CET | 445 | 50313 | 185.1.71.1 | 192.168.2.5
Jan 14, 2025 21:04:23.451862097 CET | 50313 | 445 | 192.168.2.5 | 185.1.71.1
Jan 14, 2025 21:04:23.452058077 CET | 445 | 50314 | 185.1.71.1 | 192.168.2.5
Jan 14, 2025 21:04:23.452125072 CET | 50314 | 445 | 192.168.2.5 | 185.1.71.1
Jan 14, 2025 21:04:23.452158928 CET | 50314 | 445 | 192.168.2.5 | 185.1.71.1
Jan 14, 2025 21:04:23.456913948 CET | 445 | 50314 | 185.1.71.1 | 192.168.2.5
Jan 14, 2025 21:04:23.755491972 CET | 445 | 50128 | 146.94.210.1 | 192.168.2.5
Jan 14, 2025 21:04:23.755554914 CET | 50128 | 445 | 192.168.2.5 | 146.94.210.1
Jan 14, 2025 21:04:23.755615950 CET | 50128 | 445 | 192.168.2.5 | 146.94.210.1
Jan 14, 2025 21:04:23.755651951 CET | 50128 | 445 | 192.168.2.5 | 146.94.210.1
Jan 14, 2025 21:04:23.760488033 CET | 445 | 50128 | 146.94.210.1 | 192.168.2.5
Jan 14, 2025 21:04:23.760499001 CET | 445 | 50128 | 146.94.210.1 | 192.168.2.5
Jan 14, 2025 21:04:23.804713964 CET | 445 | 50129 | 133.222.94.1 | 192.168.2.5
Jan 14, 2025 21:04:23.804779053 CET | 50129 | 445 | 192.168.2.5 | 133.222.94.1
Jan 14, 2025 21:04:23.804996014 CET | 50129 | 445 | 192.168.2.5 | 133.222.94.1
Jan 14, 2025 21:04:23.805047035 CET | 50129 | 445 | 192.168.2.5 | 133.222.94.1
Jan 14, 2025 21:04:23.809958935 CET | 445 | 50129 | 133.222.94.1 | 192.168.2.5
Jan 14, 2025 21:04:23.809992075 CET | 445 | 50129 | 133.222.94.1 | 192.168.2.5
Jan 14, 2025 21:04:23.874675989 CET | 50317 | 445 | 192.168.2.5 | 133.222.94.2
Jan 14, 2025 21:04:23.879641056 CET | 445 | 50317 | 133.222.94.2 | 192.168.2.5
Jan 14, 2025 21:04:23.879743099 CET | 50317 | 445 | 192.168.2.5 | 133.222.94.2
Jan 14, 2025 21:04:23.879993916 CET | 50317 | 445 | 192.168.2.5 | 133.222.94.2
Jan 14, 2025 21:04:23.880935907 CET | 50318 | 445 | 192.168.2.5 | 133.222.94.2
Jan 14, 2025 21:04:23.885283947 CET | 445 | 50317 | 133.222.94.2 | 192.168.2.5
Jan 14, 2025 21:04:23.885337114 CET | 50317 | 445 | 192.168.2.5 | 133.222.94.2
Jan 14, 2025 21:04:23.886707067 CET | 445 | 50318 | 133.222.94.2 | 192.168.2.5
Jan 14, 2025 21:04:23.886770010 CET | 50318 | 445 | 192.168.2.5 | 133.222.94.2
Jan 14, 2025 21:04:23.886868000 CET | 50318 | 445 | 192.168.2.5 | 133.222.94.2
Jan 14, 2025 21:04:23.891741037 CET | 445 | 50318 | 133.222.94.2 | 192.168.2.5
Jan 14, 2025 21:04:24.319118977 CET | 50319 | 445 | 192.168.2.5 | 131.217.163.173
Jan 14, 2025 21:04:24.325109005 CET | 445 | 50319 | 131.217.163.173 | 192.168.2.5
Jan 14, 2025 21:04:24.325176954 CET | 50319 | 445 | 192.168.2.5 | 131.217.163.173
Jan 14, 2025 21:04:24.328531981 CET | 50319 | 445 | 192.168.2.5 | 131.217.163.173
Jan 14, 2025 21:04:24.328977108 CET | 50320 | 445 | 192.168.2.5 | 131.217.163.1
Jan 14, 2025 21:04:24.334667921 CET | 445 | 50319 | 131.217.163.173 | 192.168.2.5
Jan 14, 2025 21:04:24.334743023 CET | 50319 | 445 | 192.168.2.5 | 131.217.163.173
Jan 14, 2025 21:04:24.334990978 CET | 445 | 50320 | 131.217.163.1 | 192.168.2.5
Jan 14, 2025 21:04:24.335048914 CET | 50320 | 445 | 192.168.2.5 | 131.217.163.1
Jan 14, 2025 21:04:24.336790085 CET | 50320 | 445 | 192.168.2.5 | 131.217.163.1
Jan 14, 2025 21:04:24.342864037 CET | 445 | 50320 | 131.217.163.1 | 192.168.2.5
Jan 14, 2025 21:04:24.342917919 CET | 50320 | 445 | 192.168.2.5 | 131.217.163.1
Jan 14, 2025 21:04:24.432569981 CET | 50321 | 445 | 192.168.2.5 | 131.217.163.1
Jan 14, 2025 21:04:24.437407017 CET | 445 | 50321 | 131.217.163.1 | 192.168.2.5
Jan 14, 2025 21:04:24.437500000 CET | 50321 | 445 | 192.168.2.5 | 131.217.163.1
Jan 14, 2025 21:04:24.437535048 CET | 50321 | 445 | 192.168.2.5 | 131.217.163.1
Jan 14, 2025 21:04:24.442266941 CET | 445 | 50321 | 131.217.163.1 | 192.168.2.5
Jan 14, 2025 21:04:25.139085054 CET | 50327 | 445 | 192.168.2.5 | 197.14.245.6
Jan 14, 2025 21:04:25.143873930 CET | 445 | 50327 | 197.14.245.6 | 192.168.2.5
Jan 14, 2025 21:04:25.144002914 CET | 50327 | 445 | 192.168.2.5 | 197.14.245.6
Jan 14, 2025 21:04:25.144089937 CET | 50327 | 445 | 192.168.2.5 | 197.14.245.6
Jan 14, 2025 21:04:25.144319057 CET | 50328 | 445 | 192.168.2.5 | 197.14.245.1
Jan 14, 2025 21:04:25.148919106 CET | 445 | 50327 | 197.14.245.6 | 192.168.2.5
Jan 14, 2025 21:04:25.149005890 CET | 50327 | 445 | 192.168.2.5 | 197.14.245.6
Jan 14, 2025 21:04:25.149065018 CET | 445 | 50328 | 197.14.245.1 | 192.168.2.5
Jan 14, 2025 21:04:25.149131060 CET | 50328 | 445 | 192.168.2.5 | 197.14.245.1
Jan 14, 2025 21:04:25.149175882 CET | 50328 | 445 | 192.168.2.5 | 197.14.245.1
Jan 14, 2025 21:04:25.149580956 CET | 50329 | 445 | 192.168.2.5 | 197.14.245.1
Jan 14, 2025 21:04:25.154278994 CET | 445 | 50328 | 197.14.245.1 | 192.168.2.5
Jan 14, 2025 21:04:25.154346943 CET | 50328 | 445 | 192.168.2.5 | 197.14.245.1
Jan 14, 2025 21:04:25.154364109 CET | 445 | 50329 | 197.14.245.1 | 192.168.2.5
Jan 14, 2025 21:04:25.154428005 CET | 50329 | 445 | 192.168.2.5 | 197.14.245.1
Jan 14, 2025 21:04:25.154690027 CET | 50329 | 445 | 192.168.2.5 | 197.14.245.1
Jan 14, 2025 21:04:25.159441948 CET | 445 | 50329 | 197.14.245.1 | 192.168.2.5
Jan 14, 2025 21:04:25.654309034 CET | 50335 | 445 | 192.168.2.5 | 42.129.113.1
Jan 14, 2025 21:04:25.659626007 CET | 445 | 50335 | 42.129.113.1 | 192.168.2.5
Jan 14, 2025 21:04:25.663198948 CET | 50335 | 445 | 192.168.2.5 | 42.129.113.1
Jan 14, 2025 21:04:25.663228989 CET | 50335 | 445 | 192.168.2.5 | 42.129.113.1
Jan 14, 2025 21:04:25.668361902 CET | 445 | 50335 | 42.129.113.1 | 192.168.2.5
Jan 14, 2025 21:04:25.769470930 CET | 445 | 50145 | 165.250.181.1 | 192.168.2.5
Jan 14, 2025 21:04:25.769571066 CET | 50145 | 445 | 192.168.2.5 | 165.250.181.1
Jan 14, 2025 21:04:25.769597054 CET | 50145 | 445 | 192.168.2.5 | 165.250.181.1
Jan 14, 2025 21:04:25.769646883 CET | 50145 | 445 | 192.168.2.5 | 165.250.181.1
Jan 14, 2025 21:04:25.774631023 CET | 445 | 50145 | 165.250.181.1 | 192.168.2.5
Jan 14, 2025 21:04:25.774774075 CET | 445 | 50145 | 165.250.181.1 | 192.168.2.5
Jan 14, 2025 21:04:25.837863922 CET | 445 | 50147 | 185.24.227.1 | 192.168.2.5
Jan 14, 2025 21:04:25.837965965 CET | 50147 | 445 | 192.168.2.5 | 185.24.227.1
Jan 14, 2025 21:04:25.838022947 CET | 50147 | 445 | 192.168.2.5 | 185.24.227.1
Jan 14, 2025 21:04:25.838109016 CET | 50147 | 445 | 192.168.2.5 | 185.24.227.1
Jan 14, 2025 21:04:25.844991922 CET | 445 | 50147 | 185.24.227.1 | 192.168.2.5
Jan 14, 2025 21:04:25.845006943 CET | 445 | 50147 | 185.24.227.1 | 192.168.2.5
Jan 14, 2025 21:04:25.904618979 CET | 50336 | 445 | 192.168.2.5 | 185.24.227.2
Jan 14, 2025 21:04:25.904885054 CET | 50337 | 445 | 192.168.2.5 | 128.29.176.167
Jan 14, 2025 21:04:25.911186934 CET | 445 | 50336 | 185.24.227.2 | 192.168.2.5
Jan 14, 2025 21:04:25.911216021 CET | 445 | 50337 | 128.29.176.167 | 192.168.2.5
Jan 14, 2025 21:04:25.911281109 CET | 50336 | 445 | 192.168.2.5 | 185.24.227.2
Jan 14, 2025 21:04:25.911307096 CET | 50337 | 445 | 192.168.2.5 | 128.29.176.167
Jan 14, 2025 21:04:25.911416054 CET | 50336 | 445 | 192.168.2.5 | 185.24.227.2
Jan 14, 2025 21:04:25.911557913 CET | 50337 | 445 | 192.168.2.5 | 128.29.176.167
Jan 14, 2025 21:04:25.911725044 CET | 50338 | 445 | 192.168.2.5 | 128.29.176.1
Jan 14, 2025 21:04:25.911919117 CET | 50339 | 445 | 192.168.2.5 | 185.24.227.2
Jan 14, 2025 21:04:25.916291952 CET | 445 | 50336 | 185.24.227.2 | 192.168.2.5
Jan 14, 2025 21:04:25.916424990 CET | 445 | 50336 | 185.24.227.2 | 192.168.2.5
Jan 14, 2025 21:04:25.916475058 CET | 50336 | 445 | 192.168.2.5 | 185.24.227.2
Jan 14, 2025 21:04:25.916505098 CET | 445 | 50338 | 128.29.176.1 | 192.168.2.5
Jan 14, 2025 21:04:25.916517019 CET | 445 | 50337 | 128.29.176.167 | 192.168.2.5
Jan 14, 2025 21:04:25.916575909 CET | 50337 | 445 | 192.168.2.5 | 128.29.176.167
Jan 14, 2025 21:04:25.916661978 CET | 50338 | 445 | 192.168.2.5 | 128.29.176.1
Jan 14, 2025 21:04:25.916661978 CET | 50338 | 445 | 192.168.2.5 | 128.29.176.1
Jan 14, 2025 21:04:25.916702032 CET | 445 | 50339 | 185.24.227.2 | 192.168.2.5
Jan 14, 2025 21:04:25.916861057 CET | 50339 | 445 | 192.168.2.5 | 185.24.227.2
Jan 14, 2025 21:04:25.916861057 CET | 50339 | 445 | 192.168.2.5 | 185.24.227.2
                                                Jan 14, 2025 21:04:25.917033911 CET50340445192.168.2.5128.29.176.1
                                                Jan 14, 2025 21:04:25.923382044 CET44550338128.29.176.1192.168.2.5
                                                Jan 14, 2025 21:04:25.923440933 CET50338445192.168.2.5128.29.176.1
                                                Jan 14, 2025 21:04:25.924351931 CET44550339185.24.227.2192.168.2.5
                                                Jan 14, 2025 21:04:25.924369097 CET44550340128.29.176.1192.168.2.5
                                                Jan 14, 2025 21:04:25.924427032 CET50340445192.168.2.5128.29.176.1
                                                Jan 14, 2025 21:04:25.924458027 CET50340445192.168.2.5128.29.176.1
                                                Jan 14, 2025 21:04:25.930938959 CET44550340128.29.176.1192.168.2.5
                                                Jan 14, 2025 21:04:26.765175104 CET50347445192.168.2.5146.94.210.1
                                                Jan 14, 2025 21:04:26.770034075 CET44550347146.94.210.1192.168.2.5
                                                Jan 14, 2025 21:04:26.770121098 CET50347445192.168.2.5146.94.210.1
                                                Jan 14, 2025 21:04:26.770147085 CET50347445192.168.2.5146.94.210.1
                                                Jan 14, 2025 21:04:26.774909973 CET44550347146.94.210.1192.168.2.5
                                                Jan 14, 2025 21:04:27.753793955 CET44550161194.41.210.1192.168.2.5
                                                Jan 14, 2025 21:04:27.755178928 CET50161445192.168.2.5194.41.210.1
                                                Jan 14, 2025 21:04:27.755222082 CET50161445192.168.2.5194.41.210.1
                                                Jan 14, 2025 21:04:27.755280972 CET50161445192.168.2.5194.41.210.1
                                                Jan 14, 2025 21:04:27.760242939 CET44550161194.41.210.1192.168.2.5
                                                Jan 14, 2025 21:04:27.760360956 CET44550161194.41.210.1192.168.2.5
                                                Jan 14, 2025 21:04:28.036813974 CET445501652.240.171.1192.168.2.5
                                                Jan 14, 2025 21:04:28.040874958 CET50165445192.168.2.52.240.171.1
                                                Jan 14, 2025 21:04:28.040957928 CET50165445192.168.2.52.240.171.1
                                                Jan 14, 2025 21:04:28.041014910 CET50165445192.168.2.52.240.171.1
                                                Jan 14, 2025 21:04:28.045762062 CET445501652.240.171.1192.168.2.5
                                                Jan 14, 2025 21:04:28.045829058 CET445501652.240.171.1192.168.2.5
                                                Jan 14, 2025 21:04:28.110297918 CET50361445192.168.2.52.240.171.2
                                                Jan 14, 2025 21:04:28.115183115 CET445503612.240.171.2192.168.2.5
                                                Jan 14, 2025 21:04:28.116894960 CET50361445192.168.2.52.240.171.2
                                                Jan 14, 2025 21:04:28.116961956 CET50361445192.168.2.52.240.171.2
                                                Jan 14, 2025 21:04:28.117422104 CET50362445192.168.2.52.240.171.2
                                                Jan 14, 2025 21:04:28.121895075 CET445503612.240.171.2192.168.2.5
                                                Jan 14, 2025 21:04:28.121962070 CET50361445192.168.2.52.240.171.2
                                                Jan 14, 2025 21:04:28.122200966 CET445503622.240.171.2192.168.2.5
                                                Jan 14, 2025 21:04:28.122261047 CET50362445192.168.2.52.240.171.2
                                                Jan 14, 2025 21:04:28.122303963 CET50362445192.168.2.52.240.171.2
                                                Jan 14, 2025 21:04:28.127065897 CET445503622.240.171.2192.168.2.5
                                                Jan 14, 2025 21:04:28.779571056 CET50365445192.168.2.5165.250.181.1
                                                Jan 14, 2025 21:04:28.784496069 CET44550365165.250.181.1192.168.2.5
                                                Jan 14, 2025 21:04:28.784569979 CET50365445192.168.2.5165.250.181.1
                                                Jan 14, 2025 21:04:28.784615040 CET50365445192.168.2.5165.250.181.1
                                                Jan 14, 2025 21:04:28.789398909 CET44550365165.250.181.1192.168.2.5
                                                Jan 14, 2025 21:04:29.789206982 CET44550178204.215.189.1192.168.2.5
                                                Jan 14, 2025 21:04:29.789345980 CET50178445192.168.2.5204.215.189.1
                                                Jan 14, 2025 21:04:29.792488098 CET50178445192.168.2.5204.215.189.1
                                                Jan 14, 2025 21:04:29.792572021 CET50178445192.168.2.5204.215.189.1
                                                Jan 14, 2025 21:04:29.797245979 CET44550178204.215.189.1192.168.2.5
                                                Jan 14, 2025 21:04:29.797264099 CET44550178204.215.189.1192.168.2.5
                                                Jan 14, 2025 21:04:30.003983021 CET44550181160.40.25.1192.168.2.5
                                                Jan 14, 2025 21:04:30.004045010 CET50181445192.168.2.5160.40.25.1
                                                Jan 14, 2025 21:04:30.004092932 CET50181445192.168.2.5160.40.25.1
                                                Jan 14, 2025 21:04:30.004152060 CET50181445192.168.2.5160.40.25.1
                                                Jan 14, 2025 21:04:30.008830070 CET44550181160.40.25.1192.168.2.5
                                                Jan 14, 2025 21:04:30.008908033 CET44550181160.40.25.1192.168.2.5
                                                Jan 14, 2025 21:04:30.064002991 CET50373445192.168.2.5160.40.25.2
                                                Jan 14, 2025 21:04:30.068895102 CET44550373160.40.25.2192.168.2.5
                                                Jan 14, 2025 21:04:30.068958044 CET50373445192.168.2.5160.40.25.2
                                                Jan 14, 2025 21:04:30.069789886 CET50373445192.168.2.5160.40.25.2
                                                Jan 14, 2025 21:04:30.071958065 CET50375445192.168.2.5160.40.25.2
                                                Jan 14, 2025 21:04:30.074634075 CET44550373160.40.25.2192.168.2.5
                                                Jan 14, 2025 21:04:30.074686050 CET50373445192.168.2.5160.40.25.2
                                                Jan 14, 2025 21:04:30.076775074 CET44550375160.40.25.2192.168.2.5
                                                Jan 14, 2025 21:04:30.076833963 CET50375445192.168.2.5160.40.25.2
                                                Jan 14, 2025 21:04:30.077681065 CET50375445192.168.2.5160.40.25.2
                                                Jan 14, 2025 21:04:30.082525969 CET44550375160.40.25.2192.168.2.5
                                                Jan 14, 2025 21:04:30.763792038 CET50382445192.168.2.5194.41.210.1
                                                Jan 14, 2025 21:04:30.768754959 CET44550382194.41.210.1192.168.2.5
                                                Jan 14, 2025 21:04:30.768857002 CET50382445192.168.2.5194.41.210.1
                                                Jan 14, 2025 21:04:30.768934965 CET50382445192.168.2.5194.41.210.1
                                                Jan 14, 2025 21:04:30.773730993 CET44550382194.41.210.1192.168.2.5
                                                Jan 14, 2025 21:04:31.675805092 CET4455019496.109.54.1192.168.2.5
                                                Jan 14, 2025 21:04:31.675915003 CET50194445192.168.2.596.109.54.1
                                                Jan 14, 2025 21:04:31.675967932 CET50194445192.168.2.596.109.54.1
                                                Jan 14, 2025 21:04:31.676343918 CET50194445192.168.2.596.109.54.1
                                                Jan 14, 2025 21:04:31.680731058 CET4455019496.109.54.1192.168.2.5
                                                Jan 14, 2025 21:04:31.681080103 CET4455019496.109.54.1192.168.2.5
                                                Jan 14, 2025 21:04:32.025346041 CET4455019576.35.66.1192.168.2.5
                                                Jan 14, 2025 21:04:32.025562048 CET50195445192.168.2.576.35.66.1
                                                Jan 14, 2025 21:04:32.025629997 CET50195445192.168.2.576.35.66.1
                                                Jan 14, 2025 21:04:32.025666952 CET50195445192.168.2.576.35.66.1
                                                Jan 14, 2025 21:04:32.030354023 CET4455019576.35.66.1192.168.2.5
                                                Jan 14, 2025 21:04:32.030422926 CET4455019576.35.66.1192.168.2.5
                                                Jan 14, 2025 21:04:32.091801882 CET50396445192.168.2.576.35.66.2
                                                Jan 14, 2025 21:04:32.096630096 CET4455039676.35.66.2192.168.2.5
                                                Jan 14, 2025 21:04:32.096738100 CET50396445192.168.2.576.35.66.2
                                                Jan 14, 2025 21:04:32.096788883 CET50396445192.168.2.576.35.66.2
                                                Jan 14, 2025 21:04:32.097136021 CET50397445192.168.2.576.35.66.2
                                                Jan 14, 2025 21:04:32.101782084 CET4455039676.35.66.2192.168.2.5
                                                Jan 14, 2025 21:04:32.101843119 CET50396445192.168.2.576.35.66.2
                                                Jan 14, 2025 21:04:32.101888895 CET4455039776.35.66.2192.168.2.5
                                                Jan 14, 2025 21:04:32.101948023 CET50397445192.168.2.576.35.66.2
                                                Jan 14, 2025 21:04:32.101989031 CET50397445192.168.2.576.35.66.2
                                                Jan 14, 2025 21:04:32.106735945 CET4455039776.35.66.2192.168.2.5
                                                Jan 14, 2025 21:04:32.799155951 CET50406445192.168.2.5204.215.189.1
                                                Jan 14, 2025 21:04:32.803947926 CET44550406204.215.189.1192.168.2.5
                                                Jan 14, 2025 21:04:32.804034948 CET50406445192.168.2.5204.215.189.1
                                                Jan 14, 2025 21:04:32.804071903 CET50406445192.168.2.5204.215.189.1
                                                Jan 14, 2025 21:04:32.808794975 CET44550406204.215.189.1192.168.2.5
                                                Jan 14, 2025 21:04:33.394820929 CET4455020734.226.78.1192.168.2.5
                                                Jan 14, 2025 21:04:33.394922018 CET50207445192.168.2.534.226.78.1
                                                Jan 14, 2025 21:04:33.394972086 CET50207445192.168.2.534.226.78.1
                                                Jan 14, 2025 21:04:33.395020962 CET50207445192.168.2.534.226.78.1
                                                Jan 14, 2025 21:04:33.399753094 CET4455020734.226.78.1192.168.2.5
                                                Jan 14, 2025 21:04:33.399806023 CET4455020734.226.78.1192.168.2.5
                                                Jan 14, 2025 21:04:34.254703045 CET44550213131.113.135.1192.168.2.5
                                                Jan 14, 2025 21:04:34.254796982 CET50213445192.168.2.5131.113.135.1
                                                Jan 14, 2025 21:04:34.254839897 CET50213445192.168.2.5131.113.135.1
                                                Jan 14, 2025 21:04:34.254880905 CET50213445192.168.2.5131.113.135.1
                                                Jan 14, 2025 21:04:34.259656906 CET44550213131.113.135.1192.168.2.5
                                                Jan 14, 2025 21:04:34.259711027 CET44550213131.113.135.1192.168.2.5
                                                Jan 14, 2025 21:04:34.311113119 CET50436445192.168.2.5131.113.135.2
                                                Jan 14, 2025 21:04:34.407625914 CET44550436131.113.135.2192.168.2.5
                                                Jan 14, 2025 21:04:34.407756090 CET50436445192.168.2.5131.113.135.2
                                                Jan 14, 2025 21:04:34.407892942 CET50436445192.168.2.5131.113.135.2
                                                Jan 14, 2025 21:04:34.408319950 CET50437445192.168.2.5131.113.135.2
                                                Jan 14, 2025 21:04:34.413983107 CET44550437131.113.135.2192.168.2.5
                                                Jan 14, 2025 21:04:34.414067030 CET50437445192.168.2.5131.113.135.2
                                                Jan 14, 2025 21:04:34.414103031 CET44550436131.113.135.2192.168.2.5
                                                Jan 14, 2025 21:04:34.414113045 CET50437445192.168.2.5131.113.135.2
                                                Jan 14, 2025 21:04:34.414149046 CET50436445192.168.2.5131.113.135.2
                                                Jan 14, 2025 21:04:34.418862104 CET44550437131.113.135.2192.168.2.5
                                                Jan 14, 2025 21:04:34.685713053 CET50444445192.168.2.596.109.54.1
                                                Jan 14, 2025 21:04:34.691082001 CET4455044496.109.54.1192.168.2.5
                                                Jan 14, 2025 21:04:34.691180944 CET50444445192.168.2.596.109.54.1
                                                Jan 14, 2025 21:04:34.691200972 CET50444445192.168.2.596.109.54.1
                                                Jan 14, 2025 21:04:34.696074963 CET4455044496.109.54.1192.168.2.5
                                                Jan 14, 2025 21:04:35.035370111 CET4455022162.93.61.1192.168.2.5
                                                Jan 14, 2025 21:04:35.035516977 CET50221445192.168.2.562.93.61.1
                                                Jan 14, 2025 21:04:35.035543919 CET50221445192.168.2.562.93.61.1
                                                Jan 14, 2025 21:04:35.035609961 CET50221445192.168.2.562.93.61.1
                                                Jan 14, 2025 21:04:35.040494919 CET4455022162.93.61.1192.168.2.5
                                                Jan 14, 2025 21:04:35.040558100 CET4455022162.93.61.1192.168.2.5
                                                Jan 14, 2025 21:04:36.006702900 CET4455022835.61.65.1192.168.2.5
                                                Jan 14, 2025 21:04:36.006778955 CET50228445192.168.2.535.61.65.1
                                                Jan 14, 2025 21:04:36.006845951 CET50228445192.168.2.535.61.65.1
                                                Jan 14, 2025 21:04:36.006896973 CET50228445192.168.2.535.61.65.1
                                                Jan 14, 2025 21:04:36.012609005 CET4455022835.61.65.1192.168.2.5
                                                Jan 14, 2025 21:04:36.012639999 CET4455022835.61.65.1192.168.2.5
                                                Jan 14, 2025 21:04:36.060578108 CET50488445192.168.2.535.61.65.2
                                                Jan 14, 2025 21:04:36.066373110 CET4455048835.61.65.2192.168.2.5
                                                Jan 14, 2025 21:04:36.066456079 CET50488445192.168.2.535.61.65.2
                                                Jan 14, 2025 21:04:36.066543102 CET50488445192.168.2.535.61.65.2
                                                Jan 14, 2025 21:04:36.066837072 CET50489445192.168.2.535.61.65.2
                                                Jan 14, 2025 21:04:36.072459936 CET4455048835.61.65.2192.168.2.5
                                                Jan 14, 2025 21:04:36.072545052 CET50488445192.168.2.535.61.65.2
                                                Jan 14, 2025 21:04:36.072675943 CET4455048935.61.65.2192.168.2.5
                                                Jan 14, 2025 21:04:36.072773933 CET50489445192.168.2.535.61.65.2
                                                Jan 14, 2025 21:04:36.072906017 CET50489445192.168.2.535.61.65.2
                                                Jan 14, 2025 21:04:36.079608917 CET4455048935.61.65.2192.168.2.5
                                                Jan 14, 2025 21:04:36.404602051 CET50506445192.168.2.534.226.78.1
                                                Jan 14, 2025 21:04:36.410557032 CET4455050634.226.78.1192.168.2.5
                                                Jan 14, 2025 21:04:36.410748005 CET50506445192.168.2.534.226.78.1
                                                Jan 14, 2025 21:04:36.410892963 CET50506445192.168.2.534.226.78.1
                                                Jan 14, 2025 21:04:36.416663885 CET4455050634.226.78.1192.168.2.5
                                                Jan 14, 2025 21:04:36.585709095 CET44550235141.56.77.1192.168.2.5
                                                Jan 14, 2025 21:04:36.585823059 CET50235445192.168.2.5141.56.77.1
                                                Jan 14, 2025 21:04:36.585881948 CET50235445192.168.2.5141.56.77.1
                                                Jan 14, 2025 21:04:36.585923910 CET50235445192.168.2.5141.56.77.1
                                                Jan 14, 2025 21:04:36.594249964 CET44550235141.56.77.1192.168.2.5
                                                Jan 14, 2025 21:04:36.594261885 CET44550235141.56.77.1192.168.2.5
                                                Jan 14, 2025 21:04:37.990421057 CET44550245172.73.100.1192.168.2.5
                                                Jan 14, 2025 21:04:37.990508080 CET50245445192.168.2.5172.73.100.1
                                                Jan 14, 2025 21:04:38.055159092 CET44550246114.118.212.1192.168.2.5
                                                Jan 14, 2025 21:04:38.055218935 CET50246445192.168.2.5114.118.212.1
                                                Jan 14, 2025 21:04:38.830076933 CET50275445192.168.2.5135.71.100.2
                                                Jan 14, 2025 21:04:38.830197096 CET50437445192.168.2.5131.113.135.2
                                                Jan 14, 2025 21:04:38.830234051 CET50362445192.168.2.52.240.171.2
                                                Jan 14, 2025 21:04:38.830260992 CET50318445192.168.2.5133.222.94.2
                                                Jan 14, 2025 21:04:38.830353975 CET50245445192.168.2.5172.73.100.1
                                                Jan 14, 2025 21:04:38.830379009 CET50246445192.168.2.5114.118.212.1
                                                Jan 14, 2025 21:04:38.830404043 CET50258445192.168.2.592.187.212.1
                                                Jan 14, 2025 21:04:38.830435991 CET50264445192.168.2.528.125.169.1
                                                Jan 14, 2025 21:04:38.830519915 CET50271445192.168.2.5184.102.23.1
                                                Jan 14, 2025 21:04:38.830527067 CET50282445192.168.2.5207.58.177.1
                                                Jan 14, 2025 21:04:38.830528975 CET50286445192.168.2.594.64.50.1
                                                Jan 14, 2025 21:04:38.830591917 CET50291445192.168.2.5114.238.159.1
                                                Jan 14, 2025 21:04:38.830609083 CET50306445192.168.2.5179.12.193.1
                                                Jan 14, 2025 21:04:38.830630064 CET50299445192.168.2.5183.211.102.1
                                                Jan 14, 2025 21:04:38.830656052 CET50314445192.168.2.5185.1.71.1
                                                Jan 14, 2025 21:04:38.830671072 CET50307445192.168.2.5162.139.80.2
                                                Jan 14, 2025 21:04:38.830699921 CET50321445192.168.2.5131.217.163.1
                                                Jan 14, 2025 21:04:38.830753088 CET50335445192.168.2.542.129.113.1
                                                Jan 14, 2025 21:04:38.830758095 CET50329445192.168.2.5197.14.245.1
                                                Jan 14, 2025 21:04:38.830771923 CET50339445192.168.2.5185.24.227.2
                                                Jan 14, 2025 21:04:38.830797911 CET50340445192.168.2.5128.29.176.1
                                                Jan 14, 2025 21:04:38.830818892 CET50347445192.168.2.5146.94.210.1
                                                Jan 14, 2025 21:04:38.830848932 CET50375445192.168.2.5160.40.25.2
                                                Jan 14, 2025 21:04:38.830913067 CET50365445192.168.2.5165.250.181.1
                                                Jan 14, 2025 21:04:38.830931902 CET50382445192.168.2.5194.41.210.1
                                                Jan 14, 2025 21:04:38.830960989 CET50406445192.168.2.5204.215.189.1
                                                Jan 14, 2025 21:04:38.830985069 CET50397445192.168.2.576.35.66.2
                                                Jan 14, 2025 21:04:38.831022024 CET50444445192.168.2.596.109.54.1
                                                Jan 14, 2025 21:04:38.831073046 CET50506445192.168.2.534.226.78.1
                                                Jan 14, 2025 21:04:38.831151009 CET50489445192.168.2.535.61.65.2
                                                Jan 14, 2025 21:05:38.884409904 CET5061480192.168.2.5103.224.212.215
                                                Jan 14, 2025 21:05:38.889245033 CET8050614103.224.212.215192.168.2.5
                                                Jan 14, 2025 21:05:38.889326096 CET5061480192.168.2.5103.224.212.215
                                                Jan 14, 2025 21:05:38.893014908 CET5061480192.168.2.5103.224.212.215
                                                Jan 14, 2025 21:05:38.897794962 CET8050614103.224.212.215192.168.2.5
                                                Jan 14, 2025 21:05:39.497503996 CET8050614103.224.212.215192.168.2.5
                                                Jan 14, 2025 21:05:39.497572899 CET5061480192.168.2.5103.224.212.215
                                                Jan 14, 2025 21:05:39.497607946 CET8050614103.224.212.215192.168.2.5
                                                Jan 14, 2025 21:05:39.497653008 CET5061480192.168.2.5103.224.212.215
                                                Jan 14, 2025 21:05:39.500302076 CET5061480192.168.2.5103.224.212.215
                                                Jan 14, 2025 21:05:39.501585007 CET5061580192.168.2.5199.59.243.228
                                                Jan 14, 2025 21:05:39.505073071 CET8050614103.224.212.215192.168.2.5
                                                Jan 14, 2025 21:05:39.506459951 CET8050615199.59.243.228192.168.2.5
                                                Jan 14, 2025 21:05:39.506558895 CET5061580192.168.2.5199.59.243.228
                                                Jan 14, 2025 21:05:39.506653070 CET5061580192.168.2.5199.59.243.228
                                                Jan 14, 2025 21:05:39.511478901 CET8050615199.59.243.228192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 14, 2025 21:03:30.986998081 CET | 57178 | 53 | 192.168.2.5 | 1.1.1.1
Jan 14, 2025 21:03:31.292540073 CET | 53 | 57178 | 1.1.1.1 | 192.168.2.5
Jan 14, 2025 21:03:31.896061897 CET | 58459 | 53 | 192.168.2.5 | 1.1.1.1
Jan 14, 2025 21:03:32.296783924 CET | 53 | 58459 | 1.1.1.1 | 192.168.2.5
Jan 14, 2025 21:03:45.379348993 CET | 137 | 137 | 192.168.2.5 | 192.168.2.255
Jan 14, 2025 21:03:46.122761965 CET | 137 | 137 | 192.168.2.5 | 192.168.2.255
Jan 14, 2025 21:03:46.888365030 CET | 137 | 137 | 192.168.2.5 | 192.168.2.255
Jan 14, 2025 21:03:53.229017973 CET | 137 | 137 | 192.168.2.5 | 192.168.2.255
Jan 14, 2025 21:03:53.982120991 CET | 137 | 137 | 192.168.2.5 | 192.168.2.255
Jan 14, 2025 21:03:54.747746944 CET | 137 | 137 | 192.168.2.5 | 192.168.2.255
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 14, 2025 21:03:30.986998081 CET | 192.168.2.5 | 1.1.1.1 | 0x7a8f | Standard query (0) | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | A (IP address) | IN (0x0001) | false
Jan 14, 2025 21:03:31.896061897 CET | 192.168.2.5 | 1.1.1.1 | 0x3bdc | Standard query (0) | ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 14, 2025 21:03:31.292540073 CET | 1.1.1.1 | 192.168.2.5 | 0x7a8f | No error (0) | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | | 103.224.212.215 | A (IP address) | IN (0x0001) | false
Jan 14, 2025 21:03:32.296783924 CET | 1.1.1.1 | 192.168.2.5 | 0x3bdc | No error (0) | ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | 77026.bodis.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 14, 2025 21:03:32.296783924 CET | 1.1.1.1 | 192.168.2.5 | 0x3bdc | No error (0) | 77026.bodis.com | | 199.59.243.228 | A (IP address) | IN (0x0001) | false

• www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
• ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 103.224.212.215 | 80 | 4832 | C:\Windows\mssecsvr.exe

Timestamp | Bytes transferred | Direction | Data
Jan 14, 2025 21:03:31.304311037 CET | 100 | OUT | GET / HTTP/1.1
Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Cache-Control: no-cache
Jan 14, 2025 21:03:31.891025066 CET | 365 | IN | HTTP/1.1 302 Found
date: Tue, 14 Jan 2025 20:03:31 GMT
server: Apache
set-cookie: __tad=1736885011.1575354; expires=Fri, 12-Jan-2035 20:03:31 GMT; Max-Age=315360000
location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-312f-890a-41fa0d8d0e72
content-length: 2
content-type: text/html; charset=UTF-8
connection: close
Data Raw: 0a 0a
Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49705 | 199.59.243.228 | 80 | 4832 | C:\Windows\mssecsvr.exe

Timestamp | Bytes transferred | Direction | Data
Jan 14, 2025 21:03:32.302917004 CET | 169 | OUT | GET /?subid1=20250115-0703-312f-890a-41fa0d8d0e72 HTTP/1.1
Cache-Control: no-cache
Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Connection: Keep-Alive
Jan 14, 2025 21:03:32.756167889 CET | 1236 | IN | HTTP/1.1 200 OK
date: Tue, 14 Jan 2025 20:03:32 GMT
content-type: text/html; charset=utf-8
content-length: 1262
x-request-id: a95eefa5-1fa4-4707-a8db-f9d18c124d8c
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_ueEqTjsal6nWT9I6K4bLnl4LG1k2QJnO2S6s8MEvqdx6FArrz5F31qbj86iRV2snvMZ4jHyp5nHvGMo/gkqjrA==
set-cookie: parking_session=a95eefa5-1fa4-4707-a8db-f9d18c124d8c; expires=Tue, 14 Jan 2025 20:18:32 GMT; path=/
                                                Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 75 65 45 71 54 6a 73 61 6c 36 6e 57 54 39 49 36 4b 34 62 4c 6e 6c 34 4c 47 31 6b 32 51 4a 6e 4f 32 53 36 73 38 4d 45 76 71 64 78 36 46 41 72 72 7a 35 46 33 31 71 62 6a 38 36 69 52 56 32 73 6e 76 4d 5a 34 6a 48 79 70 35 6e 48 76 47 4d 6f 2f 67 6b 71 6a 72 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_ueEqTjsal6nWT9I6K4bLnl4LG1k2QJnO2S6s8MEvqdx6FArrz5F31qbj86iRV2snvMZ4jHyp5nHvGMo/gkqjrA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
                                                Jan 14, 2025 21:03:32.756186008 CET | 696 | IN | Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65
                                                Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYTk1ZWVmYTUtMWZhNC00NzA3LWE4ZGItZjlkMThjMTI0ZDhjIiwicGFnZV90aW1lIjoxNzM2ODg1MDEyLCJwYWdlX3VybCI6I


                                                Session ID: 2 | Source: 192.168.2.5:49706 | Destination: 103.224.212.215:80 | PID: 1172 | Process: C:\Windows\mssecsvr.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Jan 14, 2025 21:03:32.883703947 CET | 100 | OUT | GET / HTTP/1.1
                                                Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
                                                Cache-Control: no-cache
                                                Jan 14, 2025 21:03:33.492301941 CET | 365 | IN | HTTP/1.1 302 Found
                                                date: Tue, 14 Jan 2025 20:03:33 GMT
                                                server: Apache
                                                set-cookie: __tad=1736885013.6451044; expires=Fri, 12-Jan-2035 20:03:33 GMT; Max-Age=315360000
                                                location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-3312-aefe-653e09ef051d
                                                content-length: 2
                                                content-type: text/html; charset=UTF-8
                                                connection: close
                                                Data Raw: 0a 0a
                                                Data Ascii:


                                                Session ID: 3 | Source: 192.168.2.5:49707 | Destination: 199.59.243.228:80 | PID: 1172 | Process: C:\Windows\mssecsvr.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Jan 14, 2025 21:03:33.507039070 CET | 169 | OUT | GET /?subid1=20250115-0703-3312-aefe-653e09ef051d HTTP/1.1
                                                Cache-Control: no-cache
                                                Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
                                                Connection: Keep-Alive
                                                Jan 14, 2025 21:03:33.970993996 CET | 1236 | IN | HTTP/1.1 200 OK
                                                date: Tue, 14 Jan 2025 20:03:33 GMT
                                                content-type: text/html; charset=utf-8
                                                content-length: 1262
                                                x-request-id: 1b552dfd-00c2-4498-b795-b004aca9d862
                                                cache-control: no-store, max-age=0
                                                accept-ch: sec-ch-prefers-color-scheme
                                                critical-ch: sec-ch-prefers-color-scheme
                                                vary: sec-ch-prefers-color-scheme
                                                x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_r7m1muzUIpXtZEUEmbLCogsr62ykkrFl3ZUDq3KncEFaL3g1RiUFN4QslCefVoNCUX4xRZU+mMESNgmYklqL0w==
                                                set-cookie: parking_session=1b552dfd-00c2-4498-b795-b004aca9d862; expires=Tue, 14 Jan 2025 20:18:33 GMT; path=/
                                                Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 72 37 6d 31 6d 75 7a 55 49 70 58 74 5a 45 55 45 6d 62 4c 43 6f 67 73 72 36 32 79 6b 6b 72 46 6c 33 5a 55 44 71 33 4b 6e 63 45 46 61 4c 33 67 31 52 69 55 46 4e 34 51 73 6c 43 65 66 56 6f 4e 43 55 58 34 78 52 5a 55 2b 6d 4d 45 53 4e 67 6d 59 6b 6c 71 4c 30 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_r7m1muzUIpXtZEUEmbLCogsr62ykkrFl3ZUDq3KncEFaL3g1RiUFN4QslCefVoNCUX4xRZU+mMESNgmYklqL0w==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
                                                Jan 14, 2025 21:03:33.971010923 CET | 696 | IN | Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65
                                                Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMWI1NTJkZmQtMDBjMi00NDk4LWI3OTUtYjAwNGFjYTlkODYyIiwicGFnZV90aW1lIjoxNzM2ODg1MDEzLCJwYWdlX3VybCI6I


                                                Session ID: 4 | Source: 192.168.2.5:49708 | Destination: 103.224.212.215:80 | PID: 3176 | Process: C:\Windows\mssecsvr.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Jan 14, 2025 21:03:33.899924040 CET | 134 | OUT | GET / HTTP/1.1
                                                Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
                                                Cache-Control: no-cache
                                                Cookie: __tad=1736885011.1575354
                                                Jan 14, 2025 21:03:34.504657984 CET | 269 | IN | HTTP/1.1 302 Found
                                                date: Tue, 14 Jan 2025 20:03:34 GMT
                                                server: Apache
                                                location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-347d-85b7-a8856e518b6d
                                                content-length: 2
                                                content-type: text/html; charset=UTF-8
                                                connection: close
                                                Data Raw: 0a 0a
                                                Data Ascii:


                                                Session ID: 5 | Source: 192.168.2.5:49721 | Destination: 199.59.243.228:80 | PID: 3176 | Process: C:\Windows\mssecsvr.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Jan 14, 2025 21:03:34.515021086 CET | 231 | OUT | GET /?subid1=20250115-0703-347d-85b7-a8856e518b6d HTTP/1.1
                                                Cache-Control: no-cache
                                                Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
                                                Connection: Keep-Alive
                                                Cookie: parking_session=a95eefa5-1fa4-4707-a8db-f9d18c124d8c
                                                Jan 14, 2025 21:03:34.988173008 CET | 1236 | IN | HTTP/1.1 200 OK
                                                date: Tue, 14 Jan 2025 20:03:34 GMT
                                                content-type: text/html; charset=utf-8
                                                content-length: 1262
                                                x-request-id: d7310a90-b393-4a45-b77f-a7ae66bc5be8
                                                cache-control: no-store, max-age=0
                                                accept-ch: sec-ch-prefers-color-scheme
                                                critical-ch: sec-ch-prefers-color-scheme
                                                vary: sec-ch-prefers-color-scheme
                                                x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_b9UsJldHW3ZOjZqfXnketC9P+B5JFNjgZwDTmeM9XnOQ8Ply7KOJFJEulHE2+UuwBYPWUXhkR0aCr2wZ3c+I4A==
                                                set-cookie: parking_session=a95eefa5-1fa4-4707-a8db-f9d18c124d8c; expires=Tue, 14 Jan 2025 20:18:34 GMT
                                                Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 62 39 55 73 4a 6c 64 48 57 33 5a 4f 6a 5a 71 66 58 6e 6b 65 74 43 39 50 2b 42 35 4a 46 4e 6a 67 5a 77 44 54 6d 65 4d 39 58 6e 4f 51 38 50 6c 79 37 4b 4f 4a 46 4a 45 75 6c 48 45 32 2b 55 75 77 42 59 50 57 55 58 68 6b 52 30 61 43 72 32 77 5a 33 63 2b 49 34 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_b9UsJldHW3ZOjZqfXnketC9P+B5JFNjgZwDTmeM9XnOQ8Ply7KOJFJEulHE2+UuwBYPWUXhkR0aCr2wZ3c+I4A==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="preconnect
                                                Jan 14, 2025 21:03:34.988190889 CET | 688 | IN | Data Raw: 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 74 22 20 73 74 79 6c 65
                                                Data Ascii: " href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYTk1ZWVmYTUtMWZhNC00NzA3LWE4ZGItZjlkMThjMTI0ZDhjIiwicGFnZV90aW1lIjoxNzM2ODg1MDE0LCJwYWdlX3VybCI6Imh0dHA6L


                                                Session ID: 6 | Source: 192.168.2.5:50614 | Destination: 103.224.212.215:80 | PID: (not attributed) | Process: (not attributed)
                                                Timestamp | Bytes transferred | Direction | Data
                                                Jan 14, 2025 21:05:38.893014908 CET | 100 | OUT | GET / HTTP/1.1
                                                Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
                                                Cache-Control: no-cache
                                                Jan 14, 2025 21:05:39.497503996 CET | 365 | IN | HTTP/1.1 302 Found
                                                date: Tue, 14 Jan 2025 20:05:39 GMT
                                                server: Apache
                                                set-cookie: __tad=1736885139.4094942; expires=Fri, 12-Jan-2035 20:05:39 GMT; Max-Age=315360000
                                                location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0705-398f-94c8-f5d240e73af9
                                                content-length: 2
                                                content-type: text/html; charset=UTF-8
                                                connection: close
                                                Data Raw: 0a 0a
                                                Data Ascii:


                                                Session ID: 7 | Source: 192.168.2.5:50615 | Destination: 199.59.243.228:80 | PID: (not attributed) | Process: (not attributed)
                                                Timestamp | Bytes transferred | Direction | Data
                                                Jan 14, 2025 21:05:39.506653070 CET | 169 | OUT | GET /?subid1=20250115-0705-398f-94c8-f5d240e73af9 HTTP/1.1
                                                Cache-Control: no-cache
                                                Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
                                                Connection: Keep-Alive
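The seven sessions above are the worm's kill-switch lookup: each mssecsvr.exe instance (PIDs 4832, 1172, 3176) fetches http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/, which now resolves to a domain-parking service that answers 302 to the ww25. host and then 200 with a parking page. Any request carrying that Host header is an infection indicator on its own, whatever the server answers. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses request and response text of the form shown, extracts the Host header and status line, and reports each kill-switch contact per PID. Its session strings are constructed from sessions 2, 3 and 7 (bodies dropped, session 7 unattributed as on the page); the www.example.com session with PID 4000 is made up as a negative case.

```python
"""Flag WannaCry kill-switch lookups in captured HTTP traffic (added example).

Not part of the Joe Sandbox report: parses raw HTTP request/response text
like the session dump above, pulls out the Host header and status line, and
reports every contact with the kill-switch domain, per PID, with the status
the server returned. SAMPLE_SESSIONS is constructed from the report.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Domain observed in the capture (the original WannaCry kill switch). Any
# label in front of it (www., ww25.) counts: the 302 redirects stay on it.
KILL_SWITCH_DOMAINS = ("iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com",)


@dataclass(frozen=True)
class HttpRequest:
    method: str
    target: str
    host: str
    headers: dict = field(default_factory=dict)


@dataclass(frozen=True)
class HttpResponse:
    status: int
    headers: dict = field(default_factory=dict)


def _parse_headers(lines: list[str]) -> dict:
    """Header block -> {lower-cased name: value}; stops at the blank line."""
    headers = {}
    for line in lines:
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_request(raw: str) -> HttpRequest:
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = _parse_headers(lines[1:])
    return HttpRequest(method, target, headers.get("host", "").lower(), headers)


def parse_response(raw: str) -> HttpResponse:
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    status = int(lines[0].split(" ", 2)[1])
    return HttpResponse(status, _parse_headers(lines[1:]))


def is_kill_switch_host(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in KILL_SWITCH_DOMAINS)


def kill_switch_contacts(sessions) -> list:
    """sessions: iterable of (pid_or_None, raw_request, raw_response_or_None).

    One finding per request whose Host is the kill-switch domain:
    {"pid", "host", "status"}; status is None when no reply was captured.
    """
    findings = []
    for pid, raw_req, raw_resp in sessions:
        req = parse_request(raw_req)
        if not is_kill_switch_host(req.host):
            continue
        status = parse_response(raw_resp).status if raw_resp else None
        findings.append({"pid": pid, "host": req.host, "status": status})
    return findings


def domain_answered(findings) -> bool:
    """True if any kill-switch request got an HTTP reply at all, which is
    what the worm's InternetOpenUrlA success check would see."""
    return any(f["status"] is not None for f in findings)


# Constructed from sessions 2, 3 and 7 above; the last entry is made up.
SAMPLE_SESSIONS = [
    (1172,
     "GET / HTTP/1.1\r\nHost: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com\r\n"
     "Cache-Control: no-cache\r\n\r\n",
     "HTTP/1.1 302 Found\r\nserver: Apache\r\nlocation: http://ww25."
     "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0703-3312-aefe-653e09ef051d\r\n"
     "content-length: 2\r\n\r\n"),
    (1172,
     "GET /?subid1=20250115-0703-3312-aefe-653e09ef051d HTTP/1.1\r\nCache-Control: no-cache\r\n"
     "Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com\r\nConnection: Keep-Alive\r\n\r\n",
     "HTTP/1.1 200 OK\r\ncontent-type: text/html; charset=utf-8\r\ncontent-length: 1262\r\n\r\n"),
    (None,  # session 7: request only, no PID attributed, no reply captured
     "GET /?subid1=20250115-0705-398f-94c8-f5d240e73af9 HTTP/1.1\r\nCache-Control: no-cache\r\n"
     "Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com\r\nConnection: Keep-Alive\r\n\r\n",
     None),
    (4000,  # unrelated traffic, constructed; must not be flagged
     "GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
     "HTTP/1.1 200 OK\r\n\r\n"),
]

if __name__ == "__main__":
    for finding in kill_switch_contacts(SAMPLE_SESSIONS):
        print(finding)
```

The match is on the Host header rather than on the destination IP, because both IPs in the capture (103.224.212.215, 199.59.243.228) belong to a parking service that hosts many unrelated domains.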



                                                Target ID:0
                                                Start time:15:03:29
                                                Start date:14/01/2025
                                                Path:C:\Windows\System32\loaddll32.exe
                                                Wow64 process (32bit):true
                                                Commandline:loaddll32.exe "C:\Users\user\Desktop\6qqWn6eIGG.dll"
                                                Imagebase:0x360000
                                                File size:126'464 bytes
                                                MD5 hash:51E6071F9CBA48E79F10C84515AAE618
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:1
                                                Start time:15:03:29
                                                Start date:14/01/2025
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:2
                                                Start time:15:03:29
                                                Start date:14/01/2025
                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                Wow64 process (32bit):true
                                                Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6qqWn6eIGG.dll",#1
                                                Imagebase:0x790000
                                                File size:236'544 bytes
                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:3
                                                Start time:15:03:29
                                                Start date:14/01/2025
                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                Wow64 process (32bit):true
                                                Commandline:rundll32.exe C:\Users\user\Desktop\6qqWn6eIGG.dll,PlayGame
                                                Imagebase:0x180000
                                                File size:61'440 bytes
                                                MD5 hash:889B99C52A60DD49227C5E485A016679
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:4
                                                Start time:15:03:29
                                                Start date:14/01/2025
                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                Wow64 process (32bit):true
                                                Commandline:rundll32.exe "C:\Users\user\Desktop\6qqWn6eIGG.dll",#1
                                                Imagebase:0x180000
                                                File size:61'440 bytes
                                                MD5 hash:889B99C52A60DD49227C5E485A016679
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:5
                                                Start time:15:03:30
                                                Start date:14/01/2025
                                                Path:C:\Windows\mssecsvr.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\WINDOWS\mssecsvr.exe
                                                Imagebase:0x400000
                                                File size:2'281'472 bytes
                                                MD5 hash:03E8741684A2EA2AA24BAD8DA574435E
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000002.2131532047.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000000.2097891962.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                Reputation:low
                                                Has exited:true

                                                Target ID:7
                                                Start time:15:03:31
                                                Start date:14/01/2025
                                                Path:C:\Windows\mssecsvr.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\WINDOWS\mssecsvr.exe -m security
                                                Imagebase:0x400000
                                                File size:2'281'472 bytes
                                                MD5 hash:03E8741684A2EA2AA24BAD8DA574435E
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000000.2117428894.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000002.2767855355.000000000042E000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000002.2769349749.0000000002282000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000002.2769091093.0000000001D5F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:low
                                                Has exited:true

                                                Target ID:8
                                                Start time:15:03:32
                                                Start date:14/01/2025
                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                Wow64 process (32bit):true
                                                Commandline:rundll32.exe "C:\Users\user\Desktop\6qqWn6eIGG.dll",PlayGame
                                                Imagebase:0x180000
                                                File size:61'440 bytes
                                                MD5 hash:889B99C52A60DD49227C5E485A016679
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:9
                                                Start time:15:03:32
                                                Start date:14/01/2025
                                                Path:C:\Windows\mssecsvr.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\WINDOWS\mssecsvr.exe
                                                Imagebase:0x400000
                                                File size:2'281'472 bytes
                                                MD5 hash:03E8741684A2EA2AA24BAD8DA574435E
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000009.00000002.2140985093.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000009.00000000.2127384895.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                Reputation:low
                                                Has exited:true

                                                Target ID:10
                                                Start time:15:03:33
                                                Start date:14/01/2025
                                                Path:C:\Windows\tasksche.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\WINDOWS\tasksche.exe /i
                                                Imagebase:0x400000
                                                File size:2'061'938 bytes
                                                MD5 hash:1FF321DE9E6B8A865048789E18BB4232
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Antivirus matches:
                                                • Detection: 100%, Avira
                                                • Detection: 97%, ReversingLabs
                                                Reputation:low
                                                Has exited:false

                                                Target ID:11
                                                Start time:15:03:34
                                                Start date:14/01/2025
                                                Path:C:\Windows\tasksche.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\WINDOWS\tasksche.exe /i
                                                Imagebase:0x400000
                                                File size:2'061'938 bytes
                                                MD5 hash:1FF321DE9E6B8A865048789E18BB4232
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:false
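The process list above gives the execution chain on this host: loaddll32.exe and cmd.exe hand the DLL to rundll32.exe (export PlayGame, also ordinal #1), after which C:\Windows\mssecsvr.exe starts, is relaunched as "mssecsvr.exe -m security", and C:\Windows\tasksche.exe /i appears and has not exited. The Python below is an added example, not part of the report: four rule functions over Sysmon-style process-creation events that flag each of those steps, plus a helper that walks parent PIDs back to the root. SAMPLE_EVENTS is constructed; the PIDs, parent PIDs and the services.exe placeholder (ppid 600) are made up, the images and command lines are taken from the list.

```python
"""Flag the WannaCry process chain in process-creation telemetry (added example).

Not part of the Joe Sandbox report: rules over Sysmon-style process creation
events for what the process list above shows: rundll32 invoking the DLL's
PlayGame export (or ordinal #1), executables started from the C:\\Windows
root itself (mssecsvr.exe, tasksche.exe), the "-m security" service-mode
switch, and "tasksche.exe /i". SAMPLE_EVENTS is constructed: PIDs and parent
PIDs are made up, images and command lines follow the report.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path, as in Sysmon event 1 "Image"
    cmdline: str    # "CommandLine"


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rundll32_playgame_export(e: ProcEvent) -> bool:
    """rundll32 loading a DLL through the PlayGame export or ordinal #1."""
    return _basename(e.image) == "rundll32.exe" and re.search(
        r'\.dll"?\s*,\s*(playgame|#1)\b', e.cmdline, re.IGNORECASE) is not None


def exe_in_windows_root(e: ProcEvent) -> bool:
    """Executable directly under C:\\Windows (not System32 or SysWOW64)."""
    return re.fullmatch(r"c:\\windows\\[^\\]+\.exe", e.image.lower()) is not None


def mssecsvr_service_mode(e: ProcEvent) -> bool:
    """Worm relaunched by the SCM with "-m security". mssecsvc.exe is the name
    the original 2017 sample used; this report's copy is named mssecsvr.exe."""
    return _basename(e.image) in ("mssecsvr.exe", "mssecsvc.exe") and \
        "-m security" in e.cmdline.lower()


def tasksche_install(e: ProcEvent) -> bool:
    """Dropped encryptor started with its /i switch."""
    return _basename(e.image) == "tasksche.exe" and \
        re.search(r"\s/i\b", e.cmdline, re.IGNORECASE) is not None


RULES = {
    "rundll32_playgame_export": rundll32_playgame_export,
    "exe_in_windows_root": exe_in_windows_root,
    "mssecsvr_service_mode": mssecsvr_service_mode,
    "tasksche_install": tasksche_install,
}


def evaluate(events) -> list:
    """[(pid, rule_name), ...] for every rule each event matches."""
    return [(e.pid, name) for e in events for name, rule in RULES.items() if rule(e)]


def ancestry(events, pid: int) -> list:
    """Image paths from the oldest known ancestor down to pid, following ppid."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain[::-1]


# Constructed events. ppid 600 stands for services.exe, which is not listed.
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   r"C:\Windows\System32\loaddll32.exe", r'loaddll32.exe "C:\Users\user\Desktop\6qqWn6eIGG.dll"'),
    ProcEvent(101, 100, r"C:\Windows\System32\conhost.exe",   r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(102, 100, r"C:\Windows\SysWOW64\cmd.exe",       r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6qqWn6eIGG.dll",#1'),
    ProcEvent(103, 100, r"C:\Windows\SysWOW64\rundll32.exe",  r"rundll32.exe C:\Users\user\Desktop\6qqWn6eIGG.dll,PlayGame"),
    ProcEvent(104, 102, r"C:\Windows\SysWOW64\rundll32.exe",  r'rundll32.exe "C:\Users\user\Desktop\6qqWn6eIGG.dll",#1'),
    ProcEvent(105, 103, r"C:\Windows\mssecsvr.exe",           r"C:\WINDOWS\mssecsvr.exe"),
    ProcEvent(106, 600, r"C:\Windows\mssecsvr.exe",           r"C:\WINDOWS\mssecsvr.exe -m security"),
    ProcEvent(107, 105, r"C:\Windows\tasksche.exe",           r"C:\WINDOWS\tasksche.exe /i"),
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
    print(" -> ".join(_basename(p) for p in ancestry(SAMPLE_EVENTS, 107)))
```

The cmd.exe event carries the same ",#1" text as the rundll32 event but is deliberately not flagged by the rundll32 rule: matching on command-line text alone, without the image, would fire on every shell that merely spawns rundll32.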


                                                  Execution Graph

                                                  Execution Coverage:71.7%
                                                  Dynamic/Decrypted Code Coverage:0%
                                                  Signature Coverage:63.2%
                                                  Total number of Nodes:38
                                                  Total number of Limit Nodes:9
                                                  execution_graph (node: id, address, API calls; edge: from -> to)
                                                  Nodes:
                                                  63 409a16 __set_app_type __p__fmode __p__commode
                                                  64 409a85
                                                  65 409a99
                                                  66 409a8d __setusermatherr
                                                  68 409a9e _initterm __getmainargs _initterm
                                                  69 409af2 GetStartupInfoA
                                                  71 409b26 GetModuleHandleA
                                                  75 409b8c _controlfp
                                                  76 408140 InternetOpenA InternetOpenUrlA
                                                  77 4081a7 InternetCloseHandle InternetCloseHandle
                                                  79 4081b2 exit _XcptFilter
                                                  80 408090 GetModuleFileNameA __p___argc
                                                  81 4080b0
                                                  82 4080b9 OpenSCManagerA
                                                  83 408101 StartServiceCtrlDispatcherA
                                                  84 4080cf OpenServiceA
                                                  86 4080fc CloseServiceHandle
                                                  87 4080ee
                                                  90 4080f6 CloseServiceHandle
                                                  91 407f20
                                                  93 407f25
                                                  96 407fa0 ChangeServiceConfig2A
                                                  97 407ce0 GetModuleHandleW
                                                  98 407d01 GetProcAddress GetProcAddress GetProcAddress GetProcAddress
                                                  99 407f08
                                                  100 407d49
                                                  101 407d69 FindResourceA
                                                  102 407d84 LoadResource
                                                  103 407d94 LockResource
                                                  104 407da7 SizeofResource
                                                  105 407db9 sprintf sprintf MoveFileExA CreateFileA
                                                  106 407e54 WriteFile CloseHandle CreateProcessA
                                                  107 407ef2 CloseHandle CloseHandle
                                                  108 407c40 sprintf OpenSCManagerA
                                                  109 407c74 CreateServiceA
                                                  110 407cca
                                                  111 407cbb CloseServiceHandle
                                                  112 407cad StartServiceA CloseServiceHandle
                                                  Edges:
                                                  63->64 64->65 64->66 65->75 66->65 75->68 68->69 69->71 71->76 76->77 77->80
                                                  80->81 80->82 81->91 82->83 82->84 83->79 84->86 84->87 86->83 87->96 96->90 90->86
                                                  91->108 108->109 108->110 109->111 109->112 112->111 110->93 111->93 93->97
                                                  97->98 97->99 98->99 98->100 99->79 100->99 100->101 101->99 101->102 102->99 102->103
                                                  103->99 103->104 104->99 104->105 105->99 105->106 106->99 106->107 107->99

                                                  Callgraph

                                                  Control-flow Graph

                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F370EF0,?,00000000), ref: 00407CEF
                                                  • GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
                                                  • GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
                                                  • GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
                                                  • GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
                                                  • FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
                                                  • LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
                                                  • LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
                                                  • SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
                                                  • sprintf.MSVCRT ref: 00407E01
                                                  • sprintf.MSVCRT ref: 00407E18
                                                  • MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
                                                  • CreateFileA.KERNELBASE(?,40000000(GENERIC_WRITE),00000000,00000000,00000002(CREATE_ALWAYS),00000004(FILE_ATTRIBUTE_SYSTEM),00000000), ref: 00407E43
                                                  • WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
                                                  • CloseHandle.KERNELBASE(00000000), ref: 00407E68
                                                  • CreateProcessA.KERNELBASE ref: 00407EE8
                                                  • CloseHandle.KERNEL32(00000000), ref: 00407EF7
                                                  • CloseHandle.KERNEL32(08000000), ref: 00407F02
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2131424080.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000005.00000002.2131359183.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.2131489482.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.2131532047.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.2131532047.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.2131624058.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.2131742561.0000000000710000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressHandleProcResource$CloseFile$Createsprintf$FindLoadLockModuleMoveProcessSizeofWrite
                                                  • String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
                                                  • API String ID: 4281112323-1507730452
                                                  • Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
                                                  • Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
                                                  • Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
                                                  • Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

                                                  Control-flow Graph

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2131424080.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000005.00000002.2131359183.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.2131489482.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.2131532047.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.2131532047.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.2131624058.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.2131742561.0000000000710000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                                  • String ID:
                                                  • API String ID: 801014965-0
                                                  • Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
                                                  • Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
                                                  • Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
                                                  • Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

                                                  Control-flow Graph

                                                  APIs
                                                  • InternetOpenA.WININET(00000000,00000001(INTERNET_OPEN_TYPE_DIRECT),00000000,00000000,00000000), ref: 0040817B
                                                  • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000(INTERNET_FLAG_RELOAD|INTERNET_FLAG_NO_CACHE_WRITE),00000000), ref: 00408194
                                                  • InternetCloseHandle.WININET(00000000), ref: 004081A7
                                                  • InternetCloseHandle.WININET(00000000), ref: 004081AB
                                                    • Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
                                                    • Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5
                                                  Strings
                                                  • http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2131424080.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000005.00000002.2131359183.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.2131489482.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.2131532047.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.2131532047.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.2131624058.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.2131742561.0000000000710000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
                                                  • String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
                                                  • API String ID: 774561529-2614457033
                                                  • Opcode ID: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
                                                  • Instruction ID: 3b8a91e0baa4f3639afdb349cfc438007093f0a6557163af6b5eb03d237fc32a
                                                  • Opcode Fuzzy Hash: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
                                                  • Instruction Fuzzy Hash: B3018671548310AEE310DF748D01B6B7BE9EF85710F01082EF984F72C0EAB59804876B

                                                  Control-flow Graph

                                                  APIs
                                                  • sprintf.MSVCRT ref: 00407C56
                                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F(SC_MANAGER_ALL_ACCESS)), ref: 00407C68
                                                  • CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF(SERVICE_ALL_ACCESS),00000010(SERVICE_WIN32_OWN_PROCESS),00000002(SERVICE_AUTO_START),00000001(SERVICE_ERROR_NORMAL),?,00000000,00000000,00000000,00000000,00000000,6F370EF0,00000000), ref: 00407C9B
                                                  • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2131424080.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000005.00000002.2131359183.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.2131489482.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.2131532047.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.2131532047.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.2131624058.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.2131742561.0000000000710000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
                                                  • String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
                                                  • API String ID: 3340711343-2450984573
                                                  • Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
                                                  • Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
                                                  • Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
                                                  • Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

                                                  Control-flow Graph

                                                  APIs
                                                  • GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
                                                  • __p___argc.MSVCRT ref: 004080A5
                                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F(SC_MANAGER_ALL_ACCESS),00000000,?,004081B2), ref: 004080C3
                                                  • OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF(SERVICE_ALL_ACCESS),6F370EF0,00000000,?,004081B2), ref: 004080DC
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
                                                  • StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2131424080.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000005.00000002.2131359183.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.2131489482.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.2131532047.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.2131532047.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.2131624058.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.2131742561.0000000000710000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
                                                  • String ID: mssecsvc2.1
                                                  • API String ID: 4274534310-2839763450
                                                  • Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
                                                  • Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
                                                  • Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
                                                  • Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

                                                  Execution Graph

                                                  Execution Coverage:34.8%
                                                  Dynamic/Decrypted Code Coverage:0%
                                                  Signature Coverage:0%
                                                  Total number of Nodes:36
                                                  Total number of Limit Nodes:2

                                                  Callgraph

                                                  Control-flow Graph

                                                  APIs
                                                  • GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
                                                  • __p___argc.MSVCRT ref: 004080A5
                                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F(SC_MANAGER_ALL_ACCESS),00000000,?,004081B2), ref: 004080C3
                                                  • OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF(SERVICE_ALL_ACCESS),6F370EF0,00000000,?,004081B2), ref: 004080DC
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
                                                  • StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000007.00000002.2767523817.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000007.00000002.2767481491.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000007.00000002.2767557127.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000007.00000002.2767582548.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000007.00000002.2767582548.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000007.00000002.2767855355.000000000042E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000007.00000002.2767919214.000000000042F000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000007.00000002.2767993709.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000007.00000002.2768267765.0000000000710000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_7_2_400000_mssecsvr.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
                                                  • String ID: mssecsvc2.1
                                                  • API String ID: 4274534310-2839763450
                                                  • Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
                                                  • Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
                                                  • Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
                                                  • Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

                                                  Control-flow Graph

                                                  APIs
                                                  • InternetOpenA.WININET(00000000,00000001(INTERNET_OPEN_TYPE_DIRECT),00000000,00000000,00000000), ref: 0040817B
                                                  • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000(INTERNET_FLAG_RELOAD|INTERNET_FLAG_NO_CACHE_WRITE),00000000), ref: 00408194
                                                  • InternetCloseHandle.WININET(00000000), ref: 004081A7
                                                  • InternetCloseHandle.WININET(00000000), ref: 004081AB
                                                    • Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
                                                    • Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5
                                                  Strings
                                                  • http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A
                                                  Memory Dump Source
                                                  • Source File: 00000007.00000002.2767523817.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000007.00000002.2767481491.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000007.00000002.2767557127.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000007.00000002.2767582548.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000007.00000002.2767582548.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000007.00000002.2767855355.000000000042E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000007.00000002.2767919214.000000000042F000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000007.00000002.2767993709.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000007.00000002.2768267765.0000000000710000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_7_2_400000_mssecsvr.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
                                                  • String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
                                                  • API String ID: 774561529-2614457033
                                                  • Opcode ID: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
                                                  • Instruction ID: 3b8a91e0baa4f3639afdb349cfc438007093f0a6557163af6b5eb03d237fc32a
                                                  • Opcode Fuzzy Hash: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
                                                  • Instruction Fuzzy Hash: B3018671548310AEE310DF748D01B6B7BE9EF85710F01082EF984F72C0EAB59804876B

                                                  Control-flow Graph

                                                  APIs
                                                  • sprintf.MSVCRT ref: 00407C56
                                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F(SC_MANAGER_ALL_ACCESS)), ref: 00407C68
                                                  • CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF(SERVICE_ALL_ACCESS),00000010(SERVICE_WIN32_OWN_PROCESS),00000002(SERVICE_AUTO_START),00000001(SERVICE_ERROR_NORMAL),?,00000000,00000000,00000000,00000000,00000000,6F370EF0,00000000), ref: 00407C9B
                                                  • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000007.00000002.2767523817.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000007.00000002.2767481491.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000007.00000002.2767557127.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000007.00000002.2767582548.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000007.00000002.2767582548.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000007.00000002.2767855355.000000000042E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000007.00000002.2767919214.000000000042F000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000007.00000002.2767993709.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000007.00000002.2768267765.0000000000710000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_7_2_400000_mssecsvr.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
                                                  • String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
                                                  • API String ID: 3340711343-2450984573
                                                  • Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
                                                  • Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
                                                  • Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
                                                  • Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

                                                  Control-flow Graph

                                                  control_flow_graph (one basic block per line: block id, address range, APIs called in that block; edges are given as from->to)
                                                  15 407ce0-407cfb GetModuleHandleW
                                                  16 407d01-407d43 GetProcAddress * 4 15->16
                                                  17 407f08-407f14 15->17 16->17
                                                  18 407d49-407d4f 16->18 18->17
                                                  19 407d55-407d5b 18->19 19->17
                                                  20 407d61-407d63 19->20 20->17
                                                  21 407d69-407d7e FindResourceA 20->21 21->17
                                                  22 407d84-407d8e LoadResource 21->22 22->17
                                                  23 407d94-407da1 LockResource 22->23 23->17
                                                  24 407da7-407db3 SizeofResource 23->24 24->17
                                                  25 407db9-407e4e sprintf * 2 MoveFileExA 24->25 25->17
                                                  27 407e54-407ef0 25->27 27->17
                                                  31 407ef2-407f01 27->31 31->17
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F370EF0,?,00000000), ref: 00407CEF
                                                  • GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
                                                  • GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
                                                  • GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
                                                  • GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
                                                  • FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
                                                  • LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
                                                  • LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
                                                  • SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
                                                  • sprintf.MSVCRT ref: 00407E01
                                                  • sprintf.MSVCRT ref: 00407E18
                                                  • MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000007.00000002.2767523817.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000007.00000002.2767481491.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000007.00000002.2767557127.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000007.00000002.2767582548.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000007.00000002.2767582548.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000007.00000002.2767855355.000000000042E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000007.00000002.2767919214.000000000042F000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000007.00000002.2767993709.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000007.00000002.2768267765.0000000000710000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_7_2_400000_mssecsvr.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
                                                  • String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
                                                  • API String ID: 4072214828-1507730452
                                                  • Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
                                                  • Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
                                                  • Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
                                                  • Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

                                                  Control-flow Graph

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000007.00000002.2767523817.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000007.00000002.2767481491.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000007.00000002.2767557127.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000007.00000002.2767582548.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000007.00000002.2767582548.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000007.00000002.2767855355.000000000042E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000007.00000002.2767919214.000000000042F000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000007.00000002.2767993709.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000007.00000002.2768267765.0000000000710000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_7_2_400000_mssecsvr.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                                  • String ID:
                                                  • API String ID: 801014965-0
                                                  • Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
                                                  • Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
                                                  • Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
                                                  • Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

                                                  Execution Graph

                                                  Execution Coverage:10%
                                                  Dynamic/Decrypted Code Coverage:0%
                                                  Signature Coverage:3.2%
                                                  Total number of Nodes:2000
                                                  Total number of Limit Nodes:34
                                                  execution_graph: rendered graph of 2000 nodes (34 limit nodes), not reproduced as text. The API-calling nodes it contains, grouped by what they touch:
                                                  • CRT and synchronisation: ___lock_fhandle, ___free_lc_time, __lock, ___removelocaleref, ___freetlocinfo, __write_nolock, __getptd_noexit, __cinit, __calloc_impl, _malloc, _realloc, _memset, _swprintf, _wcscpy, _wcscat, _wcslen, _wcsncpy, _strcpy_s, __CxxThrowException@8, RaiseException, InterlockedDecrement, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, CreateSemaphoreW, CreateEventW, MultiByteToWideChar, CompareStringW, CharUpperW, ___crtGetEnvironmentStringsA
                                                  • Dialog and window handling: DialogBoxParamW, EndDialog, GetDlgItem, GetDlgItemTextW, SetDlgItemTextW, SendDlgItemMessageW, SendMessageW, PostMessageW, PeekMessageW, GetMessageW, IsDialogMessageW, TranslateMessage, DispatchMessageW, SetFocus, SetForegroundWindow, EnableWindow, ShowWindow, UpdateWindow, SetWindowTextW, GetWindowTextW, GetWindowLongW, SetWindowLongW, GetWindowRect, GetClientRect, SetWindowPos, GetSystemMetrics, GetWindow, GetParent, MapWindowPoints, LoadCursorW, RegisterClassExW, CreateWindowExW, DestroyWindow, FindWindowExW, GetClassNameW, MessageBoxW, GetDC, ReleaseDC, GetDeviceCaps, CreateCompatibleDC, CreateDIBSection, GetObjectW, DeleteObject, CoCreateInstance, VariantInit, SHAutoComplete, SHBrowseForFolderW, SHGetMalloc, SHGetSpecialFolderLocation, SHGetPathFromIDListW
                                                  • File system: CreateFileW, CreateDirectoryW, GetFileAttributesW, SetFileAttributesW, DeleteFileW, MoveFileW, MoveFileExW, SHFileOperationW, FindFirstFileW, FindNextFileW, FindClose, GetCurrentDirectoryW, SetCurrentDirectoryW, ExpandEnvironmentStringsW, GetModuleFileNameW
                                                  • Registry: RegCreateKeyExW, RegSetValueExW, RegOpenKeyExW, RegQueryValueExW, RegCloseKey
                                                  • Process launch and waiting: GetCommandLineW, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, CloseHandle, ShellExecuteExW, WaitForInputIdle, Sleep, GetTickCount, GetLastError
23369->23371 23376 41e9b4 __getptd 67 API calls 23369->23376 23372 4245f3 23370->23372 23374 4248e0 23371->23374 23375 424b9f WriteFile 23371->23375 23373 420103 __write_nolock 6 API calls 23372->23373 23373->23382 23378 4249be 23374->23378 23397 4248f4 23374->23397 23377 424bd2 GetLastError 23375->23377 23400 4248b2 23375->23400 23379 424645 GetConsoleMode 23376->23379 23377->23400 23402 4249cd 23378->23402 23403 424a9e 23378->23403 23379->23371 23381 424670 23379->23381 23380 424c1d 23380->23382 23384 41edae __write_nolock 67 API calls 23380->23384 23381->23371 23383 424682 GetConsoleCP 23381->23383 23382->23356 23383->23400 23407 4246a5 23383->23407 23386 424c40 23384->23386 23385 424bf0 23388 424bfb 23385->23388 23389 424c0f 23385->23389 23391 41edc1 __write_nolock 67 API calls 23386->23391 23387 424b04 WideCharToMultiByte 23387->23377 23393 424b3b WriteFile 23387->23393 23392 41edae __write_nolock 67 API calls 23388->23392 23439 41edd4 23389->23439 23390 424962 WriteFile 23390->23377 23390->23397 23391->23382 23398 424c00 23392->23398 23396 424b72 GetLastError 23393->23396 23393->23403 23394 424a42 WriteFile 23394->23377 23394->23402 23396->23403 23397->23380 23397->23390 23397->23400 23401 41edc1 __write_nolock 67 API calls 23398->23401 23400->23380 23400->23382 23400->23385 23401->23382 23402->23380 23402->23394 23402->23400 23403->23380 23403->23387 23403->23393 23403->23400 23404 424751 WideCharToMultiByte 23404->23400 23406 424782 WriteFile 23404->23406 23405 4250e5 79 API calls __fassign 23405->23407 23406->23377 23406->23407 23407->23377 23407->23400 23407->23404 23407->23405 23408 42690d 11 API calls __putwch_nolock 23407->23408 23409 4247d6 WriteFile 23407->23409 23436 4227cb 23407->23436 23408->23407 23409->23377 23409->23407 23457 4268e6 LeaveCriticalSection 23410->23457 23412 424d48 23412->23326 23416 41eec9 LeaveCriticalSection 23413->23416 23415 4268e4 23415->23343 23416->23415 23444 4267cf 23417->23444 23419 4243bb 23420 4243c3 23419->23420 
23421 4243d4 SetFilePointer 23419->23421 23423 41edae __write_nolock 67 API calls 23420->23423 23422 4243ec GetLastError 23421->23422 23425 4243c8 23421->23425 23424 4243f6 23422->23424 23422->23425 23423->23425 23426 41edd4 __dosmaperr 67 API calls 23424->23426 23425->23361 23426->23425 23428 424da0 23427->23428 23429 424daf 23427->23429 23430 41edae __write_nolock 67 API calls 23428->23430 23431 424dd3 23429->23431 23432 41edae __write_nolock 67 API calls 23429->23432 23433 424da5 23430->23433 23431->23369 23434 424dc3 23432->23434 23433->23369 23435 420103 __write_nolock 6 API calls 23434->23435 23435->23431 23437 422793 __isleadbyte_l 77 API calls 23436->23437 23438 4227da 23437->23438 23438->23407 23440 41edc1 __write_nolock 67 API calls 23439->23440 23441 41eddf __dosmaperr 23440->23441 23442 41edae __write_nolock 67 API calls 23441->23442 23443 41edf2 23442->23443 23443->23382 23445 4267f4 23444->23445 23446 4267dc 23444->23446 23448 41edc1 __write_nolock 67 API calls 23445->23448 23454 426839 23445->23454 23447 41edc1 __write_nolock 67 API calls 23446->23447 23449 4267e1 23447->23449 23450 426822 23448->23450 23451 41edae __write_nolock 67 API calls 23449->23451 23453 41edae __write_nolock 67 API calls 23450->23453 23452 4267e9 23451->23452 23452->23419 23455 426829 23453->23455 23454->23419 23456 420103 __write_nolock 6 API calls 23455->23456 23456->23454 23457->23412 23459 4267cf __lseeki64_nolock 67 API calls 23458->23459 23461 427123 23459->23461 23460 427179 23476 426749 23460->23476 23461->23460 23462 427157 23461->23462 23464 4267cf __lseeki64_nolock 67 API calls 23461->23464 23462->23460 23465 4267cf __lseeki64_nolock 67 API calls 23462->23465 23468 42714e 23464->23468 23469 427163 CloseHandle 23465->23469 23467 4271a3 23467->23311 23471 4267cf __lseeki64_nolock 67 API calls 23468->23471 23469->23460 23472 42716f GetLastError 23469->23472 23470 41edd4 __dosmaperr 67 API calls 23470->23467 23471->23462 23472->23460 23485 4268e6 LeaveCriticalSection 
23473->23485 23475 42727a 23475->23301 23477 4267b5 23476->23477 23478 42675a 23476->23478 23479 41edae __write_nolock 67 API calls 23477->23479 23478->23477 23483 426785 23478->23483 23480 4267ba 23479->23480 23481 41edc1 __write_nolock 67 API calls 23480->23481 23482 4267ab 23481->23482 23482->23467 23482->23470 23483->23482 23484 4267a5 SetStdHandle 23483->23484 23484->23482 23485->23475 23487 421152 LeaveCriticalSection 23486->23487 23488 421133 23486->23488 23487->23273 23488->23487 23489 42113a 23488->23489 23492 41eec9 LeaveCriticalSection 23489->23492 23491 42114f 23491->23273 23492->23491 23493->23248 22751 41c618 22752 41c631 22751->22752 22753 41c63c 22751->22753 22756 41ec8a 22753->22756 22755 41c641 ___lock_fhandle 22757 41ec96 ___lock_fhandle 22756->22757 22758 41e9b4 __getptd 67 API calls 22757->22758 22760 41ec9b 22758->22760 22762 423f89 22760->22762 22761 41ecbd ___lock_fhandle 22761->22755 22763 423fa8 22762->22763 22766 423faf 22762->22766 22765 42179d __NMSG_WRITE 67 API calls 22763->22765 22765->22766 22774 42553a 22766->22774 22767 423fc0 _memset 22770 424098 22767->22770 22772 424058 SetUnhandledExceptionFilter UnhandledExceptionFilter 22767->22772 22798 42171b 22770->22798 22772->22770 22775 41e768 __decode_pointer 6 API calls 22774->22775 22776 423fb5 22775->22776 22776->22767 22777 425547 22776->22777 22780 425553 ___lock_fhandle 22777->22780 22778 4255af 22779 425590 22778->22779 22783 4255be 22778->22783 22784 41e768 __decode_pointer 6 API calls 22779->22784 22780->22778 22780->22779 22781 42557a 22780->22781 22786 425576 22780->22786 22782 41e93b __getptd_noexit 67 API calls 22781->22782 22787 42557f _siglookup 22782->22787 22785 41edae __write_nolock 67 API calls 22783->22785 22784->22787 22788 4255c3 22785->22788 22786->22781 22786->22783 22790 425625 22787->22790 22791 42171b _raise 67 API calls 22787->22791 22797 425588 ___lock_fhandle 22787->22797 22789 420103 __write_nolock 6 API calls 22788->22789 22789->22797 22792 41efa3 
__lock 67 API calls 22790->22792 22793 425630 22790->22793 22791->22790 22792->22793 22794 41e75f _doexit 6 API calls 22793->22794 22795 425665 22793->22795 22794->22795 22801 4256bb 22795->22801 22797->22767 22799 4215d9 _doexit 67 API calls 22798->22799 22800 42172c RtlUnwind 22799->22800 22800->22761 22802 4256c1 22801->22802 22803 4256c8 22801->22803 22805 41eec9 LeaveCriticalSection 22802->22805 22803->22797 22805->22803 19433 41d89d 19472 41fa9c 19433->19472 19435 41d8a9 GetStartupInfoA 19436 41d8cc 19435->19436 19473 41edf7 HeapCreate 19436->19473 19439 41d91c 19475 41eafd GetModuleHandleW 19439->19475 19443 41d92d __RTC_Initialize 19509 423b05 19443->19509 19444 41d874 _fast_error_exit 67 API calls 19444->19443 19446 41d93b 19447 41d947 GetCommandLineA 19446->19447 19448 421495 __amsg_exit 67 API calls 19446->19448 19524 4239ce 19447->19524 19450 41d946 19448->19450 19450->19447 19454 41d96c 19563 42369b 19454->19563 19455 421495 __amsg_exit 67 API calls 19455->19454 19458 41d97d 19578 421554 19458->19578 19460 421495 __amsg_exit 67 API calls 19460->19458 19461 41d984 19462 41d98f 19461->19462 19463 421495 __amsg_exit 67 API calls 19461->19463 19584 42363c 19462->19584 19463->19462 19472->19435 19474 41d910 19473->19474 19474->19439 19635 41d874 19474->19635 19476 41eb11 19475->19476 19477 41eb18 19475->19477 19649 421465 19476->19649 19479 41ec80 19477->19479 19480 41eb22 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 19477->19480 19688 41e817 19479->19688 19482 41eb6b TlsAlloc 19480->19482 19485 41d922 19482->19485 19486 41ebb9 TlsSetValue 19482->19486 19485->19443 19485->19444 19486->19485 19487 41ebca 19486->19487 19653 42174f 19487->19653 19490 41e6ed __encode_pointer 6 API calls 19491 41ebda 19490->19491 19492 41e6ed __encode_pointer 6 API calls 19491->19492 19493 41ebea 19492->19493 19494 41e6ed __encode_pointer 6 API calls 19493->19494 19495 41ebfa 19494->19495 19496 41e6ed __encode_pointer 6 API calls 19495->19496 19497 41ec0a 
19496->19497 19660 41ee27 19497->19660 19500 41e768 __decode_pointer 6 API calls 19501 41ec2b 19500->19501 19501->19479 19664 421328 19501->19664 19504 41e768 __decode_pointer 6 API calls 19505 41ec5e 19504->19505 19505->19479 19506 41ec65 19505->19506 19670 41e854 19506->19670 19508 41ec6d GetCurrentThreadId 19508->19485 19740 41fa9c 19509->19740 19511 423b11 GetStartupInfoA 19512 421328 __calloc_crt 67 API calls 19511->19512 19519 423b32 19512->19519 19513 423d50 ___lock_fhandle 19513->19446 19514 423ccd GetStdHandle 19518 423c97 19514->19518 19515 421328 __calloc_crt 67 API calls 19515->19519 19516 423d32 SetHandleCount 19516->19513 19517 423cdf GetFileType 19517->19518 19518->19513 19518->19514 19518->19516 19518->19517 19522 4241e6 ___lock_fhandle InitializeCriticalSectionAndSpinCount 19518->19522 19519->19513 19519->19515 19519->19518 19521 423c1a 19519->19521 19520 423c43 GetFileType 19520->19521 19521->19513 19521->19518 19521->19520 19523 4241e6 ___lock_fhandle InitializeCriticalSectionAndSpinCount 19521->19523 19522->19518 19523->19521 19525 423a0b 19524->19525 19526 4239ec GetEnvironmentStringsW 19524->19526 19528 4239f4 19525->19528 19529 423aa4 19525->19529 19527 423a00 GetLastError 19526->19527 19526->19528 19527->19525 19530 423a27 GetEnvironmentStringsW 19528->19530 19533 423a36 19528->19533 19531 423aad GetEnvironmentStrings 19529->19531 19536 41d957 19529->19536 19530->19533 19530->19536 19531->19536 19537 423abd 19531->19537 19532 423a4b WideCharToMultiByte 19534 423a6a 19532->19534 19535 423a99 FreeEnvironmentStringsW 19532->19535 19533->19532 19533->19533 19540 4212e3 __malloc_crt 67 API calls 19534->19540 19535->19536 19550 423913 19536->19550 19537->19537 19538 423acb 19537->19538 19539 4212e3 __malloc_crt 67 API calls 19538->19539 19541 423ad7 19539->19541 19542 423a70 19540->19542 19543 423aea ___crtGetEnvironmentStringsA 19541->19543 19544 423ade FreeEnvironmentStringsA 19541->19544 19542->19535 19545 423a78 WideCharToMultiByte 
19542->19545 19548 423af4 FreeEnvironmentStringsA 19543->19548 19544->19536 19546 423a92 19545->19546 19547 423a8a 19545->19547 19546->19535 19549 41a506 ___free_lc_time 67 API calls 19547->19549 19548->19536 19549->19546 19551 423928 19550->19551 19552 42392d GetModuleFileNameA 19550->19552 19747 422046 19551->19747 19554 423954 19552->19554 19741 423779 19554->19741 19556 41d961 19556->19454 19556->19455 19558 423990 19559 4212e3 __malloc_crt 67 API calls 19558->19559 19560 423996 19559->19560 19560->19556 19561 423779 _parse_cmdline 77 API calls 19560->19561 19562 4239b0 19561->19562 19562->19556 19564 4236a4 19563->19564 19566 4236a9 _strlen 19563->19566 19565 422046 ___initmbctable 111 API calls 19564->19565 19565->19566 19567 421328 __calloc_crt 67 API calls 19566->19567 19570 41d972 19566->19570 19573 4236de _strlen 19567->19573 19568 42373c 19569 41a506 ___free_lc_time 67 API calls 19568->19569 19569->19570 19570->19458 19570->19460 19571 421328 __calloc_crt 67 API calls 19571->19573 19572 423762 19574 41a506 ___free_lc_time 67 API calls 19572->19574 19573->19568 19573->19570 19573->19571 19573->19572 19575 422896 _strcpy_s 67 API calls 19573->19575 19576 423723 19573->19576 19574->19570 19575->19573 19576->19573 19577 41ffdb __invoke_watson 10 API calls 19576->19577 19577->19576 19580 421562 __IsNonwritableInCurrentImage 19578->19580 20177 4233d9 19580->20177 19581 421580 __initterm_e 19582 41c9cf __cinit 74 API calls 19581->19582 19583 42159f __IsNonwritableInCurrentImage __initterm 19581->19583 19582->19583 19583->19461 19585 42364a 19584->19585 19588 42364f 19584->19588 19586 422046 ___initmbctable 111 API calls 19585->19586 19586->19588 19587 41d995 19590 40fef0 19587->19590 19588->19587 19589 426731 _parse_cmdline 77 API calls 19588->19589 19589->19588 20181 410e1c GetModuleHandleW 19590->20181 19594 40ff16 _memset 19595 40ff27 GetCommandLineW 19594->19595 19596 40ffa2 GetModuleFileNameW SetEnvironmentVariableW GetLocalTime 19595->19596 19597 40ff36 
19595->19597 20199 40bc16 19596->20199 20188 40d64b 19597->20188 19603 40ff44 OpenFileMappingW 19607 40ff91 CloseHandle 19603->19607 19608 40ff5d MapViewOfFile 19603->19608 19604 40ff9c 20195 40d5f7 SetEnvironmentVariableW 19604->20195 19606 410051 20203 40c3a8 19606->20203 19607->19596 19610 40ff8a UnmapViewOfFile 19608->19610 19611 40ff6e ___crtGetEnvironmentStringsA 19608->19611 19610->19607 19612 40d5f7 2 API calls 19611->19612 19612->19610 19613 41005c 20208 419dd0 19613->20208 19616 419dd0 3 API calls 19617 41007d DialogBoxParamW 19616->19617 19618 4100b7 19617->19618 20212 41a0ba 19618->20212 19636 41d882 19635->19636 19637 41d887 19635->19637 19638 421948 __FF_MSGBANNER 67 API calls 19636->19638 19639 42179d __NMSG_WRITE 67 API calls 19637->19639 19638->19637 19640 41d88f 19639->19640 19641 4214e9 _doexit 3 API calls 19640->19641 19642 41d899 19641->19642 19642->19439 19650 421470 Sleep GetModuleHandleW 19649->19650 19651 41eb17 19650->19651 19652 42148e 19650->19652 19651->19477 19652->19650 19652->19651 19654 41e75f _doexit 6 API calls 19653->19654 19655 421757 __init_pointers __initp_misc_winsig 19654->19655 19699 41ed0e 19655->19699 19658 41e6ed __encode_pointer 6 API calls 19659 41ebcf 19658->19659 19659->19490 19661 41ee32 19660->19661 19662 41ec17 19661->19662 19663 4241e6 ___lock_fhandle InitializeCriticalSectionAndSpinCount 19661->19663 19662->19479 19662->19500 19663->19661 19666 421331 19664->19666 19667 41ec44 19666->19667 19668 42134f Sleep 19666->19668 19702 4253c7 19666->19702 19667->19479 19667->19504 19669 421364 19668->19669 19669->19666 19669->19667 19719 41fa9c 19670->19719 19672 41e860 GetModuleHandleW 19673 41e870 19672->19673 19674 41e876 19672->19674 19675 421465 __crt_waiting_on_module_handle 2 API calls 19673->19675 19676 41e8b2 19674->19676 19677 41e88e GetProcAddress GetProcAddress 19674->19677 19675->19674 19678 41efa3 __lock 63 API calls 19676->19678 19677->19676 19679 41e8d1 InterlockedIncrement 19678->19679 19720 41e929 
19679->19720 19682 41efa3 __lock 63 API calls 19683 41e8f2 19682->19683 19723 4221ad InterlockedIncrement 19683->19723 19685 41e910 19735 41e932 19685->19735 19687 41e91d ___lock_fhandle 19687->19508 19689 41e821 19688->19689 19690 41e82d 19688->19690 19692 41e768 __decode_pointer 6 API calls 19689->19692 19691 41e841 TlsFree 19690->19691 19693 41e84f 19690->19693 19691->19693 19692->19690 19694 41ee8e DeleteCriticalSection 19693->19694 19695 41eea6 19693->19695 19696 41a506 ___free_lc_time 67 API calls 19694->19696 19697 41eeb8 DeleteCriticalSection 19695->19697 19698 41eec6 19695->19698 19696->19693 19697->19695 19698->19485 19700 41e6ed __encode_pointer 6 API calls 19699->19700 19701 41ed18 19700->19701 19701->19658 19703 4253d3 ___lock_fhandle 19702->19703 19704 4253eb 19703->19704 19714 42540a _memset 19703->19714 19705 41edae __write_nolock 66 API calls 19704->19705 19706 4253f0 19705->19706 19707 420103 __write_nolock 6 API calls 19706->19707 19709 425400 ___lock_fhandle 19707->19709 19708 42547c HeapAlloc 19708->19714 19709->19666 19710 41fc9b __calloc_impl 6 API calls 19710->19714 19711 41efa3 __lock 66 API calls 19711->19714 19712 41f7b5 ___sbh_alloc_block 5 API calls 19712->19714 19714->19708 19714->19709 19714->19710 19714->19711 19714->19712 19715 4254c3 19714->19715 19718 41eec9 LeaveCriticalSection 19715->19718 19717 4254ca 19717->19714 19718->19717 19719->19672 19738 41eec9 LeaveCriticalSection 19720->19738 19722 41e8eb 19722->19682 19724 4221cb InterlockedIncrement 19723->19724 19725 4221ce 19723->19725 19724->19725 19726 4221db 19725->19726 19727 4221d8 InterlockedIncrement 19725->19727 19728 4221e5 InterlockedIncrement 19726->19728 19729 4221e8 19726->19729 19727->19726 19728->19729 19730 4221f2 InterlockedIncrement 19729->19730 19732 4221f5 19729->19732 19730->19732 19731 42220e InterlockedIncrement 19731->19732 19732->19731 19733 42221e InterlockedIncrement 19732->19733 19734 422229 InterlockedIncrement 19732->19734 19733->19732 19734->19685 
19739 41eec9 LeaveCriticalSection 19735->19739 19737 41e939 19737->19687 19738->19722 19739->19737 19740->19511 19743 423798 19741->19743 19745 423805 19743->19745 19751 426731 19743->19751 19744 423903 19744->19556 19744->19558 19745->19744 19746 426731 77 API calls _parse_cmdline 19745->19746 19746->19745 19748 422056 19747->19748 19749 42204f 19747->19749 19748->19552 19992 421eac 19749->19992 19754 4266de 19751->19754 19757 41d0c8 19754->19757 19758 41d0db 19757->19758 19762 41d128 19757->19762 19765 41e9b4 19758->19765 19761 41d108 19761->19762 19785 421ba7 19761->19785 19762->19743 19801 41e93b GetLastError 19765->19801 19767 41e9bc 19768 41d0e0 19767->19768 19769 421495 __amsg_exit 67 API calls 19767->19769 19768->19761 19770 422313 19768->19770 19769->19768 19771 42231f ___lock_fhandle 19770->19771 19772 41e9b4 __getptd 67 API calls 19771->19772 19773 422324 19772->19773 19774 422352 19773->19774 19775 422336 19773->19775 19776 41efa3 __lock 67 API calls 19774->19776 19777 41e9b4 __getptd 67 API calls 19775->19777 19778 422359 19776->19778 19779 42233b 19777->19779 19820 4222d5 19778->19820 19783 422349 ___lock_fhandle 19779->19783 19784 421495 __amsg_exit 67 API calls 19779->19784 19783->19761 19784->19783 19786 421bb3 ___lock_fhandle 19785->19786 19787 41e9b4 __getptd 67 API calls 19786->19787 19788 421bb8 19787->19788 19789 41efa3 __lock 67 API calls 19788->19789 19790 421bca 19788->19790 19791 421be8 19789->19791 19793 421bd8 ___lock_fhandle 19790->19793 19797 421495 __amsg_exit 67 API calls 19790->19797 19792 421c31 19791->19792 19794 421c19 InterlockedIncrement 19791->19794 19795 421bff InterlockedDecrement 19791->19795 19988 421c42 19792->19988 19793->19762 19794->19792 19795->19794 19798 421c0a 19795->19798 19797->19793 19798->19794 19799 41a506 ___free_lc_time 67 API calls 19798->19799 19800 421c18 19799->19800 19800->19794 19815 41e7e3 TlsGetValue 19801->19815 19804 41e9a8 SetLastError 19804->19767 19805 421328 __calloc_crt 64 API calls 19806 
41e966 19805->19806 19806->19804 19807 41e768 __decode_pointer 6 API calls 19806->19807 19808 41e980 19807->19808 19809 41e987 19808->19809 19810 41e99f 19808->19810 19811 41e854 __mtinit 64 API calls 19809->19811 19812 41a506 ___free_lc_time 64 API calls 19810->19812 19813 41e98f GetCurrentThreadId 19811->19813 19814 41e9a5 19812->19814 19813->19804 19814->19804 19816 41e813 19815->19816 19817 41e7f8 19815->19817 19816->19804 19816->19805 19818 41e768 __decode_pointer 6 API calls 19817->19818 19819 41e803 TlsSetValue 19818->19819 19819->19816 19821 4222d9 19820->19821 19822 42230b 19820->19822 19821->19822 19823 4221ad ___addlocaleref 8 API calls 19821->19823 19828 42237d 19822->19828 19824 4222ec 19823->19824 19824->19822 19831 42223c 19824->19831 19987 41eec9 LeaveCriticalSection 19828->19987 19830 422384 19830->19779 19832 4222d0 19831->19832 19833 42224d InterlockedDecrement 19831->19833 19832->19822 19845 422064 19832->19845 19834 422262 InterlockedDecrement 19833->19834 19835 422265 19833->19835 19834->19835 19836 422272 19835->19836 19837 42226f InterlockedDecrement 19835->19837 19838 42227f 19836->19838 19839 42227c InterlockedDecrement 19836->19839 19837->19836 19840 422289 InterlockedDecrement 19838->19840 19842 42228c 19838->19842 19839->19838 19840->19842 19841 4222a5 InterlockedDecrement 19841->19842 19842->19841 19843 4222b5 InterlockedDecrement 19842->19843 19844 4222c0 InterlockedDecrement 19842->19844 19843->19842 19844->19832 19846 4220e8 19845->19846 19850 42207b 19845->19850 19847 422135 19846->19847 19848 41a506 ___free_lc_time 67 API calls 19846->19848 19864 42215c 19847->19864 19899 425bee 19847->19899 19852 422109 19848->19852 19849 4220af 19853 4220d0 19849->19853 19861 41a506 ___free_lc_time 67 API calls 19849->19861 19850->19846 19850->19849 19859 41a506 ___free_lc_time 67 API calls 19850->19859 19854 41a506 ___free_lc_time 67 API calls 19852->19854 19857 41a506 ___free_lc_time 67 API calls 19853->19857 19856 42211c 19854->19856 19863 
41a506 ___free_lc_time 67 API calls 19856->19863 19865 4220dd 19857->19865 19858 4221a1 19866 41a506 ___free_lc_time 67 API calls 19858->19866 19867 4220a4 19859->19867 19860 41a506 ___free_lc_time 67 API calls 19860->19864 19868 4220c5 19861->19868 19862 41a506 67 API calls ___free_lc_time 19862->19864 19869 42212a 19863->19869 19864->19858 19864->19862 19870 41a506 ___free_lc_time 67 API calls 19865->19870 19871 4221a7 19866->19871 19875 425dc8 19867->19875 19891 425d83 19868->19891 19874 41a506 ___free_lc_time 67 API calls 19869->19874 19870->19846 19871->19822 19874->19847 19876 425dd5 19875->19876 19890 425e52 19875->19890 19877 41a506 ___free_lc_time 67 API calls 19876->19877 19880 425de6 19876->19880 19877->19880 19878 425df8 19879 425e0a 19878->19879 19882 41a506 ___free_lc_time 67 API calls 19878->19882 19883 425e1c 19879->19883 19884 41a506 ___free_lc_time 67 API calls 19879->19884 19880->19878 19881 41a506 ___free_lc_time 67 API calls 19880->19881 19881->19878 19882->19879 19885 425e2e 19883->19885 19886 41a506 ___free_lc_time 67 API calls 19883->19886 19884->19883 19887 425e40 19885->19887 19888 41a506 ___free_lc_time 67 API calls 19885->19888 19886->19885 19889 41a506 ___free_lc_time 67 API calls 19887->19889 19887->19890 19888->19887 19889->19890 19890->19849 19892 425d90 19891->19892 19898 425dc4 19891->19898 19893 41a506 ___free_lc_time 67 API calls 19892->19893 19894 425da0 19892->19894 19893->19894 19895 41a506 ___free_lc_time 67 API calls 19894->19895 19896 425db2 19894->19896 19895->19896 19897 41a506 ___free_lc_time 67 API calls 19896->19897 19896->19898 19897->19898 19898->19853 19900 422155 19899->19900 19901 425bff 19899->19901 19900->19860 19902 41a506 ___free_lc_time 67 API calls 19901->19902 19903 425c07 19902->19903 19904 41a506 ___free_lc_time 67 API calls 19903->19904 19905 425c0f 19904->19905 19906 41a506 ___free_lc_time 67 API calls 19905->19906 19907 425c17 19906->19907 19908 41a506 ___free_lc_time 67 API calls 19907->19908 19909 
425c1f 19908->19909 19910 41a506 ___free_lc_time 67 API calls 19909->19910 19911 425c27 19910->19911 19912 41a506 ___free_lc_time 67 API calls 19911->19912 19913 425c2f 19912->19913 19914 41a506 ___free_lc_time 67 API calls 19913->19914 19915 425c36 19914->19915 19916 41a506 ___free_lc_time 67 API calls 19915->19916 19917 425c3e 19916->19917 19918 41a506 ___free_lc_time 67 API calls 19917->19918 19919 425c46 19918->19919 19920 41a506 ___free_lc_time 67 API calls 19919->19920 19921 425c4e 19920->19921 19922 41a506 ___free_lc_time 67 API calls 19921->19922 19923 425c56 19922->19923 19987->19830 19991 41eec9 LeaveCriticalSection 19988->19991 19990 421c49 19990->19790 19991->19990 19993 421eb8 ___lock_fhandle 19992->19993 19994 41e9b4 __getptd 67 API calls 19993->19994 19995 421ec1 19994->19995 19996 421ba7 __setmbcp 69 API calls 19995->19996 19997 421ecb 19996->19997 20023 421c4b 19997->20023 20000 4212e3 __malloc_crt 67 API calls 20001 421eec 20000->20001 20002 42200b ___lock_fhandle 20001->20002 20030 421cc7 20001->20030 20002->19748 20005 422018 20005->20002 20009 41a506 ___free_lc_time 67 API calls 20005->20009 20014 42202b 20005->20014 20006 421f1c InterlockedDecrement 20007 421f2c 20006->20007 20008 421f3d InterlockedIncrement 20006->20008 20007->20008 20011 41a506 ___free_lc_time 67 API calls 20007->20011 20008->20002 20012 421f53 20008->20012 20009->20014 20010 41edae __write_nolock 67 API calls 20010->20002 20015 421f3c 20011->20015 20012->20002 20013 41efa3 __lock 67 API calls 20012->20013 20017 421f67 InterlockedDecrement 20013->20017 20014->20010 20015->20008 20018 421fe3 20017->20018 20019 421ff6 InterlockedIncrement 20017->20019 20018->20019 20021 41a506 ___free_lc_time 67 API calls 20018->20021 20040 42200d 20019->20040 20022 421ff5 20021->20022 20022->20019 20024 41d0c8 _LocaleUpdate::_LocaleUpdate 77 API calls 20023->20024 20025 421c5f 20024->20025 20026 421c6a GetOEMCP 20025->20026 20027 421c88 20025->20027 20029 421c7a 20026->20029 20028 421c8d 
GetACP 20027->20028 20027->20029 20028->20029 20029->20000 20029->20002 20031 421c4b getSystemCP 79 API calls 20030->20031 20032 421ce7 20031->20032 20033 421cf2 setSBCS 20032->20033 20036 421d36 IsValidCodePage 20032->20036 20038 421d5b _memset __setmbcp_nolock 20032->20038 20034 41e6de __write_nolock 5 API calls 20033->20034 20035 421eaa 20034->20035 20035->20005 20035->20006 20036->20033 20037 421d48 GetCPInfo 20036->20037 20037->20033 20037->20038 20043 421a14 GetCPInfo 20038->20043 20176 41eec9 LeaveCriticalSection 20040->20176 20042 422014 20042->20002 20047 421a48 _memset 20043->20047 20052 421afa 20043->20052 20046 41e6de __write_nolock 5 API calls 20049 421ba5 20046->20049 20053 425bac 20047->20053 20049->20038 20051 42274e ___crtLCMapStringA 102 API calls 20051->20052 20052->20046 20054 41d0c8 _LocaleUpdate::_LocaleUpdate 77 API calls 20053->20054 20055 425bbf 20054->20055 20063 4259f2 20055->20063 20058 42274e 20059 41d0c8 _LocaleUpdate::_LocaleUpdate 77 API calls 20058->20059 20060 422761 20059->20060 20129 4223a9 20060->20129 20064 425a13 GetStringTypeW 20063->20064 20065 425a3e 20063->20065 20066 425a33 GetLastError 20064->20066 20067 425a2b 20064->20067 20065->20067 20068 425b25 20065->20068 20066->20065 20069 425a77 MultiByteToWideChar 20067->20069 20086 425b1f 20067->20086 20091 425ef0 GetLocaleInfoA 20068->20091 20076 425aa4 20069->20076 20069->20086 20071 41e6de __write_nolock 5 API calls 20073 421ab5 20071->20073 20073->20058 20074 425b76 GetStringTypeA 20079 425b91 20074->20079 20074->20086 20075 425ab9 _memset __crtGetStringTypeA_stat 20078 425af2 MultiByteToWideChar 20075->20078 20075->20086 20076->20075 20080 41cf3e _malloc 67 API calls 20076->20080 20081 425b08 GetStringTypeW 20078->20081 20082 425b19 20078->20082 20083 41a506 ___free_lc_time 67 API calls 20079->20083 20080->20075 20081->20082 20087 422389 20082->20087 20083->20086 20086->20071 20088 422395 20087->20088 20090 4223a6 20087->20090 20089 41a506 ___free_lc_time 67 API calls 
[Control-flow graph node and edge data omitted (rendered interactive graph). The nodes name the APIs reached from the basic blocks of the WinRAR SFX startup function at 0040FF03 (OleInitialize) and the CRT helpers it pulls in: codepage conversion (GetCPInfo, MultiByteToWideChar, WideCharToMultiByte, LCMapStringA/W), heap allocation (RtlAllocateHeap, RtlFreeHeap, VirtualFree), resource and file access (FindResourceW, CreateFileW, SetFilePointer, ReadFile, GetFileType), and the CRT fatal-error path (IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, ExitProcess). The calls made directly by the function are itemized under APIs below.]

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 00410E1C: GetModuleHandleW.KERNEL32(kernel32,0040FF03,00000001), ref: 00410E21
                                                    • Part of subcall function 00410E1C: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00410E31
                                                  • OleInitialize.OLE32(00000000), ref: 0040FF06
                                                    • Part of subcall function 00411F56: GetCPInfo.KERNEL32(00000000,?,?,?,?,0040FF16), ref: 00411F67
                                                    • Part of subcall function 00411F56: IsDBCSLeadByte.KERNEL32(00000000), ref: 00411F7B
                                                  • _memset.LIBCMT ref: 0040FF22
                                                  • GetCommandLineW.KERNEL32 ref: 0040FF2A
                                                  • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0040FF50
                                                  • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007002), ref: 0040FF62
                                                  • UnmapViewOfFile.KERNEL32(00000000), ref: 0040FF8B
                                                    • Part of subcall function 0040D5F7: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0040D610
                                                    • Part of subcall function 0040D5F7: SetEnvironmentVariableW.KERNEL32(sfxpar,00000002,00000000,00000000,?,?,00000400), ref: 0040D643
                                                  • CloseHandle.KERNEL32(?), ref: 0040FF94
                                                  • GetModuleFileNameW.KERNEL32(00000000,00439820,00000800), ref: 0040FFAE
                                                  • SetEnvironmentVariableW.KERNEL32(sfxname,00439820), ref: 0040FFC0
                                                  • GetLocalTime.KERNEL32(?), ref: 0040FFC6
                                                  • _swprintf.LIBCMT ref: 0040FFFD
                                                  • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00410011
                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00410014
                                                  • LoadIconW.USER32(00000000,00000064), ref: 0041002B
                                                  • LoadBitmapW.USER32(00000065), ref: 0041003E
                                                  • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,0040F58D,00000000), ref: 0041009D
                                                  • DeleteObject.GDI32 ref: 004100FE
                                                  • DeleteObject.GDI32(?), ref: 0041010A
                                                    • Part of subcall function 0040D64B: CharUpperW.USER32(?,?,?,?,00000400), ref: 0040D6AC
                                                    • Part of subcall function 0040D64B: CharUpperW.USER32(?,?,?,?,?,00000400), ref: 0040D6D3
                                                  • CloseHandle.KERNEL32(000000FF), ref: 00410147
                                                  • Sleep.KERNEL32(?), ref: 00410157
                                                  • OleUninitialize.OLE32 ref: 0041015D
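The call sequence above (OpenFileMappingW on winrarsfxmappingfile.tmp, the sfxcmd/sfxpar/sfxname/sfxstime environment variables, the %4d-%02d-%02d-%02d-%02d-%02d-%03d timestamp written with _swprintf, and the STARTDLG dialog template) is the startup path of a WinRAR self-extracting stub, which is why the report flags the dropped binary as packed with WinRAR. As an added triage example that is not part of the Joe Sandbox report, the following Python scans a binary image for those indicator strings. The report shows the strings being passed to wide-character APIs (OpenFileMappingW, SetEnvironmentVariableW, DialogBoxParamW, _swprintf), so the scanner searches for UTF-16LE encodings first and falls back to ASCII; the match threshold and the constructed sample buffer are assumptions of this example, not values taken from the report.

```python
"""Scan a binary image for the WinRAR SFX-stub strings recorded in the report."""
from __future__ import annotations

# Indicator strings taken from the report's String ID field for the function
# at 0040FF03. The report shows them passed to W (wide) APIs, so UTF-16LE is
# the primary encoding searched; ASCII is checked as a fallback (assumption).
SFX_INDICATORS = (
    "winrarsfxmappingfile.tmp",            # OpenFileMappingW name
    "sfxname",                             # SetEnvironmentVariableW
    "sfxstime",                            # SetEnvironmentVariableW
    "STARTDLG",                            # DialogBoxParamW template name
    "%4d-%02d-%02d-%02d-%02d-%02d-%03d",   # _swprintf format for sfxstime
)

# Distinct indicators required before a buffer is reported as an SFX stub.
# Four of five is this example's own threshold, not a documented value.
MATCH_THRESHOLD = 4


def find_indicators(data: bytes) -> dict[str, str]:
    """Return {indicator: encoding} for each indicator string found in data."""
    found: dict[str, str] = {}
    for s in SFX_INDICATORS:
        if s.encode("utf-16-le") in data:
            found[s] = "utf-16-le"
        elif s.encode("ascii") in data:
            found[s] = "ascii"
    return found


def is_winrar_sfx_stub(data: bytes, threshold: int = MATCH_THRESHOLD) -> bool:
    """True when at least `threshold` distinct indicator strings are present."""
    return len(find_indicators(data)) >= threshold


def build_sample(wide: bool = True) -> bytes:
    """Constructed sample: a fake image with the indicator strings embedded.

    Synthetic test input for this example, not bytes from the analysed sample.
    """
    enc = "utf-16-le" if wide else "ascii"
    filler = b"\x00" * 16
    parts = [b"MZ" + b"\x90" * 62]        # fake DOS header, nothing parses it
    for s in SFX_INDICATORS:
        parts.append(s.encode(enc) + b"\x00\x00" + filler)
    return b"".join(parts)


if __name__ == "__main__":
    import sys

    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else build_sample()
    for name, enc in find_indicators(blob).items():
        print(f"  {name!r} ({enc})")
    verdict = "MATCH" if is_winrar_sfx_stub(blob) else "no match"
    print("WinRAR SFX stub indicators:", verdict)
```

Run it with a file path to scan a dropped executable, or with no arguments to scan the constructed sample. Matching on the wide encoding first avoids false negatives on the real stub, where the ASCII forms of these strings do not occur contiguously; lowering the threshold trades precision for recall and should be done deliberately.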
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: EnvironmentFileHandleVariable$Module$CharCloseDeleteLoadObjectUpperView$AddressBitmapByteCommandDialogIconInfoInitializeLeadLineLocalMappingNameOpenParamProcSleepTimeUninitializeUnmap_memset_swprintf
                                                  • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                                  • API String ID: 2890863147-3710569615
                                                  • Opcode ID: e302a6a03e0c0a9aaa08beecaf1dedc93de811017ef03846853a5e8821ade7c7
                                                  • Instruction ID: f6d524faf13461bd4ea8cb5a97d50562f0dad5b6822c88fd20d602f5543b7383
                                                  • Opcode Fuzzy Hash: e302a6a03e0c0a9aaa08beecaf1dedc93de811017ef03846853a5e8821ade7c7
                                                  • Instruction Fuzzy Hash: 5061D971A00205BFC720BFA1DC499AE7BB8EB05314F50443BF901A22A1DB7D4D95DB6E

                                                  Control-flow Graph

[Control-flow graph data omitted (rendered interactive graph with executed / not-executed block coverage). It is the basic-block graph of the function at 00402F2C, spanning blocks 402f2c through 40369e; its API references are summarized under Similarity below.]
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: _memcmp$H_prolog
                                                  • String ID: @$CMT
                                                  • API String ID: 212800410-3935043585
                                                  • Opcode ID: 37295884825835a7901171c985930d0b7c01ea67690c6e0965a3387f9fb6a373
                                                  • Instruction ID: 4535b6ba2d5654eb70152741eafeedd3820f65e0183003bc7b62017ff8f1088e
                                                  • Opcode Fuzzy Hash: 37295884825835a7901171c985930d0b7c01ea67690c6e0965a3387f9fb6a373
                                                  • Instruction Fuzzy Hash: 252215715006849FDB24DF24C891BDA3BE5AF14308F08057FED4AEB2C6DB799588CB69

                                                  Control-flow Graph

[Control-flow graph data omitted (rendered interactive graph with executed / not-executed block coverage). It is the basic-block graph of the directory-enumeration function at 00409476, spanning blocks 409476 through 40960b; the FindFirstFileW, FindNextFileW and GetLastError calls on its paths are listed under APIs below.]
                                                  APIs
                                                  • FindFirstFileW.KERNELBASE(?,?,00000800,?,?,?,004096E5,000000FF,?,?,?,?,00408411,?,?,00000000), ref: 004094A4
                                                  • FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,004096E5,000000FF,?,?,?,?,00408411,?,?,00000000), ref: 004094D4
                                                  • GetLastError.KERNEL32(?,?,00000800,?,004096E5,000000FF,?,?,?,?,00408411,?,?,00000000,?,00000800), ref: 004094DE
                                                  • FindNextFileW.KERNEL32(000000FF,?,00000800,?,?,?,004096E5,000000FF,?,?,?,?,00408411,?,?,00000000), ref: 00409508
                                                  • GetLastError.KERNEL32(?,004096E5,000000FF,?,?,?,?,00408411,?,?,00000000,?,00000800), ref: 00409516
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: FileFind$ErrorFirstLast$Next
                                                  • String ID:
                                                  • API String ID: 869497890-0
                                                  • Opcode ID: 2a733cbadd2ca7cd29a11b90f53c863ddd5810a24544a1ec061ee6039bd7df5a
                                                  • Instruction ID: 852f22f8762d0aaf1b59ecd7198268998001e7cc0733578d9edc4610c3c70bd0
                                                  • Opcode Fuzzy Hash: 2a733cbadd2ca7cd29a11b90f53c863ddd5810a24544a1ec061ee6039bd7df5a
                                                  • Instruction Fuzzy Hash: 2E414071500648ABCB21DF29CC84ADA77F8AF48350F10466AF9AEE2291D774AEC1DB14
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: "%s"%s$-el -s2 "-d%s" "-p%s" "-sp%s"$<$@$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp$z8D
                                                  • API String ID: 3519838083-129321368
                                                  • Opcode ID: a4dd4ca0380014ca9fbcc784b7d3cd6a11c13eb0733f377532361ed44e646897
                                                  • Instruction ID: cc4c1e380d3e9e53cf766c3de9df5bd6880f95cbde9f973ccf433d51db550174
                                                  • Opcode Fuzzy Hash: a4dd4ca0380014ca9fbcc784b7d3cd6a11c13eb0733f377532361ed44e646897
                                                  • Instruction Fuzzy Hash: C732C371540248BFEB31BF619C85E9B3A68EB06304F44407BF901B61E2DB794999CB6E

                                                  Control-flow Graph

                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 0040E85C
                                                    • Part of subcall function 0040D781: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0040D82F
                                                  • SetFileAttributesW.KERNEL32(?,00000000,?,00000000,?,?,00000800,?,00000000,75A85540,?,0040F541,?,00000003), ref: 0040E9A7
                                                  • _wcslen.LIBCMT ref: 0040E9E2
                                                  • _wcslen.LIBCMT ref: 0040E9F7
                                                  • _wcslen.LIBCMT ref: 0040EA1D
                                                  • _memset.LIBCMT ref: 0040EA33
                                                  • SHFileOperationW.SHELL32 ref: 0040EA56
                                                  • GetFileAttributesW.KERNEL32(?), ref: 0040EA63
                                                  • DeleteFileW.KERNEL32(?), ref: 0040EA71
                                                  • _wcscat.LIBCMT ref: 0040EB27
                                                  • _wcslen.LIBCMT ref: 0040EB5F
                                                  • _realloc.LIBCMT ref: 0040EB71
                                                  • _wcscat.LIBCMT ref: 0040EB8B
                                                  • SetWindowTextW.USER32(?,?), ref: 0040EBBC
                                                  • _wcslen.LIBCMT ref: 0040EC05
                                                  • _wcscpy.LIBCMT ref: 0040ED23
                                                  • _wcsrchr.LIBCMT ref: 0040ED33
                                                  • _wcscpy.LIBCMT ref: 0040ED52
                                                  • GetDlgItem.USER32(?,00000066), ref: 0040ED6B
                                                  • SetWindowTextW.USER32(00000000,?), ref: 0040ED7B
                                                  • SendMessageW.USER32(00000000,00000143,00000000,%s.%d.tmp), ref: 0040ED8A
                                                  • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0040EDB6
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: _wcslen$File$AttributesMessageSendTextWindow_wcscat_wcscpy$DeleteEnvironmentExpandH_prologItemOperationStrings_memset_realloc_wcsrchr
                                                  • String ID: "$%s.%d.tmp$<br>$C:\Windows$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$\
                                                  • API String ID: 3339014310-2533930246
                                                  • Opcode ID: c81f8d7f1960366ff0ac0b138369ee3006538eb7a10c16c36d47d9a37235cbbb
                                                  • Instruction ID: 0f1639a2c7fd1c8d50817f8e0d6f0902ef34777a202bf9cba062cd401a3abf5d
                                                  • Opcode Fuzzy Hash: c81f8d7f1960366ff0ac0b138369ee3006538eb7a10c16c36d47d9a37235cbbb
                                                  • Instruction Fuzzy Hash: F2F14EB1900219AADB20DBA1DC45BEE7378FF04314F4408BBFA15B21D1EB789A958F59

                                                  Control-flow Graph

                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 0040BC37
                                                  • _wcschr.LIBCMT ref: 0040BC4E
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000800,004335BC,0040C3B4,0041005C,00439820,0041005C,00439820), ref: 0040BC67
                                                  • _wcsrchr.LIBCMT ref: 0040BC76
                                                  • _wcscpy.LIBCMT ref: 0040BC8C
                                                  • _malloc.LIBCMT ref: 0040BE13
                                                    • Part of subcall function 00408BAE: SetFilePointer.KERNELBASE(?,00000000,?,00000001), ref: 00408BE1
                                                    • Part of subcall function 00408BAE: GetLastError.KERNEL32(?,?), ref: 00408BEE
                                                  • _strncmp.LIBCMT ref: 0040BD3F
                                                  • _strncmp.LIBCMT ref: 0040BD9B
                                                  • _malloc.LIBCMT ref: 0040BE49
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: File_malloc_strncmp$ErrorH_prologLastModuleNamePointer_wcschr_wcscpy_wcsrchr
                                                  • String ID: *messages***$*messages***$a
                                                  • API String ID: 644328012-1639468518
                                                  • Opcode ID: cfa50f55f05dd38727f7e2c767a8efa24f78901bf0e7e1d2db41408b4bb4ba45
                                                  • Instruction ID: aa973f8903d1be904dc07ab5abbbb304e5ce1521a2ae556c165a5ca6c4136d8e
                                                  • Opcode Fuzzy Hash: cfa50f55f05dd38727f7e2c767a8efa24f78901bf0e7e1d2db41408b4bb4ba45
                                                  • Instruction Fuzzy Hash: 5981F2B1A002099ADB34DF64CC85BEA77A4EF10354F10417FE791B72D1DBB88A85CA9D

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 0040C075: _wcschr.LIBCMT ref: 0040C0A5
                                                  • GetWindowRect.USER32(?,?), ref: 0040C185
                                                  • GetClientRect.USER32(?,?), ref: 0040C192
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 0040C21E
                                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0040C242
                                                  • GetWindowRect.USER32(?,?), ref: 0040C24F
                                                  • GetWindowTextW.USER32(?,?,00000400), ref: 0040C26E
                                                  • SetWindowTextW.USER32(?,?), ref: 0040C294
                                                  • GetSystemMetrics.USER32(00000008), ref: 0040C2A3
                                                  • GetWindow.USER32(?,00000005), ref: 0040C2B0
                                                  • GetWindowTextW.USER32(00000000,?,00000400), ref: 0040C2DD
                                                  • SetWindowTextW.USER32(00000000,00000000), ref: 0040C30D
                                                  • GetWindowRect.USER32(00000000,?), ref: 0040C320
                                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000110,00000000,00000110,00000204), ref: 0040C37D
                                                  • GetWindow.USER32(00000000,00000002), ref: 0040C388
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: Window$RectText$ClientLongMetricsSystem_wcschr
                                                  • String ID:
                                                  • API String ID: 4134264131-0
                                                  • Opcode ID: 9886efa1d7aa19233dee01def18c78a05a732e10b374928cec257c7fc49daa0d
                                                  • Instruction ID: 46c95fab82868b9c938a6533d3e49af797eb3fa96210388a24d02bb49560b234
                                                  • Opcode Fuzzy Hash: 9886efa1d7aa19233dee01def18c78a05a732e10b374928cec257c7fc49daa0d
                                                  • Instruction Fuzzy Hash: 9A711671A00219EFDF10DFE8CC89AEEBBB9FB08314F048169FD15B61A0D774AA558B54

                                                  Control-flow Graph

                                                  APIs
                                                  • GetDlgItem.USER32(00000068,00000000), ref: 0040D2A9
                                                  • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,0040D3E6,00000001,?,?,0040E2C6,0042A848,0044CF30,0044CF30,00001000), ref: 0040D2D6
                                                  • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0040D2E2
                                                  • SendMessageW.USER32(00000000,000000C2,00000000,0042A73C), ref: 0040D2F1
                                                  • SendMessageW.USER32(0040639B,000000B1,05F5E100,05F5E100), ref: 0040D305
                                                  • SendMessageW.USER32(0040639B,0000043A,00000000,?), ref: 0040D31C
                                                  • SendMessageW.USER32(0040639B,00000444,00000001,0000005C), ref: 0040D357
                                                  • SendMessageW.USER32(0040639B,000000C2,00000000,00000456), ref: 0040D366
                                                  • SendMessageW.USER32(0040639B,000000B1,05F5E100,05F5E100), ref: 0040D36E
                                                  • SendMessageW.USER32(0040639B,00000444,00000001,0000005C), ref: 0040D392
                                                  • SendMessageW.USER32(0040639B,000000C2,00000000,0042A810), ref: 0040D3A3
                                                    • Part of subcall function 0041918B: DestroyWindow.USER32(?,75A85540,0040D2D3,?,?,?,?,?,0040D3E6,00000001,?,?,0040E2C6,0042A848,0044CF30,0044CF30), ref: 00419196
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Window$DestroyItemShow
                                                  • String ID: \
                                                  • API String ID: 2996232536-2967466578
                                                  • Opcode ID: 099f520084dbf5fca48704fc3201186082e925487be8ae0bd6b4d09b2fa327de
                                                  • Instruction ID: 06257c9e161764c7d53c24ae9c51dbab41789d270eb5449b748dea2bf3ac4db1
                                                  • Opcode Fuzzy Hash: 099f520084dbf5fca48704fc3201186082e925487be8ae0bd6b4d09b2fa327de
                                                  • Instruction Fuzzy Hash: C431B170E4025CBBEB219BA0CC4AFAEBFB9EB41714F10412AF500BA1E0D7B51D55DB59

                                                  Control-flow Graph

                                                  APIs
                                                  • LoadLibraryW.KERNELBASE(riched32.dll,00000000,00439820,?,?,?,00410051), ref: 0041A07B
                                                  • LoadLibraryW.KERNEL32(riched20.dll,?,00410051), ref: 0041A084
                                                  • OleInitialize.OLE32(00000000), ref: 0041A08B
                                                  • InitCommonControlsEx.COMCTL32(?), ref: 0041A0A3
                                                  • SHGetMalloc.SHELL32(0044F800), ref: 0041A0AE
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: LibraryLoad$CommonControlsInitInitializeMalloc
                                                  • String ID: riched20.dll$riched32.dll
                                                  • API String ID: 448729520-3294723617
                                                  • Opcode ID: 8624e4f240296107261ce0a47b5d27c571c626025523bcd3f0aeccd25934cca6
                                                  • Instruction ID: d62a9b991739124620cbbd73e07a01740528edc951963754c9102d88a2026b42
                                                  • Opcode Fuzzy Hash: 8624e4f240296107261ce0a47b5d27c571c626025523bcd3f0aeccd25934cca6
                                                  • Instruction Fuzzy Hash: EFF08271B00318AFD7209FA5DC0EB9ABBE8EF40766F50442DE54593250DBB8A4458BA9

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 0040DA4F: _wcscpy.LIBCMT ref: 0040DA54
                                                  • RegCreateKeyExW.KERNELBASE(80000001,Software\WinRAR SFX,00000000,00000000,00000000,00020006,00000000,?,?,C:\Windows), ref: 0040DAD9
                                                  • _wcslen.LIBCMT ref: 0040DAE7
                                                  • RegSetValueExW.KERNELBASE(?,?,00000000,00000001,?,?), ref: 0040DB02
                                                  • RegCloseKey.KERNELBASE(?), ref: 0040DB0B
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: CloseCreateValue_wcscpy_wcslen
                                                  • String ID: C:\Windows$Software\WinRAR SFX
                                                  • API String ID: 3170333323-1036045337
                                                  • Opcode ID: 253b5885f96daf7b7a8b4f1510ea2afe6e1404dcbc281fb2c19877bebd1cbb3e
                                                  • Instruction ID: c04f9cf324d6fb33717342d95d48926d42d97767c878bcc2ae640bd506731f16
                                                  • Opcode Fuzzy Hash: 253b5885f96daf7b7a8b4f1510ea2afe6e1404dcbc281fb2c19877bebd1cbb3e
                                                  • Instruction Fuzzy Hash: 7F018476A0020CBFEB21AF90DC86EDA777CEB08388F504076B60562061DA745ED99669

                                                  Control-flow Graph

                                                  APIs
                                                  • __lock.LIBCMT ref: 0041A524
                                                    • Part of subcall function 0041EFA3: __mtinitlocknum.LIBCMT ref: 0041EFB9
                                                    • Part of subcall function 0041EFA3: __amsg_exit.LIBCMT ref: 0041EFC5
                                                    • Part of subcall function 0041EFA3: EnterCriticalSection.KERNEL32(0041A9AB,0041A9AB,?,00425448,00000004,0042DB18,0000000C,0042133E,00000000,0041A9BA,00000000,00000000,00000000,?,0041E966,00000001), ref: 0041EFCD
                                                  • ___sbh_find_block.LIBCMT ref: 0041A52F
                                                  • ___sbh_free_block.LIBCMT ref: 0041A53E
                                                  • RtlFreeHeap.NTDLL(00000000,00000000,0042D658,0000000C,0041EF84,00000000,0042D930,0000000C,0041EFBE,00000000,0041A9AB,?,00425448,00000004,0042DB18,0000000C), ref: 0041A56E
                                                  • GetLastError.KERNEL32(?,00425448,00000004,0042DB18,0000000C,0042133E,00000000,0041A9BA,00000000,00000000,00000000,?,0041E966,00000001,00000214), ref: 0041A57F
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                                  • String ID:
                                                  • API String ID: 2714421763-0
                                                  • Opcode ID: 1eba3eb2bfd23f5b1e043426ba5b029f38dd9947a11c8dba489f2cac3b6c6ae4
                                                  • Instruction ID: 0c17081243acc93c5e04f74f5850e91c5e9c62578e05a8caa74c22d26ff5c9bd
                                                  • Opcode Fuzzy Hash: 1eba3eb2bfd23f5b1e043426ba5b029f38dd9947a11c8dba489f2cac3b6c6ae4
                                                  • Instruction Fuzzy Hash: 1D01847194A215BBDB306BB29C067DE3B65AF00798F10012BFC0496291DB3C86D19A5E

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 0041102B: ResetEvent.KERNEL32(?,00000200,?,?,00405016), ref: 00411051
                                                    • Part of subcall function 0041102B: ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 00411061
                                                  • ReleaseSemaphore.KERNEL32(?,00000020,00000000,?,?,0044F590,00411241,?,00401024,?,?,0040128E), ref: 00411135
                                                  • CloseHandle.KERNELBASE(00000003,00000003,?,?,0044F590,00411241,?,00401024,?,?,0040128E), ref: 00411156
                                                  • DeleteCriticalSection.KERNEL32(?,?,0044F590,00411241,?,00401024,?,?,0040128E), ref: 0041116C
                                                  • CloseHandle.KERNELBASE(?,?,0044F590,00411241,?,00401024,?,?,0040128E), ref: 00411178
                                                  • CloseHandle.KERNEL32(?,?,0044F590,00411241,?,00401024,?,?,0040128E), ref: 00411180
                                                    • Part of subcall function 00410EA0: WaitForSingleObject.KERNEL32(?,000000FF,00410FD9,?,?,00411197,?,?,?,?,?,004111E6), ref: 00410EA6
                                                    • Part of subcall function 00410EA0: GetLastError.KERNEL32(?,?,?,?,?,004111E6), ref: 00410EB2
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                                  • String ID:
                                                  • API String ID: 1868215902-0
                                                  • Opcode ID: 29ee5acdc12332976cb057a69276285ab821669b88e8e9e7981cd7b54762f760
                                                  • Instruction ID: 628da898c48b8095e2505876ae832dd6733ab043d372e65b09dbeb3e2adc3a3f
                                                  • Opcode Fuzzy Hash: 29ee5acdc12332976cb057a69276285ab821669b88e8e9e7981cd7b54762f760
                                                  • Instruction Fuzzy Hash: F9F06275101704AFD7206B70DC45BD7BBA5EB0A354F00042AF7AA41120CB7768A19B29

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 0040DA4F: _wcscpy.LIBCMT ref: 0040DA54
                                                  • RegOpenKeyExW.KERNELBASE(80000001,Software\WinRAR SFX,00000000,00000001,?,?), ref: 0040DB51
                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0040DB7E
                                                  • RegCloseKey.ADVAPI32(?), ref: 0040DBB7
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: CloseOpenQueryValue_wcscpy
                                                  • String ID: Software\WinRAR SFX
                                                  • API String ID: 2005349754-754673328
                                                  • Opcode ID: 5a2b69c89800e9bdd399ce0e9e4a259883a1022fe18fb91a4a4725133ef4c013
                                                  • Instruction ID: 4c76dbbd45d9bc8f01a1638326186229006e98cd85c276784524804615dea21e
                                                  • Opcode Fuzzy Hash: 5a2b69c89800e9bdd399ce0e9e4a259883a1022fe18fb91a4a4725133ef4c013
                                                  • Instruction Fuzzy Hash: 29110635A0020CEBEF219F90DD45FDE7BB8EF04345F5040B6B905A2191D7B8AA94DB69

                                                  Control-flow Graph

                                                  APIs
                                                  • SHGetMalloc.SHELL32(?), ref: 004050F5
                                                  • SHBrowseForFolderW.SHELL32(?), ref: 00405130
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: BrowseFolderMalloc
                                                  • String ID: A
                                                  • API String ID: 3812826013-3554254475
                                                  • Opcode ID: 38b49180d38aa256d497848d66ef1996a2da1d611468f43139da5b44fce9136b
                                                  • Instruction ID: 7c691baa3b27f7502734ebd35b11d26621297010b335108cc4fc530f71bfb90e
                                                  • Opcode Fuzzy Hash: 38b49180d38aa256d497848d66ef1996a2da1d611468f43139da5b44fce9136b
                                                  • Instruction Fuzzy Hash: F0010572900619EBDB11CFA4D909BEF7BF8EF49311F204466E805EB240D779DA058FA5

                                                  Control-flow Graph

                                                  APIs
                                                  • GetClassNameW.USER32(?,?,00000050), ref: 00419CC9
                                                  • SHAutoComplete.SHLWAPI(?,00000010), ref: 00419D00
                                                    • Part of subcall function 00411E60: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,00000000,000000FF,00409CA8,?,00000000,?,00409DC2,00000000,-00000002,?,00000000,?), ref: 00411E76
                                                  • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00419CF0
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: AutoClassCompareCompleteFindNameStringWindow
                                                  • String ID: EDIT
                                                  • API String ID: 4243998846-3080729518
                                                  • Opcode ID: b027ed5b97d113a91e8e700dc85ec23dd11054ff1df16afbaa6f3d453c1c9159
                                                  • Instruction ID: c03662b206b47bf0f9187f3c1687b62eae72e09aaad69f108c393d7fbd584eff
                                                  • Opcode Fuzzy Hash: b027ed5b97d113a91e8e700dc85ec23dd11054ff1df16afbaa6f3d453c1c9159
                                                  • Instruction Fuzzy Hash: 3CF0E232300219BBDB305A15AD05FEB36BC9F86B40F840066FE01E2280EB68D84285BA

                                                  Control-flow Graph

                                                  APIs
                                                  • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0040D610
                                                  • SetEnvironmentVariableW.KERNEL32(sfxpar,00000002,00000000,00000000,?,?,00000400), ref: 0040D643
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: EnvironmentVariable
                                                  • String ID: sfxcmd$sfxpar
                                                  • API String ID: 1431749950-3493335439
                                                  • Opcode ID: bac05ca2e549dd4e556f3ae34e89e1e7b45a97b9d2e2d38533528fd9b5159ab4
                                                  • Instruction ID: 209d7830a902f923c059ddcb8ccd8c76eadbb62e41e0a08ffeb6939b57d6bf06
                                                  • Opcode Fuzzy Hash: bac05ca2e549dd4e556f3ae34e89e1e7b45a97b9d2e2d38533528fd9b5159ab4
                                                  • Instruction Fuzzy Hash: 29E0EC3660011437CA102A969C01EBB7A6CDBC1744F1000337E48A2080E979D89E8BED
                                                  APIs
                                                  • CreateFileW.KERNELBASE(?,-7FFFF7FE,?,00000000,00000003,-00000001,00000000,00000802,00000000,?,00000000,00406E59,00000000,00000005,?,00000011), ref: 00408854
                                                  • GetLastError.KERNEL32(?,00000000,00406E59,00000000,00000005,?,00000011,00000000,?,00000000,?,0000003A,00000802,?,00000000,00000802), ref: 0040885D
                                                  • CreateFileW.KERNEL32(?,-7FFFF7FE,?,00000000,00000003,00000000,00000000,?,?,00000800,?,00000000,00406E59,00000000,00000005,?), ref: 00408895
                                                  • GetLastError.KERNEL32(?,00000000,00406E59,00000000,00000005,?,00000011,00000000,?,00000000,?,0000003A,00000802,?,00000000,00000802), ref: 00408899
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: CreateErrorFileLast
                                                  • String ID:
                                                  • API String ID: 1214770103-0
                                                  • Opcode ID: 4d3b36c18a63bf9a6cb3bb75dabf04ddc5da56a9a0870096324c8bcc010d085f
                                                  • Instruction ID: e5fec55928a071c2e3d1b6f10086eb5e0cd4d8e33465c7e2028d9d916ffc9c2f
                                                  • Opcode Fuzzy Hash: 4d3b36c18a63bf9a6cb3bb75dabf04ddc5da56a9a0870096324c8bcc010d085f
                                                  • Instruction Fuzzy Hash: 083169725047449BE7309B20CD05BEB77D4AB80318F104A2EF9D0A33C2DBBE9548D75A
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00401827
                                                    • Part of subcall function 00405F3C: __EH_prolog.LIBCMT ref: 00405F41
                                                    • Part of subcall function 00405F3C: _memset.LIBCMT ref: 00405FA4
                                                    • Part of subcall function 00405F3C: _memset.LIBCMT ref: 00405FB0
                                                    • Part of subcall function 00405F3C: _memset.LIBCMT ref: 00405FCE
                                                    • Part of subcall function 0040B8E3: __EH_prolog.LIBCMT ref: 0040B8E8
                                                  • _memset.LIBCMT ref: 0040196A
                                                  • _memset.LIBCMT ref: 00401979
                                                  • _memset.LIBCMT ref: 00401988
                                                    • Part of subcall function 0041A89A: _malloc.LIBCMT ref: 0041A8B4
                                                    • Part of subcall function 0040A026: __EH_prolog.LIBCMT ref: 0040A02B
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: _memset$H_prolog$_malloc
                                                  • String ID:
                                                  • API String ID: 4233843809-0
                                                  • Opcode ID: 89f10ec8c43f5c59ed1e48a3837198038f2aefdd0a2d009fb04471144bad9c18
                                                  • Instruction ID: 211b101a5e2dbba32f2c8dae62910ed897794103f7d8a7f2ed724c9505602145
                                                  • Opcode Fuzzy Hash: 89f10ec8c43f5c59ed1e48a3837198038f2aefdd0a2d009fb04471144bad9c18
                                                  • Instruction Fuzzy Hash: 865127B1445F809EC321DF7988916D7FFE0AF29314F84496E91FE93282D7352658CB29
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: _memset$H_prolog_malloc
                                                  • String ID:
                                                  • API String ID: 1600808285-0
                                                  • Opcode ID: f9e7b2a6a83c73fc1ba99619ebe61da21776ee40c69ad0e57b9b97bafc6a76b5
                                                  • Instruction ID: 702ce421a693160a9893d7f58a622c69960126b9ff2eeb296b605b135dd4a1ff
                                                  • Opcode Fuzzy Hash: f9e7b2a6a83c73fc1ba99619ebe61da21776ee40c69ad0e57b9b97bafc6a76b5
                                                  • Instruction Fuzzy Hash: F831D4B1E01215ABDB14AF65D9057EB76A8FF14319F10013FE105E7281E7789E9087ED
                                                  APIs
                                                  • GetStdHandle.KERNEL32(000000F6,004335AC,?,00000000,?,?,00408EB0,?,00000000,?,?,00000000), ref: 00408CB1
                                                  • ReadFile.KERNELBASE(?,?,?,00000000,00000000,004335AC,?,00000000,?,?,00408EB0,?,00000000,?,?,00000000), ref: 00408CC9
                                                  • GetLastError.KERNEL32(?,00408EB0,?,00000000,?,?,00000000), ref: 00408D01
                                                  • GetLastError.KERNEL32(?,00408EB0,?,00000000,?,?,00000000), ref: 00408D1C
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$FileHandleRead
                                                  • String ID:
                                                  • API String ID: 2244327787-0
                                                  • Opcode ID: c1fed62a9ea2a8515d50b02984c21f09fd940ae1629289a4c1ded04f954c3d6f
                                                  • Instruction ID: b149f771e66fe820b49a3db0cdc04a66bbf6f60059da98a6e892905e95da3d99
                                                  • Opcode Fuzzy Hash: c1fed62a9ea2a8515d50b02984c21f09fd940ae1629289a4c1ded04f954c3d6f
                                                  • Instruction Fuzzy Hash: B411A734504608EFEB205B50DA4096A37A8FF71374B10863FE996A52D1DE3DCD41DF2A
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 004076AF
                                                    • Part of subcall function 00418B3D: _wcscpy.LIBCMT ref: 00418C26
                                                  • _memcmp.LIBCMT ref: 00407ABB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: H_prolog_memcmp_wcscpy
                                                  • String ID: E
                                                  • API String ID: 1926841707-3568589458
                                                  • Opcode ID: 196e278f7dddb126d2dbccce5fe2abb71f5a872f6c9e6e354283e500f103bc2c
                                                  • Instruction ID: c8680630b07ceb330da05956c27536b96a03d31217007f6de18683c0289c3294
                                                  • Opcode Fuzzy Hash: 196e278f7dddb126d2dbccce5fe2abb71f5a872f6c9e6e354283e500f103bc2c
                                                  • Instruction Fuzzy Hash: 4872B870D086849EEF25DB64C844BEA7BA55F05304F0840FFE94A6B2D2C77D7984CB6A
                                                  APIs
                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0040D127
                                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0040D138
                                                  • TranslateMessage.USER32(?), ref: 0040D142
                                                  • DispatchMessageW.USER32(?), ref: 0040D14C
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: Message$DispatchPeekTranslate
                                                  • String ID:
                                                  • API String ID: 4217535847-0
                                                  • Opcode ID: db1d2709ee26d26a19af258b04a512226032370801fdef34d6f208b0e00134af
                                                  • Instruction ID: 62915b0a08277243b8fe4fd8ce30adb6e130eab43b2b780e39f86cd7d7c3188f
                                                  • Opcode Fuzzy Hash: db1d2709ee26d26a19af258b04a512226032370801fdef34d6f208b0e00134af
                                                  • Instruction Fuzzy Hash: 9FE0ED72E0112AA7CB20ABE19C0CDDB7F6CEE062517404021BD05E2015D638D116C7F5
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00408210
                                                    • Part of subcall function 00401822: __EH_prolog.LIBCMT ref: 00401827
                                                    • Part of subcall function 00401822: _memset.LIBCMT ref: 0040196A
                                                    • Part of subcall function 00401822: _memset.LIBCMT ref: 00401979
                                                    • Part of subcall function 00401822: _memset.LIBCMT ref: 00401988
                                                    • Part of subcall function 00401417: __EH_prolog.LIBCMT ref: 0040141C
                                                  • _wcscpy.LIBCMT ref: 004082AF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: H_prolog_memset$_wcscpy
                                                  • String ID: rar
                                                  • API String ID: 2876264062-1792618458
                                                  • Opcode ID: d8064b72c640e36a82a0b68421302acdf3e8c056939b4e9f8210efc5c70c758b
                                                  • Instruction ID: 75000dcce843433d4275637ef0618472c828e59e125cdaf0ff5f97d994d1ab7f
                                                  • Opcode Fuzzy Hash: d8064b72c640e36a82a0b68421302acdf3e8c056939b4e9f8210efc5c70c758b
                                                  • Instruction Fuzzy Hash: 3D41A4319002589EDB24DB50C955BEA77B8AB14304F4448FFE489B3182DB796FC8CB29
                                                  APIs
                                                  • CreateThread.KERNELBASE(00000000,00010000,Function_000111DD,?,00000000,?), ref: 00411278
                                                  • SetThreadPriority.KERNEL32(?,00000000,?,?,004112E4,-00000108,00404FE0), ref: 004112BF
                                                    • Part of subcall function 00406423: __vswprintf_c_l.LIBCMT ref: 00406441
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: Thread$CreatePriority__vswprintf_c_l
                                                  • String ID: CreateThread failed
                                                  • API String ID: 2655393344-3849766595
                                                  • Opcode ID: 3061c48cbf7df5314d67cb84a6f78a2ab06f9f7c5b99b3b88179035cff10f0ee
                                                  • Instruction ID: 964536ca15170dd961cb9332306e5bd8003a90b1d1e662a5f33448d65f1dc838
                                                  • Opcode Fuzzy Hash: 3061c48cbf7df5314d67cb84a6f78a2ab06f9f7c5b99b3b88179035cff10f0ee
                                                  • Instruction Fuzzy Hash: 4B01A2753453057BD3215F55AC46BB673A9EB44766F20043FFB82E11D0DAB4A8608A2D
                                                  APIs
                                                  • __CxxThrowException@8.LIBCMT ref: 0041276B
                                                  • _malloc.LIBCMT ref: 00412785
                                                    • Part of subcall function 0041CF3E: __FF_MSGBANNER.LIBCMT ref: 0041CF61
                                                    • Part of subcall function 0041CF3E: __NMSG_WRITE.LIBCMT ref: 0041CF68
                                                    • Part of subcall function 0041CF3E: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,004212F4,00000000,00000001,00000000,?,0041EF2D,00000018,0042D930,0000000C,0041EFBE), ref: 0041CFB5
                                                  • _memset.LIBCMT ref: 004127D8
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: AllocateException@8HeapThrow_malloc_memset
                                                  • String ID:
                                                  • API String ID: 3965744532-0
                                                  • Opcode ID: aecc41870ac87d010834a5c488dea66f27f1e28d46d9c5665e17219ed6a13b4d
                                                  • Instruction ID: 1154a5c9599e5537b836a1002f89e902606abe80a59ae87693d08389c363c3d7
                                                  • Opcode Fuzzy Hash: aecc41870ac87d010834a5c488dea66f27f1e28d46d9c5665e17219ed6a13b4d
                                                  • Instruction Fuzzy Hash: 05410470905745ABEB25EE38D6C47DBB7D0AF14304F20482FE5A6D3281C7B8A9E4C718
                                                  APIs
                                                  • GetStdHandle.KERNEL32(000000F5,?,?,?,0040BB41,?,?,00000000,?,?,004124ED,?,?,?,00000001,?), ref: 00408AC5
                                                  • WriteFile.KERNEL32(00000001,?,00004000,?,00000000,?,?,0040BB41,?,?,00000000,?,?,004124ED,?,?), ref: 00408B01
                                                  • WriteFile.KERNELBASE(00000001,?,00000000,?,00000000,?,?,?,?,?,0040BB41,?,?,00000000,?,?), ref: 00408B2D
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: FileWrite$Handle
                                                  • String ID:
                                                  • API String ID: 4209713984-0
                                                  • Opcode ID: 2630e5a33cfd0af18d09aa74bbfd8346207367a51011a650ef626fa881f46d74
                                                  • Instruction ID: f20fcf70e75a5c6d44a32b1c4255a65a5bf54a4d93884812af3801fc7a684339
                                                  • Opcode Fuzzy Hash: 2630e5a33cfd0af18d09aa74bbfd8346207367a51011a650ef626fa881f46d74
                                                  • Instruction Fuzzy Hash: 9B31C371300204AFDB209F65CA44BAB77A9EB94310F04813FF996E72C1DB78A905DF29
                                                  APIs
                                                    • Part of subcall function 0040A08A: _wcslen.LIBCMT ref: 0040A090
                                                  • CreateDirectoryW.KERNELBASE(00000000,00000000,00000000,?,?,?,0040941E,?,00000001,00000000,?,?,?,?,?), ref: 004092F9
                                                  • CreateDirectoryW.KERNEL32(?,00000000,00000000,?,00000800,00000000,00000000,?,?,?,0040941E,?,00000001,00000000,?,?), ref: 00409328
                                                  • GetLastError.KERNEL32(00000000,00000000,?,?,?,0040941E,?,00000001,00000000,?,?,?,?,?,?,004067A5), ref: 00409341
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: CreateDirectory$ErrorLast_wcslen
                                                  • String ID:
                                                  • API String ID: 2260680371-0
                                                  • Opcode ID: e440fb91986ed667ecea05b8623b67f22d0563812c7c3dc4cd5ad5119d8de580
                                                  • Instruction ID: 5cfd1deac55777c6f3d5c0bdf32a3cf990456680eccb4e8d5c114054f7fd3324
                                                  • Opcode Fuzzy Hash: e440fb91986ed667ecea05b8623b67f22d0563812c7c3dc4cd5ad5119d8de580
                                                  • Instruction Fuzzy Hash: DD01C031100204A5DB216A664C42BBB37589B4EB84F88447BFD41F62D2CB7C9C92D97E
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 0040E2DC
                                                  • _wcscpy.LIBCMT ref: 0040E2FC
                                                    • Part of subcall function 00410D16: _wcslen.LIBCMT ref: 00410D2C
                                                    • Part of subcall function 00410D16: _wcscpy.LIBCMT ref: 00410D42
                                                  • _wcscpy.LIBCMT ref: 0040E31A
                                                    • Part of subcall function 00407150: __EH_prolog.LIBCMT ref: 00407155
                                                    • Part of subcall function 00407074: __EH_prolog.LIBCMT ref: 00407079
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: H_prolog_wcscpy$_wcslen
                                                  • String ID:
                                                  • API String ID: 2067596392-0
                                                  • Opcode ID: aa5c2ab907567c22763022a3e14260f934ba444c4f603d8b7408ac10fc9ad921
                                                  • Instruction ID: 34baa23ef678cdf00172776f2fc4f6da7b22e3ce89fab18911e310d79256e735
                                                  • Opcode Fuzzy Hash: aa5c2ab907567c22763022a3e14260f934ba444c4f603d8b7408ac10fc9ad921
                                                  • Instruction Fuzzy Hash: E7112675906294AED705EBA4AC427CD7BA0DB16318F1040AFF444A2292CFB91A90DB6E
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: CMT
                                                  • API String ID: 3519838083-2756464174
                                                  • Opcode ID: c5dcd452fd1e4eeec7eacad65d6409f1913b512c17b790326e9b6827e8618ada
                                                  • Instruction ID: 903a9e83ebfadd1395375551f57b58f4375dbb7200b7f1b09ca9293e13445996
                                                  • Opcode Fuzzy Hash: c5dcd452fd1e4eeec7eacad65d6409f1913b512c17b790326e9b6827e8618ada
                                                  • Instruction Fuzzy Hash: C5210275600144AFCB05EF6488908AEBBB9EF44314B00C06FF866773E2CB389E01DB68
                                                  APIs
                                                  • _realloc.LIBCMT ref: 0040115B
                                                    • Part of subcall function 00406423: __vswprintf_c_l.LIBCMT ref: 00406441
                                                  Strings
                                                  • Maximum allowed array size (%u) is exceeded, xrefs: 0040112C
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: __vswprintf_c_l_realloc
                                                  • String ID: Maximum allowed array size (%u) is exceeded
                                                  • API String ID: 620378156-979119166
                                                  • Opcode ID: dce6db5a0bfaf73c63961f3884acddfac192c2d93569977231d8791de2d42667
                                                  • Instruction ID: b98885df3920ffeceb53ce79d7a953b92e5ea0a83a6506546a83ec3ee512e677
                                                  • Opcode Fuzzy Hash: dce6db5a0bfaf73c63961f3884acddfac192c2d93569977231d8791de2d42667
                                                  • Instruction Fuzzy Hash: 8D014F353006056FD728EA25D89193BB3E9EB88764310483FF99B97791EA39BC548718
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID:
                                                  • API String ID: 3519838083-0
                                                  • Opcode ID: e8d4131a6c0ab78f129bbdc20b8640a8360fcb8037d97d2b6f97067a7eefdc9b
                                                  • Instruction ID: 1df30631c7f2331ab9bb659be56b51083ca38efb3ea41a431c6c341c2f7f2518
                                                  • Opcode Fuzzy Hash: e8d4131a6c0ab78f129bbdc20b8640a8360fcb8037d97d2b6f97067a7eefdc9b
                                                  • Instruction Fuzzy Hash: D7A1A370904B44AFDB31DB38C8447ABB7E5AB45304F14482FE4A7A72E1D779A881CB59
                                                  APIs
                                                  • CreateFileW.KERNELBASE(?,?,?,00000000,00000002,00000000,00000000,?,?,?,-00000011,?,00408777,?,-00000011,?), ref: 004089A5
                                                  • CreateFileW.KERNEL32(?,000000FF,?,00000000,00000002,00000000,00000000,?,?,00000800,?,?,?,-00000011,?,00408777), ref: 004089DA
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID:
                                                  • API String ID: 823142352-0
                                                  • Opcode ID: a074d9b34406725a99dd7798f6dc6781e4ed09d04832e0e73d262d8c08033346
                                                  • Instruction ID: 01d84b190ee352a3a297c1effa4f932d2cea621e1ee0f9c6dc0f58f94aa457de
                                                  • Opcode Fuzzy Hash: a074d9b34406725a99dd7798f6dc6781e4ed09d04832e0e73d262d8c08033346
                                                  • Instruction Fuzzy Hash: F621E6B1000709AFDB20AF28CD41AEA7BA9EB04324F00853EF5D5972D1CA799D859B59
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 004012EF
                                                    • Part of subcall function 00402C8B: __EH_prolog.LIBCMT ref: 00402C90
                                                  • _wcslen.LIBCMT ref: 00401391
                                                    • Part of subcall function 0041A506: __lock.LIBCMT ref: 0041A524
                                                    • Part of subcall function 0041A506: ___sbh_find_block.LIBCMT ref: 0041A52F
                                                    • Part of subcall function 0041A506: ___sbh_free_block.LIBCMT ref: 0041A53E
                                                    • Part of subcall function 0041A506: RtlFreeHeap.NTDLL(00000000,00000000,0042D658,0000000C,0041EF84,00000000,0042D930,0000000C,0041EFBE,00000000,0041A9AB,?,00425448,00000004,0042DB18,0000000C), ref: 0041A56E
                                                    • Part of subcall function 0041A506: GetLastError.KERNEL32(?,00425448,00000004,0042DB18,0000000C,0042133E,00000000,0041A9BA,00000000,00000000,00000000,?,0041E966,00000001,00000214), ref: 0041A57F
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: H_prolog$ErrorFreeHeapLast___sbh_find_block___sbh_free_block__lock_wcslen
                                                  • String ID:
                                                  • API String ID: 2367413355-0
                                                  • Opcode ID: 11f42ef8cdaa0769df478fd29a00db720605d229e9827037435442823eb81be9
                                                  • Instruction ID: 0a298500d8bcfa7ff7c3c7c798daa7998fe1fc2396f24876ea38c2992963b511
                                                  • Opcode Fuzzy Hash: 11f42ef8cdaa0769df478fd29a00db720605d229e9827037435442823eb81be9
                                                  • Instruction Fuzzy Hash: 43218131C04219AADF11AF95D8019EFBBBAEF44704F10402FF815B26B1D7791951DB99
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 0040E764
                                                    • Part of subcall function 00401822: __EH_prolog.LIBCMT ref: 00401827
                                                    • Part of subcall function 00401822: _memset.LIBCMT ref: 0040196A
                                                    • Part of subcall function 00401822: _memset.LIBCMT ref: 00401979
                                                    • Part of subcall function 00401822: _memset.LIBCMT ref: 00401988
                                                    • Part of subcall function 00401768: __EH_prolog.LIBCMT ref: 0040176D
                                                  • _malloc.LIBCMT ref: 0040E7CC
                                                    • Part of subcall function 0041CF3E: __FF_MSGBANNER.LIBCMT ref: 0041CF61
                                                    • Part of subcall function 0041CF3E: __NMSG_WRITE.LIBCMT ref: 0041CF68
                                                    • Part of subcall function 0041CF3E: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,004212F4,00000000,00000001,00000000,?,0041EF2D,00000018,0042D930,0000000C,0041EFBE), ref: 0041CFB5
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: H_prolog_memset$AllocateHeap_malloc
                                                  • String ID:
                                                  • API String ID: 47157355-0
                                                  • Opcode ID: 8a0e236cf4d95a6c185fe36cf45249ef349d68e2c77d2ed9baa34b65b141d772
                                                  • Instruction ID: 028989472a53044f7525bc0779393b56fb6d8ddec0b6eee1d5d0b7402cf9aefd
                                                  • Opcode Fuzzy Hash: 8a0e236cf4d95a6c185fe36cf45249ef349d68e2c77d2ed9baa34b65b141d772
                                                  • Instruction Fuzzy Hash: 09217F72800259EFCF15EFA5D8819EEB7B4BF08308F10456FE006B3291E7385A44DB69
                                                  APIs
                                                  • SetFilePointer.KERNELBASE(?,00000000,?,00000001), ref: 00408BE1
                                                  • GetLastError.KERNEL32(?,?), ref: 00408BEE
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: ErrorFileLastPointer
                                                  • String ID:
                                                  • API String ID: 2976181284-0
                                                  • Opcode ID: 401041f812e38b2c9cc7bc658f647880eeddc778264b755613b9ad4916800595
                                                  • Instruction ID: 02e03e75e993c9a8a945b97f90e28c3a97864ede8bf9f3e31abc9cd0b64ad5c5
                                                  • Opcode Fuzzy Hash: 401041f812e38b2c9cc7bc658f647880eeddc778264b755613b9ad4916800595
                                                  • Instruction Fuzzy Hash: 540145B2706204BFE7209B788D458AB36ADCB84334B14423FB192E33C1EA749D00527D
                                                  APIs
                                                  • LoadStringW.USER32(?,-004335D5,00000200), ref: 0040C410
                                                  • LoadStringW.USER32(?,-004335D5,00000200), ref: 0040C422
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: LoadString
                                                  • String ID:
                                                  • API String ID: 2948472770-0
                                                  • Opcode ID: 72945bf23e6ae9cf9b0fab0a5a9e43b8bd420b2efeca12c7a5d03f8341522d8c
                                                  • Instruction ID: edfc175873420c56a2918f30daf07abd917a54f8fc7c105ac48efc03a3cacc81
                                                  • Opcode Fuzzy Hash: 72945bf23e6ae9cf9b0fab0a5a9e43b8bd420b2efeca12c7a5d03f8341522d8c
                                                  • Instruction Fuzzy Hash: 200186722012107FD6209F19AC85F577BEDEB99351F10543AB900D32A1D6359C01876C
                                                  APIs
                                                  • SetFilePointer.KERNELBASE(?,?,00000001,00000000,?,?,?,?,00408FD1,00000000,00000000,00000000,?,00407DE2,?,?), ref: 00408F9E
                                                  • GetLastError.KERNEL32(00408FD1,00000000,00000000,00000000,?,00407DE2,?,?,?,?,?,?,?,?), ref: 00408FAA
                                                    • Part of subcall function 00408E03: __EH_prolog.LIBCMT ref: 00408E08
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: ErrorFileH_prologLastPointer
                                                  • String ID:
                                                  • API String ID: 4236474358-0
                                                  • Opcode ID: fcb39ab4431aa7e293366899b2db99d4a95afe2178fb6d1211a042b2fb6e45d7
                                                  • Instruction ID: 31f7e80921147255a447777291f97898e209bd40052f61b908ef1a5d0e3b9beb
                                                  • Opcode Fuzzy Hash: fcb39ab4431aa7e293366899b2db99d4a95afe2178fb6d1211a042b2fb6e45d7
                                                  • Instruction Fuzzy Hash: 1E019631200306DBCF248F64CD046AE776ABF813A5F14463EF8A1A22D0DB78D951DA55
                                                  APIs
                                                  • _malloc.LIBCMT ref: 0041A8B4
                                                    • Part of subcall function 0041CF3E: __FF_MSGBANNER.LIBCMT ref: 0041CF61
                                                    • Part of subcall function 0041CF3E: __NMSG_WRITE.LIBCMT ref: 0041CF68
                                                    • Part of subcall function 0041CF3E: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,004212F4,00000000,00000001,00000000,?,0041EF2D,00000018,0042D930,0000000C,0041EFBE), ref: 0041CFB5
                                                  • __CxxThrowException@8.LIBCMT ref: 0041A8F9
                                                    • Part of subcall function 0041216A: std::exception::exception.LIBCMT ref: 00412174
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: AllocateException@8HeapThrow_mallocstd::exception::exception
                                                  • String ID:
                                                  • API String ID: 1264268182-0
                                                  • Opcode ID: 652451197443050397a994e0f1a437ce7b6bc5e6c303dc83bd53091e5d1b5587
                                                  • Instruction ID: 42064790ed8d2a037bfba99cbedd4ff18ff19c5b52db1d8e26b3e688ef0b8114
                                                  • Opcode Fuzzy Hash: 652451197443050397a994e0f1a437ce7b6bc5e6c303dc83bd53091e5d1b5587
                                                  • Instruction Fuzzy Hash: 64F0E23160021972CB047B22ED46ACE37586F01728B10403BFC1199192DFAC9ADA919E
                                                  APIs
                                                  • DeleteFileW.KERNELBASE(?,?,-00000011,?,0040877F,?,?,00000001,?,?,?,?,?,?,00000000,?), ref: 004090FC
                                                  • DeleteFileW.KERNEL32(?,?,?,00000800,?,0040877F,?,?,00000001,?,?,?,?,?,?,00000000), ref: 00409126
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: DeleteFile
                                                  • String ID:
                                                  • API String ID: 4033686569-0
                                                  • Opcode ID: 0a42f7c6465a65df2585c125a2f12a68c0d7bb240ddda169d7c29578124ac562
                                                  • Instruction ID: c332a15ca0b0e5e82477794df9822c7aeed54c7470201c7e9f38434531037f1b
                                                  • Opcode Fuzzy Hash: 0a42f7c6465a65df2585c125a2f12a68c0d7bb240ddda169d7c29578124ac562
                                                  • Instruction Fuzzy Hash: DBE02B3114122AA7EB00A620DC01FDA3B5C9F043C0F0440737C80E71D1DB75DCE0D9A4
                                                  APIs
                                                  • GetFileAttributesW.KERNELBASE(?,?,?,?,004092AE,?,00406796,?,?,?,?), ref: 00409059
                                                  • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,?,?,004092AE,?,00406796,?,?,?,?), ref: 00409081
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: AttributesFile
                                                  • String ID:
                                                  • API String ID: 3188754299-0
                                                  • Opcode ID: b25c0f1027ae8764d85bcc1b21548e8f0eb716d18d4362393a4ff3fac8f95358
                                                  • Instruction ID: f0aa2148c7acefeba2e85b7bc3a11c2245577506fd5686bf0be3bfe97b3e7ecd
                                                  • Opcode Fuzzy Hash: b25c0f1027ae8764d85bcc1b21548e8f0eb716d18d4362393a4ff3fac8f95358
                                                  • Instruction Fuzzy Hash: BBE092326101186ACB10A669DC00BDE379D9BC83E5F0401B3BE44E32D5DAB4DD95CBA5
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: ItemText_swprintf
                                                  • String ID:
                                                  • API String ID: 3011073432-0
                                                  • Opcode ID: 8034b9b9aa660211ead63cdf03b6a57d34fff27c13a9ae0071d7a28958d0b1e9
                                                  • Instruction ID: 335ddef7e6713e4d0d4f603cdcadd61df7388e1f4a4116fbf7552c9c9eb2c210
                                                  • Opcode Fuzzy Hash: 8034b9b9aa660211ead63cdf03b6a57d34fff27c13a9ae0071d7a28958d0b1e9
                                                  • Instruction Fuzzy Hash: 02F0EC75A0420866E711B7A1CC07F9B36589B09789F04047FB601760F3D9795564479A
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(?,?,?,?,?,00410F17,00409FF4), ref: 00410EE8
                                                  • GetProcessAffinityMask.KERNEL32(00000000), ref: 00410EEF
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: Process$AffinityCurrentMask
                                                  • String ID:
                                                  • API String ID: 1231390398-0
                                                  APIs
                                                  Similarity
                                                  • API ID: ItemShowWindow
                                                  • String ID:
                                                  • API String ID: 3351165006-0
                                                  APIs
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID:
                                                  • API String ID: 3519838083-0
                                                  APIs
                                                  Similarity
                                                  • API ID: _wcsncpy
                                                  • String ID:
                                                  • API String ID: 1735881322-0
                                                  APIs
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID:
                                                  • API String ID: 3519838083-0
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 004155F4
                                                    • Part of subcall function 0041A506: __lock.LIBCMT ref: 0041A524
                                                    • Part of subcall function 0041A506: ___sbh_find_block.LIBCMT ref: 0041A52F
                                                    • Part of subcall function 0041A506: ___sbh_free_block.LIBCMT ref: 0041A53E
                                                    • Part of subcall function 0041A506: RtlFreeHeap.NTDLL(00000000,00000000,0042D658,0000000C,0041EF84,00000000,0042D930,0000000C,0041EFBE,00000000,0041A9AB,?,00425448,00000004,0042DB18,0000000C), ref: 0041A56E
                                                    • Part of subcall function 0041A506: GetLastError.KERNEL32(?,00425448,00000004,0042DB18,0000000C,0042133E,00000000,0041A9BA,00000000,00000000,00000000,?,0041E966,00000001,00000214), ref: 0041A57F
                                                  Similarity
                                                  • API ID: ErrorFreeH_prologHeapLast___sbh_find_block___sbh_free_block__lock
                                                  • String ID:
                                                  • API String ID: 2675452811-0
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00407155
                                                    • Part of subcall function 0040B8E3: __EH_prolog.LIBCMT ref: 0040B8E8
                                                    • Part of subcall function 0041A89A: _malloc.LIBCMT ref: 0041A8B4
                                                    • Part of subcall function 0041768A: __EH_prolog.LIBCMT ref: 0041768F
                                                  Similarity
                                                  • API ID: H_prolog$_malloc
                                                  • String ID:
                                                  • API String ID: 4254904621-0
                                                  APIs
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID:
                                                  • API String ID: 3519838083-0
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00405517
                                                    • Part of subcall function 0040A026: __EH_prolog.LIBCMT ref: 0040A02B
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID:
                                                  • API String ID: 3519838083-0
                                                  APIs
                                                    • Part of subcall function 0040A0A4: _wcspbrk.LIBCMT ref: 0040A0B5
                                                  • FindClose.KERNELBASE(00000000,00000800,000000FF,?,?,?,?,00408411,?,?,00000000,?,00000800), ref: 004096EC
                                                  Similarity
                                                  • API ID: CloseFind_wcspbrk
                                                  • String ID:
                                                  • API String ID: 2190230203-0
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00407079
                                                    • Part of subcall function 004155EF: __EH_prolog.LIBCMT ref: 004155F4
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID:
                                                  • API String ID: 3519838083-0
                                                  APIs
                                                  • SetThreadExecutionState.KERNEL32(00000001), ref: 00410E13
                                                  Similarity
                                                  • API ID: ExecutionStateThread
                                                  • String ID:
                                                  • API String ID: 2211380416-0
                                                  APIs
                                                  Similarity
                                                  • API ID: _memset
                                                  • String ID:
                                                  • API String ID: 2102423945-0
                                                  APIs
                                                  • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0041EE0C
                                                  Similarity
                                                  • API ID: CreateHeap
                                                  • String ID:
                                                  • API String ID: 10892065-0
                                                  • Opcode ID: 6c78c704c61e396e770c5c9d5bf39bc32bfab303bf8d18d204e2a82309729daa
                                                  • Instruction ID: eb53d8fa6b9c670d76401f9b6e634384cdf5b6bc28e7f080834842f41bea832e
                                                  • Opcode Fuzzy Hash: 6c78c704c61e396e770c5c9d5bf39bc32bfab303bf8d18d204e2a82309729daa
                                                  • Instruction Fuzzy Hash: E6D05E366503485ADB106F716C09B763BDCD384396F104436BC1DC6150F775C5A09A48
                                                  APIs
                                                  • GetFileType.KERNELBASE(?,00408CDA,?,00408EB0,?,00000000,?,?,00000000), ref: 00408C66
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: FileType
                                                  • String ID:
                                                  • API String ID: 3081899298-0
                                                  • Opcode ID: b9077224b9f88db5cd0ce6d94ac7233058a1c10921077028cad7c3ce69d3e2a2
                                                  • Instruction ID: 2361e1c995e4a541e26ad64c94d2af3b89e31d8e4072a4a2db2c19a8efa4df55
                                                  • Opcode Fuzzy Hash: b9077224b9f88db5cd0ce6d94ac7233058a1c10921077028cad7c3ce69d3e2a2
                                                  • Instruction Fuzzy Hash: 8EC0127151610056DF2046385A8845B376687433667789FF9E071D12E5CB3ECC56B025
                                                  APIs
                                                  • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 0040D530
                                                    • Part of subcall function 0040D116: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0040D127
                                                    • Part of subcall function 0040D116: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0040D138
                                                    • Part of subcall function 0040D116: TranslateMessage.USER32(?), ref: 0040D142
                                                    • Part of subcall function 0040D116: DispatchMessageW.USER32(?), ref: 0040D14C
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: Message$DispatchItemPeekSendTranslate
                                                  • String ID:
                                                  • API String ID: 4142818094-0
                                                  • Opcode ID: 7040c51d5953534f53b945be8071fa726febfab1a70e776a765f2f75df90e843
                                                  • Instruction ID: 888b2871e718dea131dfcf0ec1cbc21fe8f041a13ed789b986bd41985b0bed4c
                                                  • Opcode Fuzzy Hash: 7040c51d5953534f53b945be8071fa726febfab1a70e776a765f2f75df90e843
                                                  • Instruction Fuzzy Hash: FDC01235240300ABE7117B50DD07F1A3A62BB88B09F808039BA81380F2CEB648369A0A
                                                  APIs
                                                  • SetEndOfFile.KERNELBASE(?,004080D7,?,?,?,?,?,?), ref: 00408C4A
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: File
                                                  • String ID:
                                                  • API String ID: 749574446-0
                                                  • Opcode ID: 372b206049e22359e890f019f69c17f88631756899d3b8a56b0e056d033f7bf1
                                                  • Instruction ID: 463f2a0b6f7528456a39aa395305c1415068e572747894341c9f749ccc5f34b3
                                                  • Opcode Fuzzy Hash: 372b206049e22359e890f019f69c17f88631756899d3b8a56b0e056d033f7bf1
                                                  • Instruction Fuzzy Hash: 80B012703E0006878E102B30CD084143910D71130630041B0600AC6061CB13C0135611
                                                  APIs
                                                  • SetCurrentDirectoryW.KERNELBASE(?,0040D8E5,0042A65C,00000000,?,00000006,?,00000800), ref: 00419C8C
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: CurrentDirectory
                                                  • String ID:
                                                  • API String ID: 1611563598-0
                                                  • Opcode ID: 35c8f440b0c787f752f8f5ff34d68e699b4f54a7e8ae052c3817328c3539a25c
                                                  • Instruction ID: 2a7281b05ebb75ae791a00df68b116ffeccc810d55834c007acaed3bb23dd98c
                                                  • Opcode Fuzzy Hash: 35c8f440b0c787f752f8f5ff34d68e699b4f54a7e8ae052c3817328c3539a25c
                                                  • Instruction Fuzzy Hash: 50A012302940064F8A100B30CC0D82577506760702F0096307002C10A4CB304430A505
                                                  APIs
                                                  • CloseHandle.KERNELBASE(?,759220B0,00000000,0040868D,?,?,?,?,00407427,?,00000000,?,00000800,?,?,?), ref: 00408A4D
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: CloseHandle
                                                  • String ID:
                                                  • API String ID: 2962429428-0
                                                  • Opcode ID: b21f32aa194ba9df83e0161a33b0e827325d82f6e4b9bdb228d687f297159138
                                                  • Instruction ID: ad6283f58ebf58fc73997c28fab75cfea7daa8eae0e70c9973603df5d86841c1
                                                  • Opcode Fuzzy Hash: b21f32aa194ba9df83e0161a33b0e827325d82f6e4b9bdb228d687f297159138
                                                  • Instruction Fuzzy Hash: 55F027706427044FD73056384A4879333D85B16331F049B2FD8E2A3BC0CB7898894E64
                                                  APIs
                                                  • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0040DED8
                                                  • DestroyIcon.USER32(00000000), ref: 0040DEE3
                                                  • EndDialog.USER32(?,00000006), ref: 0040DEEB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: DestroyDialogIconItemMessageSend
                                                  • String ID: %s %s$%s %s %s$REPLACEFILEDLG
                                                  • API String ID: 3309745630-1840816070
                                                  • Opcode ID: 16eeae55bdc9405558cec747ebfcc07caac1c70e605718ffa483f40035c658e6
                                                  • Instruction ID: 1ca02d43f13477766b0e0b2ecc80fe6690186a1d560daa565d76ee57e1f32e2a
                                                  • Opcode Fuzzy Hash: 16eeae55bdc9405558cec747ebfcc07caac1c70e605718ffa483f40035c658e6
                                                  • Instruction Fuzzy Hash: 56A18272A4021CABEB21DFE0CC85FEF776DEB04704F440476BA05E60D1D6789E5A8B65
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 0040690F
                                                  • _wcslen.LIBCMT ref: 00406978
                                                  • _wcscpy.LIBCMT ref: 004069E4
                                                  • _wcslen.LIBCMT ref: 004069F0
                                                    • Part of subcall function 00406553: GetCurrentProcess.KERNEL32(00000020,?), ref: 00406562
                                                    • Part of subcall function 00406553: OpenProcessToken.ADVAPI32(00000000), ref: 00406569
                                                    • Part of subcall function 00406553: LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00406589
                                                    • Part of subcall function 00406553: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 0040659E
                                                    • Part of subcall function 00406553: GetLastError.KERNEL32 ref: 004065A8
                                                    • Part of subcall function 00406553: CloseHandle.KERNEL32(?), ref: 004065B7
                                                    • Part of subcall function 0040935F: _wcsncpy.LIBCMT ref: 004093C6
                                                  • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,00000000,00000001), ref: 00406A7B
                                                  • CloseHandle.KERNEL32(00000000), ref: 00406A8C
                                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000001), ref: 00406A99
                                                  • _wcscpy.LIBCMT ref: 00406AE5
                                                  • _wcscpy.LIBCMT ref: 00406B09
                                                  • _wcscpy.LIBCMT ref: 00406B55
                                                  • _wcscpy.LIBCMT ref: 00406B7E
                                                  • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00406BA4
                                                  • DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 00406BCF
                                                  • CloseHandle.KERNEL32(00000000), ref: 00406BDA
                                                  • GetLastError.KERNEL32 ref: 00406BEC
                                                  • RemoveDirectoryW.KERNEL32(00000000), ref: 00406C21
                                                  • DeleteFileW.KERNEL32(00000000), ref: 00406C29
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: _wcscpy$CloseCreateFileHandle$DirectoryErrorLastProcessToken_wcslen$AdjustControlCurrentDeleteDeviceH_prologLookupOpenPrivilegePrivilegesRemoveValue_wcsncpy
                                                  • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                  • API String ID: 295717069-3508440684
                                                  • Opcode ID: 61ce2a1e948bc651cc5c71645e7a660e15ad332992f425926efc10dd858bd714
                                                  • Instruction ID: 0b044a0677013c3ee0dedeb9ad72db73be6c8eb7e300feb6a7d55a674be6f19f
                                                  • Opcode Fuzzy Hash: 61ce2a1e948bc651cc5c71645e7a660e15ad332992f425926efc10dd858bd714
                                                  • Instruction Fuzzy Hash: 56B1B471A00215AFDF21EF64CC45BDA77B8EF04304F00446AF95AF7281D778AAA4CB69
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: __byteswap_ulong
                                                  • String ID: @Z@
                                                  • API String ID: 2309504477-3109265564
                                                  • Opcode ID: 3d995ba0cc5bd3afd1912a8f52df84b91350d78957cf3c3d8552aa4fe151a300
                                                  • Instruction ID: 1dc3a99616fea8f09d0a2898b21a56a39af3494018e3c7a499627515aa5f83aa
                                                  • Opcode Fuzzy Hash: 3d995ba0cc5bd3afd1912a8f52df84b91350d78957cf3c3d8552aa4fe151a300
                                                  • Instruction Fuzzy Hash: 869119B1A006148FCB24DF5AC881A9EB7F1FF48308F1445AEE59AE7721D734E9948F48
                                                  APIs
                                                  • LoadLibraryW.KERNEL32(Crypt32.dll,00000020,0040CF0E,00000020,?,?,00405D3C,?,00000020,00000001,00000000,?,00000010,?,?,?), ref: 0040CEC4
                                                  • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0040CEDD
                                                  • GetProcAddress.KERNEL32(00438800,CryptUnprotectMemory), ref: 0040CEE9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$LibraryLoad
                                                  • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                                  • API String ID: 2238633743-1753850145
                                                  • Opcode ID: 5fe6950aaff99067424b8bdf76d8a3167c7df5a56d66711809a8faa92a841fba
                                                  • Instruction ID: 6e3b8f00ce2f8e0fa430b510b5536735c08c44b91adf59875fbb0715622b898a
                                                  • Opcode Fuzzy Hash: 5fe6950aaff99067424b8bdf76d8a3167c7df5a56d66711809a8faa92a841fba
                                                  • Instruction Fuzzy Hash: 7EE092306003119FD7319F79EC44B03BBE89F94B10B14846FE984E3250C6B8D4518B5D
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(00000020,?), ref: 00406562
                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 00406569
                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00406589
                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 0040659E
                                                  • GetLastError.KERNEL32 ref: 004065A8
                                                  • CloseHandle.KERNEL32(?), ref: 004065B7
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                                                  • String ID:
                                                  • API String ID: 3398352648-0
                                                  • Opcode ID: c4d8732f7f1e2046f43f8b45a71e1742e44d7c33346580acd03521233585be14
                                                  • Instruction ID: 201d4201c496fcfd48e74424a9b99b2c6b7fcfb09556bcb8571a25bcb240e8ee
                                                  • Opcode Fuzzy Hash: c4d8732f7f1e2046f43f8b45a71e1742e44d7c33346580acd03521233585be14
                                                  • Instruction Fuzzy Hash: A0011DB1600209FFDB209FA4DC89EAF7BBCAB04344F401076B902E1255D775CE259A75
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00401CC6
                                                  • _strlen.LIBCMT ref: 00402237
                                                    • Part of subcall function 00411B3C: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,00001FFF,?,?,004022BC,00000000,?,00000800,?,00001FFF,?), ref: 00411B58
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00402393
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
                                                  • String ID: CMT
                                                  • API String ID: 1706572503-2756464174
                                                  • Opcode ID: a938faf7c17183071b0639e51388f91889b5cef4979cfb0538ab3c6a938d128c
                                                  • Instruction ID: 47e58a6222a9c82a3371e9f2a391d10810198bea5a194d1edf5ea2ede1dda2e7
                                                  • Opcode Fuzzy Hash: a938faf7c17183071b0639e51388f91889b5cef4979cfb0538ab3c6a938d128c
                                                  • Instruction Fuzzy Hash: 8B6201709006849FCF25DF64C8947EE7BB1AF14304F0844BEE986BB2D6DB795985CB28
                                                  APIs
                                                  • IsDebuggerPresent.KERNEL32 ref: 00423F3E
                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00423F53
                                                  • UnhandledExceptionFilter.KERNEL32(0042BA78), ref: 00423F5E
                                                  • GetCurrentProcess.KERNEL32(C0000409), ref: 00423F7A
                                                  • TerminateProcess.KERNEL32(00000000), ref: 00423F81
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                  • String ID:
                                                  • API String ID: 2579439406-0
                                                  • Opcode ID: 4de6ed279e9cf42e89259ac0ebda5d4927e8938d534c68d964197d147836f072
                                                  • Instruction ID: 77c401cdca4814435c65699ef26cb777055d8c499ed0f7a386f9586c05fd5705
                                                  • Opcode Fuzzy Hash: 4de6ed279e9cf42e89259ac0ebda5d4927e8938d534c68d964197d147836f072
                                                  • Instruction Fuzzy Hash: 6F21C0B8A10208DFE710DF25F8496597BA0FB1A315F90117BE90887271EBB5599ECF0E
                                                  APIs
                                                  • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0040D17B
                                                  • GetNumberFormatW.KERNEL32(00000400,00000000,?,004300CC,?,?), ref: 0040D1CA
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: FormatInfoLocaleNumber
                                                  • String ID:
                                                  • API String ID: 2169056816-0
                                                  • Opcode ID: fae0c5bc4c9ea969901553f08fe9413b92117c2e4d377c34b7ff725826ea960f
                                                  • Instruction ID: 2e86bd0250e0b4fef5c8dc12a3830970d19becb9d4c55c3472b337e1343b8b10
                                                  • Opcode Fuzzy Hash: fae0c5bc4c9ea969901553f08fe9413b92117c2e4d377c34b7ff725826ea960f
                                                  • Instruction Fuzzy Hash: DB017C35600248AEE710DFA4EC41FAAB7FCEF09714F005426FA04EB1A0D3B89915CB6D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: <D$DD
                                                  • API String ID: 0-3036587789
                                                  • Opcode ID: a120047ceaa170e9019935171625ae5ad03bfb54992e95746f25c16dbdc0a917
                                                  • Instruction ID: 59a02f745f793eb532b4d9e305735a670a6f692f985c4356a20c5044c607aa25
                                                  • Opcode Fuzzy Hash: a120047ceaa170e9019935171625ae5ad03bfb54992e95746f25c16dbdc0a917
                                                  • Instruction Fuzzy Hash: E8D15D72A0061ACFCF14CF58D884599B3B1FF8C308B2685ADE919AB245D731BA56CF94
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: _memset
                                                  • String ID:
                                                  • API String ID: 2102423945-0
                                                  • Opcode ID: f2ddf0237e8c887b9397686041efde03e6b7465c6b8aca2acf299e0ee70c85ec
                                                  • Instruction ID: ca8e397051957a2ab45e24d4035287d6273771f133136d8253d7927585564b75
                                                  • Opcode Fuzzy Hash: f2ddf0237e8c887b9397686041efde03e6b7465c6b8aca2acf299e0ee70c85ec
                                                  • Instruction Fuzzy Hash: 5692D5709087859FCB29CF34C4D06E9BBF1AF55308F18C5AED8968B342D738A985CB59
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: _realloc
                                                  • String ID:
                                                  • API String ID: 1750794848-0
                                                  • Opcode ID: 19fe713726019c3973d82b14b26a9fc68d02c60563561d4d82d0835d1efeca77
                                                  • Instruction ID: 2a1397d1efbb1e156a4ddc1088eaf27e515a490876f5f290c2ff2c2445328417
                                                  • Opcode Fuzzy Hash: 19fe713726019c3973d82b14b26a9fc68d02c60563561d4d82d0835d1efeca77
                                                  • Instruction Fuzzy Hash: 0B02E5B1A106069BCB1DCF28C5916E9B7E1FF85304F24852ED556CBA85D338F9E1CB88
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: _memset
                                                  • String ID:
                                                  • API String ID: 2102423945-0
                                                  • Opcode ID: 9c54e9cdedc4d1f5f0a70ee5fbfd421263a38b40d6fcac4ed0c82430486a0b60
                                                  • Instruction ID: 3562be7dcc5a33f83423fe2ddc28cf6e78eed116dec30ec79901489c8d2199a3
                                                  • Opcode Fuzzy Hash: 9c54e9cdedc4d1f5f0a70ee5fbfd421263a38b40d6fcac4ed0c82430486a0b60
                                                  • Instruction Fuzzy Hash: CBA11472A00208EBDB04DF65C581BED77B5AB94304F24447FE942EB282C77C9AC2DB59
                                                  APIs
                                                  • CoCreateInstance.OLE32(0042B1F8,00000000,00000001,0042B148,?), ref: 00419BC9
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: CreateInstance
                                                  • String ID:
                                                  • API String ID: 542301482-0
                                                  • Opcode ID: 291608a549582a43ab036b31c95ed53b806bcf03129be81fab9f556b712dc9f9
                                                  • Instruction ID: e9337f94160ec10d5a134cda80235c1f61728acff05639409476ed3799cc72ed
                                                  • Opcode Fuzzy Hash: 291608a549582a43ab036b31c95ed53b806bcf03129be81fab9f556b712dc9f9
                                                  • Instruction Fuzzy Hash: FC311875A00209EFCF04CFA0C898DAA7BB9EF49304B204499F942DB250D739EE51DBA4
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: _memset
                                                  • String ID:
                                                  • API String ID: 2102423945-0
                                                  • Opcode ID: f170c41e67568dbb41c50a43ec108573c349a1076046e87b2a713adcc681154b
                                                  • Instruction ID: e1f0199fda650a5869103b9083c5b7a650503f912fa59dbaeb4dd54c60283149
                                                  • Opcode Fuzzy Hash: f170c41e67568dbb41c50a43ec108573c349a1076046e87b2a713adcc681154b
                                                  • Instruction Fuzzy Hash: 0721F672704209DFD724CF28D4817AA7BE5AB19300F10892FD896E73C2C678E9458B49
                                                  APIs
                                                  • GetVersionExW.KERNEL32(?), ref: 00409C2B
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: Version
                                                  • String ID:
                                                  • API String ID: 1889659487-0
                                                  • Opcode ID: 1145292b874a8e7a56bde58bed546469a1a499fc1dbdbc0264d61b52db470385
                                                  • Instruction ID: d7c6bb9a1732f6c2eece22a2b410928bcf9985e9f3444315991ea75afaaef588
                                                  • Opcode Fuzzy Hash: 1145292b874a8e7a56bde58bed546469a1a499fc1dbdbc0264d61b52db470385
                                                  • Instruction Fuzzy Hash: E4F0F4B1A041088FDB28CF18E992A99B7F5A748305F1002A5D619D3390DA78AE81CF69
                                                  APIs
                                                  • SetUnhandledExceptionFilter.KERNEL32(Function_0002348C), ref: 004234D3
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled
                                                  • String ID:
                                                  • API String ID: 3192549508-0
                                                  • Opcode ID: c83ebaee86b923b47ec218d74108a47e8bb0214f05dc8ef17ebda85afd4cada2
                                                  • Instruction ID: 1b01da781a1f42b14bf088c4285091799bc00e9a7c54fca4454c541a30810ab4
                                                  • Opcode Fuzzy Hash: c83ebaee86b923b47ec218d74108a47e8bb0214f05dc8ef17ebda85afd4cada2
                                                  • Instruction Fuzzy Hash: 539002603521104746112BB06C1D51565A17F48617BD104A5B401C5054DA598621551B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: gj
                                                  • API String ID: 0-4203073231
                                                  • Opcode ID: 8e8f698dc4288f7cd721a7a81a634b87765ee1de91585cf515aab87a68fe5fee
                                                  • Instruction ID: d9eb52a2d6ff44a43e3580116b86408f9a206631cbab7b39ea8bb55ae5343344
                                                  • Opcode Fuzzy Hash: 8e8f698dc4288f7cd721a7a81a634b87765ee1de91585cf515aab87a68fe5fee
                                                  • Instruction Fuzzy Hash: 81C126B2D002289BDF44CF9AD8405EEFBF2BFC8310F2AC1A6D81477615D6346A529F91
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: _memset
                                                  • String ID:
                                                  • API String ID: 2102423945-0
                                                  • Opcode ID: 345b0d20b664bc5a7c067b8b85495d146ce8f508c18b5b2458494fa8c5d0ce26
                                                  • Instruction ID: ec473c390e775c3513d1f4c5f902ffdbdf11d251c2712a84011b28fca20aaef5
                                                  • Opcode Fuzzy Hash: 345b0d20b664bc5a7c067b8b85495d146ce8f508c18b5b2458494fa8c5d0ce26
                                                  • Instruction Fuzzy Hash: 5F72E770A087459FCB29CF24C5D0AE9BBF1EF55304F1584AED99A8B342D338E985CB58
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 55f74d88c168b2656ab75066bc4e011c1757566443c1fcad1fbcf06b528a1986
                                                  • Instruction ID: 136bcfac07b0c46142f126060f48d767d5d9002a5a6c7f55271a6c6e067ee92a
                                                  • Opcode Fuzzy Hash: 55f74d88c168b2656ab75066bc4e011c1757566443c1fcad1fbcf06b528a1986
                                                  • Instruction Fuzzy Hash: 8C72B070A04645DFCB19CF68C5806EDBBB1FF45308F2981AED8598B742C339E991CB59
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
                                                  • Instruction ID: fa64fecedd4ee0fbc6ebc6d5fd45eff142ec883d8ec5514f9c97111b8272a84e
                                                  • Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
                                                  • Instruction Fuzzy Hash: 93D18E73C0E9B34A8735812D84582BBEE62AFD175031EC3E2DCE42F389D62B5D9196D4
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
                                                  • Instruction ID: 1a9104bdc18b99a6bc3a57d880f0b00b8efb4b2948f4f82757f4a36a4691901f
                                                  • Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
                                                  • Instruction Fuzzy Hash: 8DD18E73D1E9B30A8735812D80682ABEE62AFD175031EC3E2DCE42F389D72B5D9195D4
Memory Dump Source
• Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
• Instruction ID: 29e0c2194e43b481a6c61040bafb45c2199937250b84d4f9493dc4b244529513
• Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
• Instruction Fuzzy Hash: 24C16E73C0E9B30A8736812D81685ABEE62AFD175031FC3A2DCE42F389D36B5D9195D4
Memory Dump Source
• Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
• Instruction ID: 2db7ca3506525dcc090db9a2522c638e963424884ad3e69ae6d01f57f6380b46
• Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
• Instruction Fuzzy Hash: 7AC17173D0E9B3068735812E84686ABEE62AFD175031FC3E29CE42F389D32B5D9495D4
Memory Dump Source
• Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 74c5e34f9abefec6387e3142de93532e06a17bc948433487153fd85e66a9dea7
• Instruction ID: 3d3811311c0e96151038b15cdb33c9c3baef1538c920ea216c41a1bce0e780a6
• Opcode Fuzzy Hash: 74c5e34f9abefec6387e3142de93532e06a17bc948433487153fd85e66a9dea7
• Instruction Fuzzy Hash: DC812731600644ABDB14EF29C590BFD73A5EB92318F20842FE9569B2C2C77CD9C2CB59
Memory Dump Source
• Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 10288e97197f0ad943ca35c4742294250ec2590f5ea2a5543df369fbf88b7a0a
• Instruction ID: 755fc568a246bd0a3aab6df15388740ae6706893d1001b075bd9344283f82762
• Opcode Fuzzy Hash: 10288e97197f0ad943ca35c4742294250ec2590f5ea2a5543df369fbf88b7a0a
• Instruction Fuzzy Hash: FFC151B48182D9AECF01DFA5D4A09FEBFF4AF1A240B0950DAE5D5A7252C234D720DB64
Memory Dump Source
• Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e054519032d673b283cd141de9047936413c4ec94c95275afdf7b1c1e6e7c11b
• Instruction ID: cc05d4957c3f93bbff5645bcbd2bf23a73745bdaee5f26767fd414b38deba9ac
• Opcode Fuzzy Hash: e054519032d673b283cd141de9047936413c4ec94c95275afdf7b1c1e6e7c11b
• Instruction Fuzzy Hash: 7281E35220E2E18EE71AC73C14E96F63FA11F72100B2EA2EEC4CD4F6D7D665051AD729
Memory Dump Source
• Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aae54acdac3927cc066ee4afd89015ce1ad81bcf754d871dab6d471837bf2d3e
• Instruction ID: ff0af43037c4d522a8ee791cbe8e93d8d44487ff0532052a3f1666816209b0e9
• Opcode Fuzzy Hash: aae54acdac3927cc066ee4afd89015ce1ad81bcf754d871dab6d471837bf2d3e
• Instruction Fuzzy Hash: CF51F874804298AACF11CFA4C4D05FDBFB0EF5A328F6955BFD8857B282C2356646CB94
Memory Dump Source
• Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 51b2d21a1de5244f25583c5063fbcf28c6649e746e5830653507aa8b0461497a
• Instruction ID: 1b781f1f23d015917a337ea3c6206954a5313e6084e2437016288461132a8366
• Opcode Fuzzy Hash: 51b2d21a1de5244f25583c5063fbcf28c6649e746e5830653507aa8b0461497a
• Instruction Fuzzy Hash: EF312372A10605ABCB04DF38C4912DEBBE2EF81308F14812FD865DB782D37DA945CB94
Memory Dump Source
• Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 866ee34adc6fec30ee19582cd252525266032b464ccb2f20f1e66a817629a287
• Instruction ID: 2ccb413243c8e3f3810094ea986113c02d7a387cc67c693c5ca68079d889c8bb
• Opcode Fuzzy Hash: 866ee34adc6fec30ee19582cd252525266032b464ccb2f20f1e66a817629a287
• Instruction Fuzzy Hash: 2821D872A106716BD7048F65EC8412733A2D7CA3617DB4237DF445B3B1D135B922CAE8
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
Similarity
• API ID: _wcscpy_wcslen_wcsncpy
• String ID: UNC$\\?\
• API String ID: 677062453-253988292
• Opcode ID: 2abde0defb8e8217f0e08e38dadbd9202aa69e0edf90a9fc0407522747aefdaa
• Instruction ID: cd13f9bd72fca169d524aa050727d65a10ef4dcd9f377a8cbe6755f4863ba3db
• Opcode Fuzzy Hash: 2abde0defb8e8217f0e08e38dadbd9202aa69e0edf90a9fc0407522747aefdaa
• Instruction Fuzzy Hash: 7441AF7294131476DB20AA618C82AEB33687F55748F04442FF954732C2E7BCD6A586AB
APIs
• _wcslen.LIBCMT ref: 0041979F
• _malloc.LIBCMT ref: 004197AC
  • Part of subcall function 0041CF3E: __FF_MSGBANNER.LIBCMT ref: 0041CF61
  • Part of subcall function 0041CF3E: __NMSG_WRITE.LIBCMT ref: 0041CF68
  • Part of subcall function 0041CF3E: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,004212F4,00000000,00000001,00000000,?,0041EF2D,00000018,0042D930,0000000C,0041EFBE), ref: 0041CFB5
• _wcscpy.LIBCMT ref: 004197C5
• _wcscat.LIBCMT ref: 004197D0
• _wcscat.LIBCMT ref: 004197DB
• _wcscat.LIBCMT ref: 00419816
• _wcscat.LIBCMT ref: 00419827
• _wcslen.LIBCMT ref: 00419840
• GlobalAlloc.KERNEL32(00000040,-00000009,?,<html>,00000006), ref: 00419851
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,-00000106,00000000,00000000), ref: 00419872
• CreateStreamOnHGlobal.OLE32(00000000,00000001,00000000), ref: 0041989A
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
Similarity
• API ID: _wcscat$Global_wcslen$AllocAllocateByteCharCreateHeapMultiStreamWide_malloc_wcscpy
• String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
• API String ID: 4158105118-4209811716
• Opcode ID: b13132087b6157768e62f45c8a46c0f1663856c825173c1b80b74b9a5b241520
• Instruction ID: 9750a07ada00fadd6417d4a808c8c0194c88b3581ecb1a923ba5d07fa5d26e01
• Opcode Fuzzy Hash: b13132087b6157768e62f45c8a46c0f1663856c825173c1b80b74b9a5b241520
• Instruction Fuzzy Hash: 1C312A32900205BBDB11BB659C95EEF77789F42724F14415FF810AB2C6DB7C8E81836A
APIs
• _wcslen.LIBCMT ref: 0040E489
• _memset.LIBCMT ref: 0040E4A4
• ShellExecuteExW.SHELL32(?), ref: 0040E59A
• IsWindowVisible.USER32(?), ref: 0040E5D3
• ShowWindow.USER32(?,00000000), ref: 0040E5E1
• WaitForInputIdle.USER32(?,000007D0), ref: 0040E5EF
• GetExitCodeProcess.KERNEL32(?,?), ref: 0040E60C
• CloseHandle.KERNEL32(?), ref: 0040E62B
• ShowWindow.USER32(?,00000001), ref: 0040E684
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
Similarity
• API ID: Window$Show$CloseCodeExecuteExitHandleIdleInputProcessShellVisibleWait_memset_wcslen
• String ID: .exe$.inf$z(D
• API String ID: 3215649069-3601587883
• Opcode ID: bed88ef6189cab0bc2363a68129e730fc28d238946ac4723ee352b551c7a999f
• Instruction ID: 3e26098100528e53db86749210a7047ac1cc05a8490cbdb1dbf577081e62715c
• Opcode Fuzzy Hash: bed88ef6189cab0bc2363a68129e730fc28d238946ac4723ee352b551c7a999f
• Instruction Fuzzy Hash: 8051B571910258BADF31AFA2EC405AE7BB4EF11304F444C7BE841B72E1E77999A5CB09
                                                  APIs
                                                  • ShowWindow.USER32(?,00000000,00000000,?,?), ref: 00419AB7
                                                    • Part of subcall function 00419A36: LoadCursorW.USER32(00000000,00007F00), ref: 00419A6D
                                                    • Part of subcall function 00419A36: RegisterClassExW.USER32(00000030), ref: 00419A8E
                                                  • GetWindowRect.USER32(?,?), ref: 00419AD8
                                                  • GetParent.USER32(?), ref: 00419AEB
                                                  • MapWindowPoints.USER32(00000000,00000000), ref: 00419AF0
                                                  • DestroyWindow.USER32(?), ref: 00419AFE
                                                  • GetParent.USER32(?), ref: 00419B1C
                                                  • CreateWindowExW.USER32(00000000,RarHtmlClassName,00000000,40000000,?,?,?,?,00000000), ref: 00419B3B
                                                  • ShowWindow.USER32(?,00000005,?), ref: 00419B6D
                                                  • SetWindowTextW.USER32(?,00000000), ref: 00419B77
                                                  • ShowWindow.USER32(00000000,00000005), ref: 00419B8D
                                                  • UpdateWindow.USER32(?), ref: 00419B96
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: Window$Show$Parent$ClassCreateCursorDestroyLoadPointsRectRegisterTextUpdate
                                                  • String ID: RarHtmlClassName
                                                  • API String ID: 3841971108-1658105358
                                                  • Opcode ID: 16e1c11b631fea3f24aabbe380a880f14a925712ab14143eb1e2f30964cb5bb4
                                                  • Instruction ID: a0655035169e6554100d25c4e6de203faa719369231219c5c88fda93c074337e
                                                  • Opcode Fuzzy Hash: 16e1c11b631fea3f24aabbe380a880f14a925712ab14143eb1e2f30964cb5bb4
                                                  • Instruction Fuzzy Hash: 0331B035600604EFCB319F65EC48EAFBBB9FF44700F10451AF91692260D735AD51DBA9
                                                  APIs
                                                  • _wcscpy.LIBCMT ref: 00405182
                                                  • _wcslen.LIBCMT ref: 0040518A
                                                  • _wcscpy.LIBCMT ref: 0040519A
                                                  • _wcslen.LIBCMT ref: 004051A0
                                                  • _wcscpy.LIBCMT ref: 004051B8
                                                  • _wcslen.LIBCMT ref: 004051BE
                                                  • _wcscpy.LIBCMT ref: 004051CD
                                                  • _wcslen.LIBCMT ref: 004051D3
                                                  • _memset.LIBCMT ref: 004051E8
                                                  • GetSaveFileNameW.COMDLG32(?,?,?,?,?,?,000000A2), ref: 00405234
                                                  • GetOpenFileNameW.COMDLG32(?,?,?,?,?,?,000000A2), ref: 0040523C
                                                  • CommDlgExtendedError.COMDLG32(?,?,?,?,?,000000A2), ref: 00405244
                                                  • GetSaveFileNameW.COMDLG32(?,?,?,?,?,?,000000A2), ref: 00405260
                                                  • GetOpenFileNameW.COMDLG32(?,?,?,?,?,?,000000A2), ref: 00405268
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: FileName_wcscpy_wcslen$OpenSave$CommErrorExtended_memset
                                                  • String ID:
                                                  • API String ID: 3496903968-0
                                                  • Opcode ID: 446a76bb310dad6e5806d0052d9e568853349a282fe8c87d623ef543e340e0f8
                                                  • Instruction ID: 017447a648ceccb586da1f31f92202068c03838f3088d87860c47b682a039f1a
                                                  • Opcode Fuzzy Hash: 446a76bb310dad6e5806d0052d9e568853349a282fe8c87d623ef543e340e0f8
                                                  • Instruction Fuzzy Hash: D531D775901618ABCB11AFA5DC45ACF7BB8EF04314F00002AF904B7281DB38DA958FAE
                                                  APIs
                                                  • GetDC.USER32(00000000), ref: 00419D17
                                                  • CreateCompatibleDC.GDI32(00000000), ref: 00419D27
                                                  • CreateCompatibleDC.GDI32(?), ref: 00419D2E
                                                  • GetObjectW.GDI32(?,00000018,?), ref: 00419D3C
                                                  • CreateCompatibleBitmap.GDI32(?,00000200,00419EBD), ref: 00419D5E
                                                  • SelectObject.GDI32(00000000,?), ref: 00419D71
                                                  • SelectObject.GDI32(?,00000200), ref: 00419D7C
                                                  • StretchBlt.GDI32(?,00000000,00000000,00000200,00419EBD,00000000,00000000,00000000,?,?,00CC0020), ref: 00419D9A
                                                  • SelectObject.GDI32(00000000,?), ref: 00419DA4
                                                  • SelectObject.GDI32(?,00419EBD), ref: 00419DAC
                                                  • DeleteDC.GDI32(00000000), ref: 00419DB5
                                                  • DeleteDC.GDI32(?), ref: 00419DBA
                                                  • ReleaseDC.USER32(00000000,?), ref: 00419DC0
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: Object$Select$CompatibleCreate$Delete$BitmapReleaseStretch
                                                  • String ID:
                                                  • API String ID: 3950507155-0
                                                  • Opcode ID: c5f4d7ef721d9f2cf6d28cde0393e927751e3943138dffdaa34ce4f2faff49d0
                                                  • Instruction ID: fe64683af8def945f8560e9c967618457674570685148338231d72a037962566
                                                  • Opcode Fuzzy Hash: c5f4d7ef721d9f2cf6d28cde0393e927751e3943138dffdaa34ce4f2faff49d0
                                                  • Instruction Fuzzy Hash: C021A076900218FFCF129FA1DC48DDEBFBAFB48350B104466F914A2120C7369A65EFA4
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0042D8A0,0000000C,0041E98F,00000000,00000000,?,0041FE78,0041A9BA,?,?,?,0041A9BA,00000000,?), ref: 0041E866
                                                  • __crt_waiting_on_module_handle.LIBCMT ref: 0041E871
                                                    • Part of subcall function 00421465: Sleep.KERNEL32(000003E8,00000000,?,0041E7B7,KERNEL32.DLL,?,0041E803,?,0041FE78,0041A9BA,?,?,?,0041A9BA,00000000,?), ref: 00421471
                                                    • Part of subcall function 00421465: GetModuleHandleW.KERNEL32(00000000,?,0041E7B7,KERNEL32.DLL,?,0041E803,?,0041FE78,0041A9BA,?,?,?,0041A9BA,00000000,?), ref: 0042147A
                                                  • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0041E89A
                                                  • GetProcAddress.KERNEL32(0041A9BA,DecodePointer), ref: 0041E8AA
                                                  • __lock.LIBCMT ref: 0041E8CC
                                                  • InterlockedIncrement.KERNEL32(?), ref: 0041E8D9
                                                  • __lock.LIBCMT ref: 0041E8ED
                                                  • ___addlocaleref.LIBCMT ref: 0041E90B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
                                                  • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
                                                  • API String ID: 1028249917-2843748187
                                                  • Opcode ID: d8a1d3b64ce03b740c9770e28a10d8a3d1cb693a8f1fd6d09f99049fe87b25f8
                                                  • Instruction ID: 28857185edf288c115030afddfc21b3ad53991f12277c54fa87cb1ac16e0dfb5
                                                  • Opcode Fuzzy Hash: d8a1d3b64ce03b740c9770e28a10d8a3d1cb693a8f1fd6d09f99049fe87b25f8
                                                  • Instruction Fuzzy Hash: 82119071A40701AFD720AF36D805B9EBBE0AF44314F60456FE8A997290CB78A981CF5D
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: _wcscpy$ChangeNotify_wcschr_wcsncpy
                                                  • String ID: "$.lnk
                                                  • API String ID: 1911921660-4024015082
                                                  • Opcode ID: bb3ca6cd81c2d3ad9077df71b8a1193f574709db9a1feafa84c70d00a6701fe0
                                                  • Instruction ID: e9d5912a6b4b3542aee3cadb88dbd3b5a863ff0206024957ce050cac0ef3000c
                                                  • Opcode Fuzzy Hash: bb3ca6cd81c2d3ad9077df71b8a1193f574709db9a1feafa84c70d00a6701fe0
                                                  • Instruction Fuzzy Hash: 5191227280022899DF35DBA5CC49EEEB37CBB44304F4405BBE509F7181EB789AD98B59
                                                  APIs
                                                  • GetTempPathW.KERNEL32(?,?), ref: 0040EEE6
                                                    • Part of subcall function 0040A116: _wcslen.LIBCMT ref: 0040A11C
                                                    • Part of subcall function 0040A116: _wcscat.LIBCMT ref: 0040A13B
                                                  • _swprintf.LIBCMT ref: 0040EF22
                                                    • Part of subcall function 0040BC16: __vswprintf_c_l.LIBCMT ref: 0040BC29
                                                  • SetDlgItemTextW.USER32(?,00000066,?), ref: 0040EF44
                                                  • _wcschr.LIBCMT ref: 0040EF77
                                                  • _wcscpy.LIBCMT ref: 0040EFBB
                                                  • _wcscpy.LIBCMT ref: 0040EFE4
                                                  • _wcscpy.LIBCMT ref: 0040EFF7
                                                  • MessageBoxW.USER32(?,00000000,00000000,00000024), ref: 0040F027
                                                  • EndDialog.USER32(?,00000001), ref: 0040F049
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: _wcscpy$DialogItemMessagePathTempText__vswprintf_c_l_swprintf_wcscat_wcschr_wcslen
                                                  • String ID: %s%s%d
                                                  • API String ID: 1897388972-1000756122
                                                  • Opcode ID: f75e7cfbeccc15e09081c60efc06442c44850a7c3c336a2ff36c1e07c701c860
                                                  • Instruction ID: 7c5ef0a1406295de31e953a15a9408ca88d5d0b5476cb7747de3243763a4baae
                                                  • Opcode Fuzzy Hash: f75e7cfbeccc15e09081c60efc06442c44850a7c3c336a2ff36c1e07c701c860
                                                  • Instruction Fuzzy Hash: 325176728001199BDB21DF61DC44BEE77B8FB04308F0445BBEA09E7191E7789AE98F59
                                                  APIs
                                                  • _wcslen.LIBCMT ref: 004191E3
                                                  • _malloc.LIBCMT ref: 004191F1
                                                    • Part of subcall function 0041CF3E: __FF_MSGBANNER.LIBCMT ref: 0041CF61
                                                    • Part of subcall function 0041CF3E: __NMSG_WRITE.LIBCMT ref: 0041CF68
                                                    • Part of subcall function 0041CF3E: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,004212F4,00000000,00000001,00000000,?,0041EF2D,00000018,0042D930,0000000C,0041EFBE), ref: 0041CFB5
                                                  • _wcscpy.LIBCMT ref: 0041920F
                                                  • _wcslen.LIBCMT ref: 00419215
                                                  • _wcscpy.LIBCMT ref: 0041925D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: _wcscpy_wcslen$AllocateHeap_malloc
                                                  • String ID: $&nbsp;$<br>$<style>body{font-family:"Arial";font-size:12;}</style>
                                                  • API String ID: 2405444336-406990186
                                                  • Opcode ID: ef4270a2c62554232e7dcaf25c2b62ab2229b7f12839ff23f0a1ced700b27f0b
                                                  • Instruction ID: 0e02d37120f5dc5c9773bcbd7ae744d1444ccd80410fa70afd17435bf81929d8
                                                  • Opcode Fuzzy Hash: ef4270a2c62554232e7dcaf25c2b62ab2229b7f12839ff23f0a1ced700b27f0b
                                                  • Instruction Fuzzy Hash: BF21FB76904304BBDB20AB54DC41ADAB3B4EF45314B20445BE455A7390E7BC9ED1839E
                                                  APIs
                                                  • SendMessageW.USER32(?,00000080,00000001,?), ref: 0040F4E4
                                                  • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0040F4F9
                                                  • GetDlgItem.USER32(?,00000065), ref: 0040F508
                                                  • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0040F51D
                                                  • GetSysColor.USER32(0000000F), ref: 0040F521
                                                  • SendMessageW.USER32(?,00000443,00000000,00000000), ref: 0040F531
                                                  • SetForegroundWindow.USER32(?), ref: 0040F54B
                                                  • EndDialog.USER32(?,00000001), ref: 0040F57E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Item$ColorDialogForegroundWindow
                                                  • String ID: LICENSEDLG
                                                  • API String ID: 3794146707-2177901306
                                                  • Opcode ID: d29b6d15fe2784098a0e22a55afb32f4fb9deba78a5e36aabb146d1ab528ff85
                                                  • Instruction ID: 7fefae372e04e04a7da23b2667bfd905224a5402d39c62195e2e2b0091848963
                                                  • Opcode Fuzzy Hash: d29b6d15fe2784098a0e22a55afb32f4fb9deba78a5e36aabb146d1ab528ff85
                                                  • Instruction Fuzzy Hash: E521F9312002047BDB31AF61EC45E5B3B6DEB89B10F408436FE15B51E2D6798955CB2C
                                                  APIs
                                                  • GetWindow.USER32(?,00000005), ref: 0040DBE1
                                                  • GetClassNameW.USER32(00000000,?,00000800), ref: 0040DC1A
                                                    • Part of subcall function 00411E60: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,00000000,000000FF,00409CA8,?,00000000,?,00409DC2,00000000,-00000002,?,00000000,?), ref: 00411E76
                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 0040DC38
                                                  • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0040DC4F
                                                  • GetObjectW.GDI32(00000000,00000018,?), ref: 0040DC5E
                                                    • Part of subcall function 00419E13: GetDC.USER32(00000000), ref: 00419E1F
                                                    • Part of subcall function 00419E13: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00419E2E
                                                    • Part of subcall function 00419E13: ReleaseDC.USER32(00000000,00000000), ref: 00419E3C
                                                    • Part of subcall function 00419DD0: GetDC.USER32(00000000), ref: 00419DDC
                                                    • Part of subcall function 00419DD0: GetDeviceCaps.GDI32(00000000,00000058), ref: 00419DEB
                                                    • Part of subcall function 00419DD0: ReleaseDC.USER32(00000000,00000000), ref: 00419DF9
                                                  • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040DC85
                                                  • DeleteObject.GDI32(00000000), ref: 0040DC90
                                                  • GetWindow.USER32(00000000,00000002), ref: 0040DC99
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: Window$CapsDeviceMessageObjectReleaseSend$ClassCompareDeleteLongNameString
                                                  • String ID: STATIC
                                                  • API String ID: 1444658586-1882779555
                                                  • Opcode ID: 9567939a25e22092ccbfb99d506bbc14daa15c8c25c728e04901b5a25124ff52
                                                  • Instruction ID: 65505d2462e9bd66d8f24c48bff8a2f322d46b7930d969d63ebb67ecbc3f0dac
                                                  • Opcode Fuzzy Hash: 9567939a25e22092ccbfb99d506bbc14daa15c8c25c728e04901b5a25124ff52
                                                  • Instruction Fuzzy Hash: B321F132A40204BBEB21AB90CC46FEF77B8AF41B50F404026FD04B61C1CBB89D86D66D
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: _strlen$_swprintf_wcschr_wcscpy_wcsncpy_wcsrchr
                                                  • String ID: %08x
                                                  • API String ID: 3224783807-3682738293
                                                  • Opcode ID: 2200e9e523ffbcd5ccc4f85804e7305beb7f218704d283e0c38cbcae486b8257
                                                  • Instruction ID: 07d0537aec3a1dd66ebb0c57739ff8632de72c66deae5d09d2d4ff76284a4df6
                                                  • Instruction Fuzzy Hash: 4841E832500219AADB24AB64CC85AFF32ACDF40754F54413BB915E71C1DB7DDD80C6AE
                                                  APIs
                                                    • Part of subcall function 0040A76A: _wcsrchr.LIBCMT ref: 0040A77E
                                                  • _wcslen.LIBCMT ref: 0040A8D7
                                                  • _wcscpy.LIBCMT ref: 0040A90C
                                                    • Part of subcall function 00410BC9: _wcslen.LIBCMT ref: 00410BCF
                                                    • Part of subcall function 00410BC9: _wcsncat.LIBCMT ref: 00410BE8
                                                  • _wcslen.LIBCMT ref: 0040A94C
                                                  • _wcscpy.LIBCMT ref: 0040A9BE
                                                  Strings
                                                  Similarity
                                                  • API ID: _wcslen$_wcscpy$_wcsncat_wcsrchr
                                                  • String ID: .rar$exe$rar$sfx
                                                  • API String ID: 1023950463-630704357
                                                  • Opcode ID: 9e98728e43a4f5731da7381b6b017391db5884caad39c64eb22fb19538172cba
                                                  • Instruction ID: 29a0ca65efafee0ddffcc544de8f71498ac5d95f7ded716494b7ad5447c572c4
                                                  • Instruction Fuzzy Hash: 233106B170431056C3206B259C46A7B63A8DF05794B264C3BF882BB1E1E77C98E2925F
                                                  APIs
                                                  • GetTickCount.KERNEL32 ref: 00419654
                                                  • GetTickCount.KERNEL32 ref: 0041966F
                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00419683
                                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00419694
                                                  • TranslateMessage.USER32(?), ref: 0041969E
                                                  • DispatchMessageW.USER32(?), ref: 004196A8
                                                  • SetWindowPos.USER32(?,00000001,00000000,00000000,00000000,00000000,00000204,?), ref: 00419748
                                                  • ShowWindow.USER32(?,00000005), ref: 00419753
                                                  • SetWindowTextW.USER32(?,00000000), ref: 0041975D
                                                    • Part of subcall function 0041A506: __lock.LIBCMT ref: 0041A524
                                                    • Part of subcall function 0041A506: ___sbh_find_block.LIBCMT ref: 0041A52F
                                                    • Part of subcall function 0041A506: ___sbh_free_block.LIBCMT ref: 0041A53E
                                                    • Part of subcall function 0041A506: RtlFreeHeap.NTDLL(00000000,00000000,0042D658,0000000C,0041EF84,00000000,0042D930,0000000C,0041EFBE,00000000,0041A9AB,?,00425448,00000004,0042DB18,0000000C), ref: 0041A56E
                                                    • Part of subcall function 0041A506: GetLastError.KERNEL32(?,00425448,00000004,0042DB18,0000000C,0042133E,00000000,0041A9BA,00000000,00000000,00000000,?,0041E966,00000001,00000214), ref: 0041A57F
                                                  Similarity
                                                  • API ID: Message$Window$CountTick$DispatchErrorFreeHeapLastPeekShowTextTranslate___sbh_find_block___sbh_free_block__lock
                                                  • String ID:
                                                  • API String ID: 1762286965-0
                                                  • Opcode ID: 748e2987246eabe4ea9cf9adf1aa4bbad94aab04b0c2a3b2d0d409a63cb1e23e
                                                  • Instruction ID: 0fcf3197ed2ac79a16e8f935243f891c0de6f754acb5965f6be033bd159a0870
                                                  • Instruction Fuzzy Hash: F4412871A00219EFCB10EFA5C8989DEBB79FF49751B10846AF905D7250D738DE81CBA4
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 004084F3
                                                  • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00408516
                                                  • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00408535
                                                    • Part of subcall function 0040A5DB: _wcslen.LIBCMT ref: 0040A5E1
                                                    • Part of subcall function 00411E60: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,00000000,000000FF,00409CA8,?,00000000,?,00409DC2,00000000,-00000002,?,00000000,?), ref: 00411E76
                                                  • _swprintf.LIBCMT ref: 004085CD
                                                    • Part of subcall function 0040BC16: __vswprintf_c_l.LIBCMT ref: 0040BC29
                                                  • MoveFileW.KERNEL32(?,00000000), ref: 00408639
                                                  • MoveFileW.KERNEL32(00000000,?), ref: 0040867C
                                                    • Part of subcall function 00410B9C: _wcsncpy.LIBCMT ref: 00410BB3
                                                  Strings
                                                  Similarity
                                                  • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen_wcsncpy
                                                  • String ID: rtmp%d
                                                  • API String ID: 506780119-3303766350
                                                  • Opcode ID: a91559be58acffd0dc5b452dff065d579de74766ff3e95af3a762548e6537785
                                                  • Instruction ID: 086441498323e4bc326e09acd5d1366d0aff3811eaae5beb392a373780c828d6
                                                  • Instruction Fuzzy Hash: DE415E71901218AACB20EB61CE45EDF777CAF00394F0008ABB585B7181EA7D9B959E68
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: _wcschr$__vswprintf_c_l_swprintf_wcsncpy
                                                  • String ID: %c:\$%s.%d.tmp
                                                  • API String ID: 2474501127-1021493711
                                                  • Opcode ID: da4b65786035d2197ed7d49f53fcd311549ea47fe36f06ac93baee63d6beaa20
                                                  • Instruction ID: b4756b8e91951cb7d51e69898c9cc4431ccaeceaeab60524178106c8bdd82eb4
                                                  • Instruction Fuzzy Hash: 8101042320431169DA20EB769C45C6B73ACDFD93A0B00883FF584E31C1EA78D4A0C27B
                                                  APIs
                                                  • GetTickCount.KERNEL32 ref: 004192E2
                                                  • GetTickCount.KERNEL32 ref: 004192E7
                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00419316
                                                  • TranslateMessage.USER32(?), ref: 00419324
                                                  • DispatchMessageW.USER32(?), ref: 0041932E
                                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0041933B
                                                  • GetTickCount.KERNEL32 ref: 00419341
                                                  • VariantInit.OLEAUT32(?), ref: 0041934E
                                                  Similarity
                                                  • API ID: Message$CountTick$DispatchInitPeekTranslateVariant
                                                  • String ID:
                                                  • API String ID: 4242828014-0
                                                  • Opcode ID: 3739eaef324a12835188418d8e4db8062592f3b82a480bdb7c4c47042269d501
                                                  • Instruction ID: 9cb0af2a0f3e63d9aa0a53d062aebc77c377528e3d470f830326fa06e80cb38f
                                                  • Instruction Fuzzy Hash: C121F7B1E00208AFDB10DFE4D888EEEBBBCEF48305F504866F911E7250D6799E458B61
                                                  APIs
                                                    • Part of subcall function 00419E75: GetDC.USER32(00000000), ref: 00419E79
                                                    • Part of subcall function 00419E75: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00419E84
                                                    • Part of subcall function 00419E75: ReleaseDC.USER32(00000000,00000000), ref: 00419E8F
                                                  • GetObjectW.GDI32(00000200,00000018,?), ref: 00419ECD
                                                  • CoCreateInstance.OLE32(0042B208,00000000,00000001,0042B100,?,00000000,?), ref: 00419EFD
                                                    • Part of subcall function 00419D0B: GetDC.USER32(00000000), ref: 00419D17
                                                    • Part of subcall function 00419D0B: CreateCompatibleDC.GDI32(00000000), ref: 00419D27
                                                    • Part of subcall function 00419D0B: CreateCompatibleDC.GDI32(?), ref: 00419D2E
                                                    • Part of subcall function 00419D0B: GetObjectW.GDI32(?,00000018,?), ref: 00419D3C
                                                    • Part of subcall function 00419D0B: CreateCompatibleBitmap.GDI32(?,00000200,00419EBD), ref: 00419D5E
                                                    • Part of subcall function 00419D0B: SelectObject.GDI32(00000000,?), ref: 00419D71
                                                    • Part of subcall function 00419D0B: SelectObject.GDI32(?,00000200), ref: 00419D7C
                                                    • Part of subcall function 00419D0B: StretchBlt.GDI32(?,00000000,00000000,00000200,00419EBD,00000000,00000000,00000000,?,?,00CC0020), ref: 00419D9A
                                                    • Part of subcall function 00419D0B: SelectObject.GDI32(00000000,?), ref: 00419DA4
                                                    • Part of subcall function 00419D0B: SelectObject.GDI32(?,00419EBD), ref: 00419DAC
                                                    • Part of subcall function 00419D0B: DeleteDC.GDI32(00000000), ref: 00419DB5
                                                    • Part of subcall function 00419D0B: DeleteDC.GDI32(?), ref: 00419DBA
                                                    • Part of subcall function 00419D0B: ReleaseDC.USER32(00000000,?), ref: 00419DC0
                                                  Strings
                                                  Similarity
                                                  • API ID: Object$CreateSelect$Compatible$DeleteRelease$BitmapCapsDeviceInstanceStretch
                                                  • String ID: (
                                                  • API String ID: 189428636-3887548279
                                                  • Opcode ID: 2c95d850f981d7af9c5ed3b9bf4fae1c522e7595f6c5569b0b0a1ef1f992ee39
                                                  • Instruction ID: d8cf3f11634150c5eb1370622c6fe0712570af28e2ae67cdae83cea958a68594
                                                  • Instruction Fuzzy Hash: 21610875A00209EFCB00DFA5D888EEEBBB9FF89704B10845AF815EB250D7759E51CB64
                                                  APIs
                                                  • _wcslen.LIBCMT ref: 00419489
                                                  • _malloc.LIBCMT ref: 00419493
                                                    • Part of subcall function 0041CF3E: __FF_MSGBANNER.LIBCMT ref: 0041CF61
                                                    • Part of subcall function 0041CF3E: __NMSG_WRITE.LIBCMT ref: 0041CF68
                                                    • Part of subcall function 0041CF3E: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,004212F4,00000000,00000001,00000000,?,0041EF2D,00000018,0042D930,0000000C,0041EFBE), ref: 0041CFB5
                                                  Strings
                                                  Similarity
                                                  • API ID: AllocateHeap_malloc_wcslen
                                                  • String ID: </p>$</style>$<br>$<style>
                                                  • API String ID: 4208083856-1200123991
                                                  • Opcode ID: 84057df06bfe7753af8be449b5ed96cf61f8b1a65555f0712547b90151fa4e6f
                                                  • Instruction ID: 25e48dc46573b9320602deb0b34776bf62bfe2b29788b043e296d39cf0375d11
                                                  • Instruction Fuzzy Hash: 69412477645212B5DB315B1998217FA73A69F01754F68401BED81B32C0E76C8EC2C26D
                                                  APIs
                                                    • Part of subcall function 00409C06: GetVersionExW.KERNEL32(?), ref: 00409C2B
                                                  • FileTimeToLocalFileTime.KERNEL32(?,?,?,?), ref: 00411425
                                                  • FileTimeToSystemTime.KERNEL32(?,?,?,?), ref: 00411435
                                                  • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00411441
                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 0041144F
                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00411459
                                                  • FileTimeToSystemTime.KERNEL32(?,?,?,00000000,00000000,00000001), ref: 004114A6
                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00411523
                                                  Similarity
                                                  • API ID: Time$File$System$Local$SpecificVersion
                                                  • String ID:
                                                  • API String ID: 2092733347-0
                                                  • Opcode ID: b334752188d409053c41308d043ef773f1ba1375d33674074c65fffa3be1e0d1
                                                  • Instruction ID: 2321c29e0176793db35fe244bdb3b2ca835dfa759224b44d16608c614d02fbda
                                                  • Instruction Fuzzy Hash: 40410AB1E00218AFCB14DFA9C8849EEB7F9FF48314B14852FE946E7240D778A945CB64
                                                  APIs
                                                  • _malloc.LIBCMT ref: 0040D941
                                                    • Part of subcall function 0041CF3E: __FF_MSGBANNER.LIBCMT ref: 0041CF61
                                                    • Part of subcall function 0041CF3E: __NMSG_WRITE.LIBCMT ref: 0041CF68
                                                    • Part of subcall function 0041CF3E: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,004212F4,00000000,00000001,00000000,?,0041EF2D,00000018,0042D930,0000000C,0041EFBE), ref: 0041CFB5
                                                  • _wcslen.LIBCMT ref: 0040D981
                                                  • _wcscat.LIBCMT ref: 0040D998
                                                  • _wcslen.LIBCMT ref: 0040D99E
                                                  • _wcscpy.LIBCMT ref: 0040D9CC
                                                  Strings
                                                  Similarity
                                                  • API ID: _wcslen$AllocateHeap_malloc_wcscat_wcscpy
                                                  • String ID: }
                                                  • API String ID: 2020890722-4239843852
                                                  • Opcode ID: 87a1d4075c0fbabaaf42ee75a1288eb88e4c448287557cbd43c96a9187b86b14
                                                  • Instruction ID: a9b9a9eb170ff11f00d7125a4cd00596761e48c06437fb6caf1dcbb108c8f9f0
                                                  • Opcode Fuzzy Hash: 87a1d4075c0fbabaaf42ee75a1288eb88e4c448287557cbd43c96a9187b86b14
                                                  • Instruction Fuzzy Hash: 6111B771D0131A59EB25ABE08CC57DB72B8DF00354F10007BE645E22D1EBBC9A99C39D
                                                  APIs
                                                  • SystemTimeToFileTime.KERNEL32(?,004116A7,?,?), ref: 00411592
                                                  • LocalFileTimeToFileTime.KERNEL32(004116A7,?), ref: 004115BE
                                                  • FileTimeToSystemTime.KERNEL32(004116A7,?), ref: 004115D4
                                                  • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 004115E4
                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 004115F2
                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 004115FC
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: Time$File$System$Local$Specific
                                                  • String ID:
                                                  • API String ID: 3144155402-0
                                                  • Opcode ID: f90245df41cc322dafe52bf530a12eef1bc8a67292351d8d3269b2ac88901438
                                                  • Instruction ID: daaaa78088cd12f13caf2716ff388f37494b9d87aa27411613d97d80370a29eb
                                                  • Opcode Fuzzy Hash: f90245df41cc322dafe52bf530a12eef1bc8a67292351d8d3269b2ac88901438
                                                  • Instruction Fuzzy Hash: 92313276D001199BCB14DFD4C840AEFB7B9FF48710F04452AE946E3250E634A945CBA9
                                                  APIs
                                                  • __CreateFrameInfo.LIBCMT ref: 0041DDAD
                                                    • Part of subcall function 0041A3D6: __getptd.LIBCMT ref: 0041A3E4
                                                    • Part of subcall function 0041A3D6: __getptd.LIBCMT ref: 0041A3F2
                                                  • __getptd.LIBCMT ref: 0041DDB7
                                                    • Part of subcall function 0041E9B4: __getptd_noexit.LIBCMT ref: 0041E9B7
                                                    • Part of subcall function 0041E9B4: __amsg_exit.LIBCMT ref: 0041E9C4
                                                  • __getptd.LIBCMT ref: 0041DDC5
                                                  • __getptd.LIBCMT ref: 0041DDD3
                                                  • __getptd.LIBCMT ref: 0041DDDE
                                                  • _CallCatchBlock2.LIBCMT ref: 0041DE04
                                                    • Part of subcall function 0041A47B: __CallSettingFrame@12.LIBCMT ref: 0041A4C7
                                                    • Part of subcall function 0041DEAB: __getptd.LIBCMT ref: 0041DEBA
                                                    • Part of subcall function 0041DEAB: __getptd.LIBCMT ref: 0041DEC8
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                  • String ID:
                                                  • API String ID: 1602911419-0
                                                  • Opcode ID: 5eb10d2cb4eb5e2da6c5453d1fe4c56248c4e16d68a7da2668f442ad0aab7930
                                                  • Instruction ID: e3df1943845817192d3dafa627097d3dc4affc0cfff12b6418408f9c93a4c95a
                                                  • Opcode Fuzzy Hash: 5eb10d2cb4eb5e2da6c5453d1fe4c56248c4e16d68a7da2668f442ad0aab7930
                                                  • Instruction Fuzzy Hash: 9E1126B1D00209DFDF00EFA1C445AED7BB0FF04318F10806AF854AB251DB389A519B59
                                                  APIs
                                                  • CharUpperW.USER32(?,?,?,?,00000400), ref: 0040D6AC
                                                  • CharUpperW.USER32(?,?,?,?,?,00000400), ref: 0040D6D3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: CharUpper
                                                  • String ID: -$z8D
                                                  • API String ID: 9403516-4016828469
                                                  • Opcode ID: 6e6643a8c5453ab08bb62a8daeba662149a01c951e73f69a55f52de3d79d5015
                                                  • Instruction ID: 6cb870ea5eaa954c7fe556a8e422e29c236d8a0fbf71e72dd1f5d8a9bc66e192
                                                  • Opcode Fuzzy Hash: 6e6643a8c5453ab08bb62a8daeba662149a01c951e73f69a55f52de3d79d5015
                                                  • Instruction Fuzzy Hash: FE21A5B9C0011995DB60B7E98D48BBB66A8FB41304F144177E548B32D2EA7CDECC8B6D
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 0040680F
                                                    • Part of subcall function 00402C8B: __EH_prolog.LIBCMT ref: 00402C90
                                                  • SetFileSecurityW.ADVAPI32(00000000,00000007,?,?,?,?,00000000,?,00406EF5,?,?,?,?,0040773A,?,?), ref: 00406897
                                                  • SetFileSecurityW.ADVAPI32(?,00000007,?,00000000,?,00000800,?,0040773A,?,?,?,?,?,00000000,0040839C,?), ref: 004068BE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: FileH_prologSecurity
                                                  • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                                  • API String ID: 2167059215-639343689
                                                  • Opcode ID: 72cefa14781493d3ceb14cba897e291cfc2eee12fd1132a67d2d49c664862da8
                                                  • Instruction ID: e80266907105dbdc6ea336272c15ef3f26093cba4c1f52b7c6092cd65192489b
                                                  • Opcode Fuzzy Hash: 72cefa14781493d3ceb14cba897e291cfc2eee12fd1132a67d2d49c664862da8
                                                  • Instruction Fuzzy Hash: 8D219372901259BEDF21AF55DC01BAF77689B04758F00803BF802B62C1C7BC8A559BAD
                                                  APIs
                                                  • IsWindowVisible.USER32(?), ref: 0040E1E8
                                                  • DialogBoxParamW.USER32(GETPASSWORD1,?,0040D477,?,00000007), ref: 0040E22C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: DialogParamVisibleWindow
                                                  • String ID: GETPASSWORD1$z8D$z8D
                                                  • API String ID: 3157717868-3779298832
                                                  • Opcode ID: 8a5930b9f1bd4a7920270691445133db6bb9d1af5357342886f90841ecad1a96
                                                  • Instruction ID: 2ec29a5f94ea44b227bd1a9c17bea14e87d691145e51ce1093468d312523c58d
                                                  • Opcode Fuzzy Hash: 8a5930b9f1bd4a7920270691445133db6bb9d1af5357342886f90841ecad1a96
                                                  • Instruction Fuzzy Hash: B71159717002445BEB21DF62AC80B973B99AB08765F08007BFD446B2D1C7BC8CA0C76D
                                                  APIs
                                                  • EndDialog.USER32(?,00000001), ref: 0040D431
                                                  • GetDlgItemTextW.USER32(?,00000066,00000800), ref: 0040D447
                                                  • SetDlgItemTextW.USER32(?,00000065,?), ref: 0040D461
                                                  • SetDlgItemTextW.USER32(?,00000066), ref: 0040D46C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: ItemText$Dialog
                                                  • String ID: RENAMEDLG
                                                  • API String ID: 1770891597-3299779563
                                                  • Opcode ID: 762bcebfea9f2beca08e3ffb6bbc5115bfac0753acb3b7587415e25b8287d6f5
                                                  • Instruction ID: a809f9c23db95260371581c6ee5cd384337b37eb9584205a8113e0e6bfd29c9a
                                                  • Opcode Fuzzy Hash: 762bcebfea9f2beca08e3ffb6bbc5115bfac0753acb3b7587415e25b8287d6f5
                                                  • Instruction Fuzzy Hash: 6F01D836A4421877DB205F949C41FBB3B69E705F50F544036FA01B61D0C6BAA8269BAE
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: _memset$H_prolog
                                                  • String ID: r
                                                  • API String ID: 3013590873-3291565091
                                                  • Opcode ID: adb95f05f7a194937a5df8f484bb6bf36145664ded8c6b0a2324601c3f7e7fd4
                                                  • Instruction ID: fcb346f71e1c6521d09fa93fcec7134e0802dca7d1a5d7d76298086db4932847
                                                  • Opcode Fuzzy Hash: adb95f05f7a194937a5df8f484bb6bf36145664ded8c6b0a2324601c3f7e7fd4
                                                  • Instruction Fuzzy Hash: 880144B17417407AD220EB669C46FEBBAA8DB85B18F00041FB255661C2C7FC5941CA9D
                                                  APIs
                                                  • __getptd.LIBCMT ref: 0041DAEE
                                                    • Part of subcall function 0041E9B4: __getptd_noexit.LIBCMT ref: 0041E9B7
                                                    • Part of subcall function 0041E9B4: __amsg_exit.LIBCMT ref: 0041E9C4
                                                  • __getptd.LIBCMT ref: 0041DAFF
                                                  • __getptd.LIBCMT ref: 0041DB0D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: __getptd$__amsg_exit__getptd_noexit
                                                  • String ID: MOC$csm
                                                  • API String ID: 803148776-1389381023
                                                  • Opcode ID: ff76af2ab1f2bc655f60c8d28124db9f091a0a07b538bc98cf4441336e04e070
                                                  • Instruction ID: 7ce874268d128f0e9cc5e4e4439fd54cca852ebc00a18d755191ea46e2ae681e
                                                  • Opcode Fuzzy Hash: ff76af2ab1f2bc655f60c8d28124db9f091a0a07b538bc98cf4441336e04e070
                                                  • Instruction Fuzzy Hash: 8EE048755141048FDB50976AC445FA93394EB48318F1504A7E80CC7353D77CE8C0558B
                                                  APIs
                                                  • __getptd.LIBCMT ref: 00421BB3
                                                    • Part of subcall function 0041E9B4: __getptd_noexit.LIBCMT ref: 0041E9B7
                                                    • Part of subcall function 0041E9B4: __amsg_exit.LIBCMT ref: 0041E9C4
                                                  • __amsg_exit.LIBCMT ref: 00421BD3
                                                  • __lock.LIBCMT ref: 00421BE3
                                                  • InterlockedDecrement.KERNEL32(?), ref: 00421C00
                                                  • InterlockedIncrement.KERNEL32(02151690), ref: 00421C2B
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                                                  • String ID:
                                                  • API String ID: 4271482742-0
                                                  • Opcode ID: c07a23924f397adfee97157b358641d3c25638586169e8846753b2e06e7a59ec
                                                  • Instruction ID: 6d4d6cab2ca80c9586acdc371c3e58b42f7918e3e726cea937426c24952e9619
                                                  • Opcode Fuzzy Hash: c07a23924f397adfee97157b358641d3c25638586169e8846753b2e06e7a59ec
                                                  • Instruction Fuzzy Hash: 8401C439B40731ABC728AF56A40679E7760BF10724F94012BE804AB3A1CB3C6991DBDD
                                                  APIs
                                                  • _wcslen.LIBCMT ref: 00411E89
                                                  • _wcslen.LIBCMT ref: 00411E9A
                                                  • _wcslen.LIBCMT ref: 00411EAA
                                                  • _wcslen.LIBCMT ref: 00411EB8
                                                  • CompareStringW.KERNEL32(00000400,00001001,?,?,00000000,?,?,00000000,?,00409F60,__rar_,00000000,00000006,00000000,?,00000800), ref: 00411ED5
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: _wcslen$CompareString
                                                  • String ID:
                                                  • API String ID: 3397213944-0
                                                  • Opcode ID: a78696411e0fb58170a85e42f91a72465e9b1cb7d1a352a10a0ff52bf1fcbbb8
                                                  • Instruction ID: fd224344e63f22d7e065bf6fa160c6ce473b51916626f6dd2966927fcf662de7
                                                  • Opcode Fuzzy Hash: a78696411e0fb58170a85e42f91a72465e9b1cb7d1a352a10a0ff52bf1fcbbb8
                                                  • Instruction Fuzzy Hash: 5FF02436148148BFDF126F92EC01CDE3F26DB81375B244027FE298A0A0D635C9A29789
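The records above all have the same shape: an APIs list (with nested "Part of subcall function" lines), a Memory Dump Source block, and a Similarity block carrying the String ID, the API String ID and the two fuzzy hashes. Several of them reference strings that belong to the WinRAR self-extractor stub rather than to the payload: the GETPASSWORD1 and RENAMEDLG dialog resources, the "__rar_" argument passed to CompareStringW, and SetFileSecurityW paired with SeRestorePrivilege/SeSecurityPrivilege, which is how unrar restores file ACLs on extraction. The Python below is an added example written for this edit, not Joe Sandbox or sample code: it parses records in the format of this listing and labels each function as WinRAR SFX stub, C runtime (every direct call is into LIBCMT) or unclassified, so that triage can start from the unclassified ones. The marker sets SFX_MARKERS and SFX_ACL_PRIVS and the label names are the editor's assumption; the five embedded records are copied from this page and trimmed to the fields the parser reads.

```python
"""Parse the per-function records of a Joe Sandbox listing and tag WinRAR SFX stub code.
Editor's added example, not Joe Sandbox's or the sample's code; SFX_MARKERS and
SFX_ACL_PRIVS are an assumption made for this page, not data from the report."""
import re
from dataclasses import dataclass, field

# Constructed input: five records copied from the listing above, cut down to the
# fields this parser reads (APIs and Similarity; other sections are skipped).
SAMPLE = """\
APIs
• __EH_prolog.LIBCMT ref: 0040680F
  • Part of subcall function 00402C8B: __EH_prolog.LIBCMT ref: 00402C90
• SetFileSecurityW.ADVAPI32(00000000,00000007,?,?,?,?,00000000,?,00406EF5,?,?,?,?,0040773A,?,?), ref: 00406897
• SetFileSecurityW.ADVAPI32(?,00000007,?,00000000,?,00000800,?,0040773A,?,?,?,?,?,00000000,0040839C,?), ref: 004068BE
Strings
Similarity
• String ID: SeRestorePrivilege$SeSecurityPrivilege
• API String ID: 2167059215-639343689
• Instruction Fuzzy Hash: 8D219372901259BEDF21AF55DC01BAF77689B04758F00803BF802B62C1C7BC8A559BAD
APIs
• IsWindowVisible.USER32(?), ref: 0040E1E8
• DialogBoxParamW.USER32(GETPASSWORD1,?,0040D477,?,00000007), ref: 0040E22C
Similarity
• String ID: GETPASSWORD1$z8D$z8D
• API String ID: 3157717868-3779298832
APIs
• __getptd.LIBCMT ref: 0041DAEE
  • Part of subcall function 0041E9B4: __getptd_noexit.LIBCMT ref: 0041E9B7
• __getptd.LIBCMT ref: 0041DAFF
Similarity
• API String ID: 803148776-1389381023
APIs
• SystemTimeToFileTime.KERNEL32(?,004116A7,?,?), ref: 00411592
• TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 004115E4
Similarity
• String ID:
• API String ID: 3144155402-0
APIs
• _wcslen.LIBCMT ref: 00411E89
• CompareStringW.KERNEL32(00000400,00001001,?,?,00000000,?,?,00000000,?,00409F60,__rar_,00000000,00000006,00000000,?,00000800), ref: 00411ED5
Similarity
• API String ID: 3397213944-0
"""

@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall_of: str = ""  # callee address when the line reads "Part of subcall function X: ..."

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    similarity: dict = field(default_factory=dict)

    @property
    def strings(self):  # Joe Sandbox joins the referenced strings with "$"
        return [s for s in self.similarity.get("String ID", "").split("$") if s]

API_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?(?P<name>[\w@]+)\.(?P<mod>\w+)"
                    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

def parse_records(text):
    """Start a new FunctionRecord at every 'APIs' header; keep API lines and Similarity fields."""
    records, section, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":
                current = FunctionRecord()
                records.append(current)
            section = line
        elif current and section == "APIs" and (m := API_RE.match(line)):
            args = [a for a in (m.group("args") or "").split(",") if a]
            current.apis.append(ApiCall(m.group("name"), m.group("mod"), args, m.group("ref"), m.group("sub") or ""))
        elif current and section == "Similarity" and ": " in line:
            key, _, value = line.partition(": ")
            current.similarity[key] = value.strip()
    return records

SFX_MARKERS = {"GETPASSWORD1", "RENAMEDLG", "__rar_"}          # assumption: WinRAR SFX dialog/marker strings
SFX_ACL_PRIVS = {"SeRestorePrivilege", "SeSecurityPrivilege"}  # assumption: unrar's ACL-restore privilege pair

def classify(rec):
    """Label one function from its fingerprint: WinRAR SFX stub, C runtime, or unclassified."""
    direct = [c for c in rec.apis if not c.subcall_of]
    tokens = set(rec.strings).union(*(c.args for c in rec.apis))  # markers may be call arguments
    if tokens & SFX_MARKERS or (SFX_ACL_PRIVS <= tokens and any(c.name == "SetFileSecurityW" for c in direct)):
        return "winrar-sfx-stub"
    if direct and all(c.module == "LIBCMT" for c in direct):
        return "crt-runtime"
    return "unclassified"

def triage(text):
    """(API String ID, label, instruction fuzzy hash) per function, in listing order."""
    return [(r.similarity.get("API String ID", "?"), classify(r), r.similarity.get("Instruction Fuzzy Hash", ""))
            for r in parse_records(text)]
```

triage(SAMPLE) returns five tuples: the SetFileSecurityW, DialogBoxParamW and CompareStringW functions come back as winrar-sfx-stub, the __getptd wrapper as crt-runtime, and the file-time conversion routine as unclassified, which is the one worth reading first. The caveat for detection work is the mirror image: GETPASSWORD1, RENAMEDLG and the ACL-restore privilege pair identify WinRAR's stub, so a rule built on them matches every self-extracting archive; use the Instruction Fuzzy Hash and API String ID of the unclassified functions for sample-specific pivots instead.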
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                   • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: _swprintf
                                                  • String ID: ;%u
                                                  • API String ID: 589789837-535004727
                                                  • Opcode ID: 8d6632be75e15c05decfb529c35803f2aea70f16b1fc9be6edc689b65e1f5e46
                                                  • Instruction ID: 268b90de5ef8301e543b0e1450f18e5b796866e9caf2f0e9a7a428077d8a2ebb
                                                  • Opcode Fuzzy Hash: 8d6632be75e15c05decfb529c35803f2aea70f16b1fc9be6edc689b65e1f5e46
                                                  • Instruction Fuzzy Hash: ADE114702007445ADB24EF75C699BEE77E5AF40304F04053FE996A72C2DBBCA984CB5A
APIs
• __EH_prolog.LIBCMT ref: 00416795
  • Part of subcall function 004129F9: _realloc.LIBCMT ref: 00412A51
  • Part of subcall function 0041A89A: _malloc.LIBCMT ref: 0041A8B4
• _memset.LIBCMT ref: 004169F6
• _memset.LIBCMT ref: 00416BB0
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
Similarity
• API ID: _memset$H_prolog_malloc_realloc
• String ID:
• API String ID: 1826288403-3916222277
• Opcode ID: e5527970fedf9361396c35484b990f069b2c3a7e4f541cdd1bc40a5546d77403
• Instruction ID: b2eea235d821e150737843ebb12b5e68f22e0a3d12c725fcd3f3b3fef6346f43
• Opcode Fuzzy Hash: e5527970fedf9361396c35484b990f069b2c3a7e4f541cdd1bc40a5546d77403
• Instruction Fuzzy Hash: 92E1BF71A007499FCB10EF65C980BEEB7B1FF14304F11482EE956A7281DB39E991CB59
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
Similarity
• API ID: _wcscpy
• String ID: T
• API String ID: 3048848545-3187964512
• Opcode ID: 7b9b9af83664cc87fe2d3df4d2851bf5f64a8acbd8ca5ef161931a2b21923617
• Instruction ID: 08ee224434b4342d1c159c2c22343cdeaadf414e9d08c0d11a019e9d32988bbe
• Opcode Fuzzy Hash: 7b9b9af83664cc87fe2d3df4d2851bf5f64a8acbd8ca5ef161931a2b21923617
• Instruction Fuzzy Hash: 99910871600744AFDF24DF64C884BEAB7F8AF15304F0445AFE95997282CB78AAC4CB65
APIs
• __EH_prolog.LIBCMT ref: 00406D07
• _wcscpy.LIBCMT ref: 00406D3A
  • Part of subcall function 00410BC9: _wcslen.LIBCMT ref: 00410BCF
  • Part of subcall function 00410BC9: _wcsncat.LIBCMT ref: 00410BE8
• SetFileTime.KERNEL32(?,?,?,?,00000000,00000005,?,00000011,00000000,?,00000000,?,0000003A,00000802,?,00000000), ref: 00406E78
  • Part of subcall function 0040908D: SetFileAttributesW.KERNEL32(00000000,00000000,75923110,00000001,?,0040933D,00000000,?,?,0040941E,?,00000001,00000000,?,?), ref: 004090A8
  • Part of subcall function 0040908D: SetFileAttributesW.KERNEL32(?,00000000,00000000,?,00000800,?,0040933D,00000000,?,?,0040941E,?,00000001,00000000,?,?), ref: 004090D5
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
Similarity
• API ID: File$Attributes$H_prologTime_wcscpy_wcslen_wcsncat
• String ID: :
• API String ID: 326910402-336475711
• Opcode ID: 5e0e7d49851dca55c4deade094d134f4ea512213999111766949daa2ff960fa4
• Instruction ID: 6639f4f99703ce1112f5787d69d8c123706ab186ca62756c3ad703d048bc38cc
• Opcode Fuzzy Hash: 5e0e7d49851dca55c4deade094d134f4ea512213999111766949daa2ff960fa4
• Instruction Fuzzy Hash: D0417F71905258AAEB20EB64CC55EEE737CAF04344F0040ABB556B71C2DB78AF94CF69
APIs
• EndDialog.USER32(?,00000001), ref: 0040D5BE
• GetDlgItemTextW.USER32(?,00000065,?,?), ref: 0040D5D3
• SetDlgItemTextW.USER32(?,00000065,?), ref: 0040D5E8
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
Similarity
• API ID: ItemText$Dialog
• String ID: ASKNEXTVOL
• API String ID: 1770891597-3402441367
• Opcode ID: a8a6f44b6775d0cd3294368f2a4b23b4347bfb04fbb05bfaf2c83a68a4392c99
• Instruction ID: 7c41b1936654f57e10877f1e9afce92132798bffb5e44c1de30f76ec9c95968c
• Opcode Fuzzy Hash: a8a6f44b6775d0cd3294368f2a4b23b4347bfb04fbb05bfaf2c83a68a4392c99
• Instruction Fuzzy Hash: 23118135600104BBDB219FA49C45F663775EB0A718F044036FE01FA1E0D77AD825AB59
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
Similarity
• API ID: Exception@8Throw_memset
• String ID:
• API String ID: 3963884845-3916222277
• Opcode ID: 653566bfccebebc550ca30b6af37db387d4266e4fa5bc9fcb69beb97700c845e
• Instruction ID: ba4e6bc0ef6041dd665025fb65f45a384477b48ee7e133f8ed84bbd0a598a512
• Opcode Fuzzy Hash: 653566bfccebebc550ca30b6af37db387d4266e4fa5bc9fcb69beb97700c845e
• Instruction Fuzzy Hash: 60110671E01218BACB14EFA9CAD55DEB776FF54344F10406BE405E7241D6B85BD2CB88
APIs
• EndDialog.USER32(?,00000001), ref: 0040D4BE
• GetDlgItemTextW.USER32(?,00000065,?,00000080), ref: 0040D4D6
• SetDlgItemTextW.USER32(?,00000066,?), ref: 0040D504
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
Similarity
• API ID: ItemText$Dialog
• String ID: GETPASSWORD1
• API String ID: 1770891597-3292211884
• Opcode ID: 2c39065e7e84a8441d2400259efe6a077f35be0b7a0eee454e8495a0c984ab02
• Instruction ID: 3eed9e1ab7e5d8a1da33783b11a95132ac7616313df89bdc2d2bc64375715bf5
• Opcode Fuzzy Hash: 2c39065e7e84a8441d2400259efe6a077f35be0b7a0eee454e8495a0c984ab02
• Instruction Fuzzy Hash: 4F11CE329001187ADB219FA1AC44EFB3A6DEF59754F404036FD05B20D0C67CD96A96AA
APIs
• InitializeCriticalSection.KERNEL32(000001A0,?,000001B8,0044F590,004110EE,00000020,?,00409901,?,?,?,0040BB60,?,?,00000000,?), ref: 00410F62
• CreateSemaphoreW.KERNEL32(00000000,00000000,00000020,00000000,?,00409901,?,?,?,0040BB60,?,?,00000000,?,?,004124ED), ref: 00410F6C
• CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,00409901,?,?,?,0040BB60,?,?,00000000,?,?,004124ED), ref: 00410F7E
Strings
• Thread pool initialization failed., xrefs: 00410F96
Memory Dump Source
• Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
Similarity
• API ID: Create$CriticalEventInitializeSectionSemaphore
• String ID: Thread pool initialization failed.
• API String ID: 3340455307-2182114853
• Opcode ID: 5d2de00027b14f6e07390935bc826641c20494178e34cc3b56ee4834533d8747
• Instruction ID: 3f206ddc5264aa259e24750db78c3e6b08f6c9018291aa2998b68a3e9789e537
• Opcode Fuzzy Hash: 5d2de00027b14f6e07390935bc826641c20494178e34cc3b56ee4834533d8747
• Instruction Fuzzy Hash: FF115EB1600301AFD3305F659886BE7BBE8FB55315F60482FF6DAC6240D6B458C1CB18
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
Similarity
• API ID:
• String ID: RENAMEDLG$REPLACEFILEDLG
• API String ID: 0-56093855
• Opcode ID: 9dc2c4e2a994375845b1e54b9a4a57574d7f38f83bee2a11927b5ffac3eaf025
• Instruction ID: 0892b1485419df81b4422e2148389c4265d0283c5dc75372e36aae0ff2247616
• Opcode Fuzzy Hash: 9dc2c4e2a994375845b1e54b9a4a57574d7f38f83bee2a11927b5ffac3eaf025
• Instruction Fuzzy Hash: AF017576604204BFC712AB55EC44A167BD5E74A751F040837F901E32B0D3764865DB6E
APIs
• ___BuildCatchObject.LIBCMT ref: 0041E145
  • Part of subcall function 0041E0A0: ___BuildCatchObjectHelper.LIBCMT ref: 0041E0D6
• _UnwindNestedFrames.LIBCMT ref: 0041E15C
• ___FrameUnwindToState.LIBCMT ref: 0041E16A
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
Similarity
• API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
• String ID: csm
• API String ID: 2163707966-1018135373
• Opcode ID: ffb5442ac62a4f85a48ef68d244cd4b92cff39c7c80ea712eb3c4bba393a9d17
• Instruction ID: 59b9ad28f981bea14fd5052789bebdc6dccf333051ec123e92fb5a6599f75b08
• Opcode Fuzzy Hash: ffb5442ac62a4f85a48ef68d244cd4b92cff39c7c80ea712eb3c4bba393a9d17
• Instruction Fuzzy Hash: 14012479401109BBDF126E52CC45EEB3F6AEF09398F044016FD1815261DB3AA8B1EBA9
APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 0040C105
• FindResourceW.KERNEL32(00000000,RTL,00000005), ref: 0040C114
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
Similarity
• API ID: FindHandleModuleResource
• String ID: LTR$RTL
• API String ID: 3537982541-719208805
• Opcode ID: f2852aa2e9ae8da3690023ec4cfec567c4dc869793b37f459442400b2d93c3ba
• Instruction ID: 3bee6f5c2cd76a6cf6446ed83b6680fa0d6a216d229c8f919e909fc3329ffe0a
• Opcode Fuzzy Hash: f2852aa2e9ae8da3690023ec4cfec567c4dc869793b37f459442400b2d93c3ba
• Instruction Fuzzy Hash: 69F0243238026467DA2067756C4AFE72B7CAB81310F44057AB605E71C1CFA8D499CBEE
APIs
• GetModuleHandleA.KERNEL32(KERNEL32,0041D860), ref: 00423468
• GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00423478
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: IsProcessorFeaturePresent$KERNEL32
• API String ID: 1646373207-3105848591
• Opcode ID: 7ab99d9e72488d8bf21e4bf78f78cc33f843bd022a3d825351adfd90e0f12518
• Instruction ID: 925bd1e911d968a2cf7935e923f91739ef174afc765d351c528eb22c7f6e48fa
• Opcode Fuzzy Hash: 7ab99d9e72488d8bf21e4bf78f78cc33f843bd022a3d825351adfd90e0f12518
• Instruction Fuzzy Hash: C7F03060B00A1AD2DB116FA1BC1A67F7B78FB80742FD105D1D6D5E0084DF7885B1D38A
APIs
• LoadCursorW.USER32(00000000,00007F00), ref: 00419A6D
• RegisterClassExW.USER32(00000030), ref: 00419A8E
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
Similarity
• API ID: ClassCursorLoadRegister
• String ID: 0$RarHtmlClassName
• API String ID: 1693014935-3342523147
• Opcode ID: 191bbc33d2b33050640957ba9683b50acfea39c34108bf4aa43fc12e5a7eb183
• Instruction ID: b9ed7023dc6f3226d58ddf2044dfc6b29f2317d5cd4a011e6e0fd8f9270d308a
• Opcode Fuzzy Hash: 191bbc33d2b33050640957ba9683b50acfea39c34108bf4aa43fc12e5a7eb183
• Instruction Fuzzy Hash: 81F0F2B1D00228ABCB019F9AD844AEEFBF8FF98304F10805BE500B6250D7B916018FA9
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(kernel32,0040FF03,00000001), ref: 00410E21
                                                  • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00410E31
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: AddressHandleModuleProc
                                                  • String ID: SetDllDirectoryW$kernel32
                                                  • API String ID: 1646373207-2052158636
                                                  • Opcode ID: 613fa81eedf6cfefe4bb79f79fd7d80da4da150b27e50d1fb967e6d6e35de1a2
                                                  • Instruction ID: d1dc000951ac042e8af12af71ac4f40d64c7c6d3e89629ddd7054994e9706fe8
                                                  • Opcode Fuzzy Hash: 613fa81eedf6cfefe4bb79f79fd7d80da4da150b27e50d1fb967e6d6e35de1a2
                                                  • Instruction Fuzzy Hash: 2BD0A7B03243215797282B729C1AB2B65584B50F027944D3E7E0AC0080CA6DC0A0853F
                                                  APIs
                                                  • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,?,?,00407536,?,?,?), ref: 004091CD
                                                  • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00407536,?,?,?,?), ref: 00409204
                                                  • SetFileTime.KERNEL32(?,00000000,00000000,00000000,?,00407536,?,?,?,?), ref: 00409275
                                                  • CloseHandle.KERNEL32(?,?,00407536,?,?,?,?), ref: 0040927E
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: File$Create$CloseHandleTime
                                                  • String ID:
                                                  • API String ID: 2287278272-0
                                                  • Opcode ID: 6a8276f57ee53cdbc91cc020f39a17d418f5c9fb0df3296a94224ec9e042af11
                                                  • Instruction ID: 149005b1c5d3a5dbb79089aff48ec9cca0dae1d541df05bff41c4f18bd56acf5
                                                  • Opcode Fuzzy Hash: 6a8276f57ee53cdbc91cc020f39a17d418f5c9fb0df3296a94224ec9e042af11
                                                  • Instruction Fuzzy Hash: 1141A131A00248BEEF12DBA4CC49FEE7BB89F05304F1445AAF851BB2D2C6789E45D755
                                                  APIs
                                                  • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00425002
                                                  • __isleadbyte_l.LIBCMT ref: 00425036
                                                  • MultiByteToWideChar.KERNEL32(00000080,00000009,0041A9BA,?,00000000,00000000,?,?,?,?,0041A9BA,00000000,?), ref: 00425067
                                                  • MultiByteToWideChar.KERNEL32(00000080,00000009,0041A9BA,00000001,00000000,00000000,?,?,?,?,0041A9BA,00000000,?), ref: 004250D5
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                  • String ID:
                                                  • API String ID: 3058430110-0
                                                  • Opcode ID: 5ede48c89caf3767bd10844c4e2adb50473344288511d083f5bbcd5d287f352f
                                                  • Instruction ID: 432046cfce088e341913eb2016d1b5e66f5b1b0e2666f0ac1bd271c546b36d2c
                                                  • Opcode Fuzzy Hash: 5ede48c89caf3767bd10844c4e2adb50473344288511d083f5bbcd5d287f352f
                                                  • Instruction Fuzzy Hash: C831D131B00265EFDB20DF64EC809BA7BA0EF41310F5685AAE4618B2D1D735D981DB99
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: _memset
                                                  • String ID:
                                                  • API String ID: 2102423945-0
                                                  • Opcode ID: 0d338722b2e3e51696f4e1a05dd7a6835afd7bcab5979c6f78e2f817af711592
                                                  • Instruction ID: dbb621f027503421eccd8689c294ebf88999011181a54c0115c225b35bd7b5a3
                                                  • Opcode Fuzzy Hash: 0d338722b2e3e51696f4e1a05dd7a6835afd7bcab5979c6f78e2f817af711592
                                                  • Instruction Fuzzy Hash: 9811487164478069E220EA7A4C46FE3B6DD9B1931CF44883FF2DEC7183C6AA6846C756
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00411077
                                                  • EnterCriticalSection.KERNEL32(0044F590,?,?,?,00409901,?,?,?,0040BB60,?,?,00000000,?,?,004124ED,?), ref: 00411085
                                                  • LeaveCriticalSection.KERNEL32(0044F590,?,00409901,?,?,?,0040BB60,?,?,00000000,?,?,004124ED,?,?,?), ref: 004110F5
                                                    • Part of subcall function 0041A89A: _malloc.LIBCMT ref: 0041A8B4
                                                  • LeaveCriticalSection.KERNEL32(0044F590,?,00409901,?,?,?,0040BB60,?,?,00000000,?,?,004124ED,?,?,?), ref: 00411100
                                                    • Part of subcall function 00410F29: InitializeCriticalSection.KERNEL32(000001A0,?,000001B8,0044F590,004110EE,00000020,?,00409901,?,?,?,0040BB60,?,?,00000000,?), ref: 00410F62
                                                    • Part of subcall function 00410F29: CreateSemaphoreW.KERNEL32(00000000,00000000,00000020,00000000,?,00409901,?,?,?,0040BB60,?,?,00000000,?,?,004124ED), ref: 00410F6C
                                                    • Part of subcall function 00410F29: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,00409901,?,?,?,0040BB60,?,?,00000000,?,?,004124ED), ref: 00410F7E
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: CriticalSection$CreateLeave$EnterEventH_prologInitializeSemaphore_malloc
                                                  • String ID:
                                                  • API String ID: 1405584564-0
                                                  • Opcode ID: 3f0bec743d3c3e54beb4ca038bcc84bad5a4a530a73f67f15a7eea00e341295c
                                                  • Instruction ID: 491e5497db774d6ab3e78c5f78b9db4af1dc916e288055147b814ae628d52a75
                                                  • Opcode Fuzzy Hash: 3f0bec743d3c3e54beb4ca038bcc84bad5a4a530a73f67f15a7eea00e341295c
                                                  • Instruction Fuzzy Hash: 1A118234A01321EBD724AF74AC457EABBA4AB0C355F10453BE902E3692DBBC89D1865D
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                  • String ID:
                                                  • API String ID: 3016257755-0
                                                  • Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                                  • Instruction ID: 44ddc5ebc1807cb1f8dbc3b2ce9dd0a677749795dee404b17e6a32e81244ff51
                                                  • Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                                  • Instruction Fuzzy Hash: AE11723250015EFBCF125E85EC418EE3F32BB48355B988456FE1859130CA3ACAB2AB85
                                                  APIs
                                                    • Part of subcall function 0040C3BF: LoadStringW.USER32(?,-004335D5,00000200), ref: 0040C410
                                                    • Part of subcall function 0040C3BF: LoadStringW.USER32(?,-004335D5,00000200), ref: 0040C422
                                                  • _swprintf.LIBCMT ref: 00411AB8
                                                    • Part of subcall function 0040BC16: __vswprintf_c_l.LIBCMT ref: 0040BC29
                                                  • GetLastError.KERNEL32(?), ref: 00411AC0
                                                  • MessageBoxW.USER32(?,00000000,00000096,00000035), ref: 00411AE2
                                                  • SetLastError.KERNEL32(00000000), ref: 00411AEF
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastLoadString$Message__vswprintf_c_l_swprintf
                                                  • String ID:
                                                  • API String ID: 2205000856-0
                                                  • Opcode ID: 68bc4feaeb3ec1ded5fc4cddc0e8f758a38e28cbc6004bdae2a7d7facef01b9c
                                                  • Instruction ID: 7f3341f69499fe42e6dffd8e50f304e55c87ac1a4f55305a7eb793650ce5b90b
                                                  • Opcode Fuzzy Hash: 68bc4feaeb3ec1ded5fc4cddc0e8f758a38e28cbc6004bdae2a7d7facef01b9c
                                                  • Instruction Fuzzy Hash: 74F02732140114ABF71137E08C4AECA379CFB087C5F000277FA01F21A2EA79996487BD
                                                  APIs
                                                  • __getptd.LIBCMT ref: 0042231F
                                                    • Part of subcall function 0041E9B4: __getptd_noexit.LIBCMT ref: 0041E9B7
                                                    • Part of subcall function 0041E9B4: __amsg_exit.LIBCMT ref: 0041E9C4
                                                  • __getptd.LIBCMT ref: 00422336
                                                  • __amsg_exit.LIBCMT ref: 00422344
                                                  • __lock.LIBCMT ref: 00422354
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                                                  • String ID:
                                                  • API String ID: 3521780317-0
                                                  • Opcode ID: 2067aca802aea6c84e1c6e0627a9ce2a9215c14d0a893de0c815b7a1e0d9c920
                                                  • Instruction ID: ac1e04e8c31356b773b53a495aea9e08dc5a2d3a98daccf88dafce2968103349
                                                  • Opcode Fuzzy Hash: 2067aca802aea6c84e1c6e0627a9ce2a9215c14d0a893de0c815b7a1e0d9c920
                                                  • Instruction Fuzzy Hash: D2F09631B00720EBDB60FBB6A50279D73A07F44724F54416FE844AB2D1CBBC9942DA5E
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: _wcslen
                                                  • String ID: __rar_
                                                  • API String ID: 176396367-2561138058
                                                  • Opcode ID: cc00e60038d7e5b00a294da67532c8ff9d8da0984a3b6968a0dc5b622ff721b3
                                                  • Instruction ID: 2f22db44ea277558b4e0ddbd7bf004989f9b0852302f55cc0e1d63be076b661c
                                                  • Opcode Fuzzy Hash: cc00e60038d7e5b00a294da67532c8ff9d8da0984a3b6968a0dc5b622ff721b3
                                                  • Instruction Fuzzy Hash: 2E41A176A0021966DF21AA65CC81BEF336DAF54384F08087BF905B31D3D63DCD9187A9
                                                  APIs
                                                    • Part of subcall function 0040CEB6: LoadLibraryW.KERNEL32(Crypt32.dll,00000020,0040CF0E,00000020,?,?,00405D3C,?,00000020,00000001,00000000,?,00000010,?,?,?), ref: 0040CEC4
                                                    • Part of subcall function 0040CEB6: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0040CEDD
                                                    • Part of subcall function 0040CEB6: GetProcAddress.KERNEL32(00438800,CryptUnprotectMemory), ref: 0040CEE9
                                                  • GetCurrentProcessId.KERNEL32(00000020,?,?,00405D3C,?,00000020,00000001,00000000,?,00000010,?,?,?,00000001,?,?), ref: 0040CF7C
                                                  Strings
                                                  • CryptUnprotectMemory failed, xrefs: 0040CF75
                                                  • CryptProtectMemory failed, xrefs: 0040CF3C
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$CurrentLibraryLoadProcess
                                                  • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                                                  • API String ID: 137661620-396321323
                                                  • Opcode ID: fe221cb1f1ebd7538222251a67e743d79676efd4ab4d459fbc5578979eb1af3c
                                                  • Instruction ID: d47b55f9d8946329b2d763cf1c5c736fe64ad30a662938a08eea1033a11e378d
                                                  • Opcode Fuzzy Hash: fe221cb1f1ebd7538222251a67e743d79676efd4ab4d459fbc5578979eb1af3c
                                                  • Instruction Fuzzy Hash: C411C171304213AFDB09AF349CD197F6756CB41B14724423FF902AA2C2DA388C41529E
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: _wcschr_wcspbrk
                                                  • String ID: ?*<>|"
                                                  • API String ID: 3305141221-226352099
                                                  • Opcode ID: 7f6a6c1d5428e83731d2b65d13748a0e82632fc7d37b167bce2bcb03fdaf0a03
                                                  • Instruction ID: fc4717308da4314e5704a136f2044a521342e33b833bb001f63317f55d448289
                                                  • Opcode Fuzzy Hash: 7f6a6c1d5428e83731d2b65d13748a0e82632fc7d37b167bce2bcb03fdaf0a03
                                                  • Instruction Fuzzy Hash: 1DF0F42912832254DE38A6659805AB333D49F15784F60447FE8D2BA2C2EA3D8CE3C16F
                                                  APIs
                                                    • Part of subcall function 0041A429: __getptd.LIBCMT ref: 0041A42F
                                                    • Part of subcall function 0041A429: __getptd.LIBCMT ref: 0041A43F
                                                  • __getptd.LIBCMT ref: 0041DEBA
                                                    • Part of subcall function 0041E9B4: __getptd_noexit.LIBCMT ref: 0041E9B7
                                                    • Part of subcall function 0041E9B4: __amsg_exit.LIBCMT ref: 0041E9C4
                                                  • __getptd.LIBCMT ref: 0041DEC8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: __getptd$__amsg_exit__getptd_noexit
                                                  • String ID: csm
                                                  • API String ID: 803148776-1018135373
                                                  • Opcode ID: 2d55cb122b51988d1cc7e6481490fc99cbdc11bcbdbc1298bbf42470784b3229
                                                  • Instruction ID: 7c6b91792d137033b66a9eec197cc920f164d7126653d302a3e0d72df4157e21
                                                  • Opcode Fuzzy Hash: 2d55cb122b51988d1cc7e6481490fc99cbdc11bcbdbc1298bbf42470784b3229
                                                  • Instruction Fuzzy Hash: 040162B5C013148ACF389F25D444AEEB3B6AF14315F24441FE44156791DB38DED1DB49
                                                  APIs
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,00410FD9,?,?,00411197,?,?,?,?,?,004111E6), ref: 00410EA6
                                                  • GetLastError.KERNEL32(?,?,?,?,?,004111E6), ref: 00410EB2
                                                    • Part of subcall function 00406423: __vswprintf_c_l.LIBCMT ref: 00406441
                                                  Strings
                                                  • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00410EBB
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3363237315.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000A.00000002.3363199926.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363282311.000000000042A000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363319064.000000000044F000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 0000000A.00000002.3363433671.0000000000452000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_400000_tasksche.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                                                  • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                  • API String ID: 1091760877-2248577382
                                                  • Opcode ID: ac3bcd71a64bb110093b5bec46156cf20680403487952e12d0601c5134127ac2
                                                  • Instruction ID: 79dccacb4fa0009262a18c3e3c709d5502c54047c68cfd859e09497cac206ec9
                                                  • Opcode Fuzzy Hash: ac3bcd71a64bb110093b5bec46156cf20680403487952e12d0601c5134127ac2
                                                  • Instruction Fuzzy Hash: 13D0C23260402037C5013B245C05EAE36116B11331BA00722F831602F1CB6909A2429F