Windows Analysis Report
phantomtoolsv2.exe

Overview

General Information

Sample name: phantomtoolsv2.exe
Analysis ID: 1532357
MD5: 0c01cfc0685211b3c655c7a9526f1849
SHA1: 864d23804b6e3c98efd1b56863a484b505ddf40b
SHA256: 8d6ee227c57e825bc978db47c7587d46e7df06e3656d493486ee26b1426c98a6
Tags: exe, user-aachum

Detection

CredGrabber, Meduza Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected CredGrabber
Yara detected Meduza Stealer
AI detected suspicious sample
Creates files in alternative data streams (ADS)
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Self deletion via cmd or bat file
Sigma detected: Suspicious Ping/Del Command Combination
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Terminates after testing mutex exists (may check infected machine status)
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • phantomtoolsv2.exe (PID: 7324 cmdline: "C:\Users\user\Desktop\phantomtoolsv2.exe" MD5: 0C01CFC0685211B3C655C7A9526F1849)
    • phantomtoolsv2.exe (PID: 7360 cmdline: "C:\Users\user\Desktop\phantomtoolsv2.exe" MD5: 0C01CFC0685211B3C655C7A9526F1849)
      • cmd.exe (PID: 7636 cmdline: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\phantomtoolsv2.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • PING.EXE (PID: 7680 cmdline: ping 1.1.1.1 -n 1 -w 3000 MD5: 2F46799D79D22AC72C241EC0322B011D)
  • cleanup
{"C2 url": "79.137.202.152", "anti_vm": true, "anti_dbg": true, "port": 15666, "build_name": "Legenda", "self_destruct": true, "extensions": ".txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite", "links": "", "grabber_max_size": 1048576}
Source | Rule | Description | Author | Strings
Process Memory Space: phantomtoolsv2.exe PID: 7360 | JoeSecurity_MeduzaStealer | Yara detected Meduza Stealer | Joe Security |
Process Memory Space: phantomtoolsv2.exe PID: 7360 | JoeSecurity_CredGrabber | Yara detected CredGrabber | Joe Security |

      System Summary

      Source: Process started | Author: Ilya Krestinichev | Data: Command: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\phantomtoolsv2.exe", CommandLine: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\phantomtoolsv2.exe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\phantomtoolsv2.exe", ParentImage: C:\Users\user\Desktop\phantomtoolsv2.exe, ParentProcessId: 7360, ParentProcessName: phantomtoolsv2.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\phantomtoolsv2.exe", ProcessId: 7636, ProcessName: cmd.exe
      Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
      2024-10-13T01:38:09.966420+0200 | 2049441 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 79.137.202.152 | 15666 | TCP
      2024-10-13T01:38:09.966420+0200 | 2050806 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 79.137.202.152 | 15666 | TCP
      2024-10-13T01:38:09.971752+0200 | 2050806 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 79.137.202.152 | 15666 | TCP
      2024-10-13T01:38:09.966420+0200 | 2050807 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 79.137.202.152 | 15666 | TCP
      2024-10-13T01:38:09.971752+0200 | 2050807 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 79.137.202.152 | 15666 | TCP

      AV Detection

      Source: C:\Users\user\Desktop\phantomtoolsv2.exe:a.dll | Avira: detection malicious, Label: HEUR/AGEN.1354117
      Source: 1.2.phantomtoolsv2.exe.140000000.0.unpack | Malware Configuration Extractor: Meduza Stealer {"C2 url": "79.137.202.152", "anti_vm": true, "anti_dbg": true, "port": 15666, "build_name": "Legenda", "self_destruct": true, "extensions": ".txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite", "links": "", "grabber_max_size": 1048576}
      Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe:a.dll | Joe Sandbox ML: detected
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe | Code function: 1_2_000000014006FB80 CryptUnprotectData,LocalFree,1_2_000000014006FB80
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe | Code function: 1_2_00000001400D0090 CryptUnprotectData,1_2_00000001400D0090
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe | Code function: 1_2_0000000140035E00 CryptUnprotectData,LocalFree,1_2_0000000140035E00
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe | Code function: 1_2_000000014006FEA0 CryptProtectData,LocalFree,1_2_000000014006FEA0
      Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49738 version: TLS 1.2
      Source: phantomtoolsv2.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe | Code function: 1_2_00000001400B6740 FindClose,FindFirstFileExW,GetLastError,1_2_00000001400B6740
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe | Code function: 1_2_00000001400B67F0 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle,1_2_00000001400B67F0
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe | Code function: 1_2_000000014007EF60 GetLogicalDriveStringsW,1_2_000000014007EF60
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe | File opened: D:\sources\migration\
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe | File opened: D:\sources\replacementmanifests\
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe | File opened: D:\sources\migration\wtr\
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe | File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe | File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe | File opened: D:\sources\replacementmanifests\hwvid-migration-2\
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe | Code function: 4x nop then push rdi | 0_2_00007FF7B890C950
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe | Code function: 4x nop then sub rsp, 28h | 0_2_00007FF7B890C460
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe | Code function: 4x nop then push rdi | 1_2_00007FF7B890C950
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe | Code function: 4x nop then sub rsp, 28h | 1_2_00007FF7B890C460

      Networking

      Source: Network traffic | Suricata IDS: 2049441 - Severity 1 - ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt : 192.168.2.4:49737 -> 79.137.202.152:15666
      Source: Network traffic | Suricata IDS: 2050806 - Severity 1 - ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2 : 192.168.2.4:49737 -> 79.137.202.152:15666
      Source: Network traffic | Suricata IDS: 2050807 - Severity 1 - ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP) : 192.168.2.4:49737 -> 79.137.202.152:15666
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000
      Source: global traffic | TCP traffic: 192.168.2.4:49737 -> 79.137.202.152:15666
      Source: global traffic | HTTP traffic detected: GET / HTTP/1.1, Accept: text/html; text/plain; */*, Host: api.ipify.org, Cache-Control: no-cache
      Source: Joe Sandbox View | IP Address: 79.137.202.152
      Source: Joe Sandbox View | IP Address: 104.26.13.205
      Source: Joe Sandbox View | ASN Name: PSKSET-ASRU
      Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
      Source: unknown | DNS query: name: api.ipify.org
      Source: unknown | TCP traffic detected without corresponding DNS query: 79.137.202.152
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe | Code function: 1_2_000000014007C5E0 recv,recv,closesocket,WSACleanup,1_2_000000014007C5E0
      Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
      Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
      Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49738 version: TLS 1.2
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe | Code function: 1_2_000000014007D6E0 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SHCreateMemStream,SelectObject,DeleteDC,ReleaseDC,DeleteObject,EnterCriticalSection,LeaveCriticalSection,IStream_Size,IStream_Reset,IStream_Read,SelectObject,DeleteDC,ReleaseDC,DeleteObject,1_2_000000014007D6E0
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe | Code function: 0_2_00007FF7B88046A4 CreateToolhelp32Snapshot,Process32First,Process32Next,NtClose,0_2_00007FF7B88046A4
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe | Code function: 0_2_00007FF7B8803060 GetCurrentProcess,NtQueryInformationProcess,GetTempPathA,strlen,strlen,memcpy,0_2_00007FF7B8803060
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe | Code function: 0_2_00007FF7B8803C70 GetCurrentProcess,NtQueryInformationProcess,GetTempPathW,wcslen,wcslen,strlen,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wcslen,LdrLoadDll,GetProcAddress,VirtualProtect,LdrUnloadDll,0_2_00007FF7B8803C70
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe | Code function: 1_2_0000000140082030 RtlAcquirePebLock,NtAllocateVirtualMemory,lstrcpyW,lstrcatW,NtAllocateVirtualMemory,lstrcpyW,RtlInitUnicodeString,RtlInitUnicodeString,LdrEnumerateLoadedModules,RtlReleasePebLock,CoInitializeEx,lstrcpyW,lstrcatW,CoGetObject,lstrcpyW,lstrcatW,CoGetObject,CoUninitialize,1_2_0000000140082030
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe | Code function: 1_2_00000001400D06E8 NtAllocateVirtualMemory,1_2_00000001400D06E8
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe | Code function: 1_2_00000001400818F0 GetModuleHandleA,GetProcAddress,OpenProcess,NtQuerySystemInformation,NtQuerySystemInformation,NtDuplicateObject,GetCurrentProcess,NtDuplicateObject,NtQueryObject,GetFinalPathNameByHandleA,CloseHandle,CloseHandle,1_2_00000001400818F0
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_00000001400963001_2_0000000140096300
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_00000001400563401_2_0000000140056340
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_00000001400263401_2_0000000140026340
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_00000001400933441_2_0000000140093344
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_00000001400253501_2_0000000140025350
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_00000001400553601_2_0000000140055360
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_00000001400823801_2_0000000140082380
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_000000014006A4001_2_000000014006A400
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_00000001400A54641_2_00000001400A5464
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_00000001400924641_2_0000000140092464
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_000000014009C4981_2_000000014009C498
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_000000014006E49A1_2_000000014006E49A
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_000000014004C5001_2_000000014004C500
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_00000001400625101_2_0000000140062510
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_00000001400705A01_2_00000001400705A0
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_00000001400066101_2_0000000140006610
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_00000001400596B01_2_00000001400596B0
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_000000014006A7301_2_000000014006A730
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_00000001400667501_2_0000000140066750
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_00000001400907A01_2_00000001400907A0
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_000000014009E7A41_2_000000014009E7A4
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_000000014009B9681_2_000000014009B968
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_00000001400269E01_2_00000001400269E0
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_0000000140078A401_2_0000000140078A40
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_000000014006AA501_2_000000014006AA50
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_0000000140092AAC1_2_0000000140092AAC
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_0000000140037AAD1_2_0000000140037AAD
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_00000001400A6ACC1_2_00000001400A6ACC
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_00000001400BBB801_2_00000001400BBB80
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_000000014006DBC01_2_000000014006DBC0
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_000000014002FC801_2_000000014002FC80
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_0000000140006D201_2_0000000140006D20
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_000000014004AD301_2_000000014004AD30
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_000000014006AD701_2_000000014006AD70
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_0000000140005DB01_2_0000000140005DB0
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_000000014009BE181_2_000000014009BE18
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_000000014006CE401_2_000000014006CE40
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_0000000140075E701_2_0000000140075E70
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_0000000140072EC01_2_0000000140072EC0
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_000000014009CF181_2_000000014009CF18
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_0000000140038FB01_2_0000000140038FB0
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_00007FF7B88FC9501_2_00007FF7B88FC950
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_00007FF7B8806A401_2_00007FF7B8806A40
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_00007FF7B881DA841_2_00007FF7B881DA84
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_00007FF7B8815B201_2_00007FF7B8815B20
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_00007FF7B8803C701_2_00007FF7B8803C70
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_00007FF7B88251401_2_00007FF7B8825140
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_00007FF7B88E72201_2_00007FF7B88E7220
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_00007FF7B88072901_2_00007FF7B8807290
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_00007FF7B881D3671_2_00007FF7B881D367
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_00007FF7B881C4A01_2_00007FF7B881C4A0
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_00007FF7B88034D01_2_00007FF7B88034D0
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_00007FF7B88264F01_2_00007FF7B88264F0
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: String function: 00007FF7B8902CD0 appears 32 times
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: String function: 0000000140034B20 appears 41 times
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: String function: 00000001400300A0 appears 58 times
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: String function: 00007FF7B890C0A0 appears 43 times
      Source: phantomtoolsv2.exe_a.dll.0.drStatic PE information: Number of sections : 11 > 10
      Source: phantomtoolsv2.exe, 00000001.00000003.1895939117.0000021021451000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCmd.Exej% vs phantomtoolsv2.exe
      Source: phantomtoolsv2.exe, 00000001.00000003.1884710900.000002102144D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCmd.Exej% vs phantomtoolsv2.exe
      Source: phantomtoolsv2.exe, 00000001.00000003.1894702858.000002102144D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCmd.Exej% vs phantomtoolsv2.exe
      Source: phantomtoolsv2.exe, 00000001.00000002.1898356987.0000021021451000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCmd.Exej% vs phantomtoolsv2.exe
      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@8/2@1/2
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_00000001400835B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,1_2_00000001400835B0
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_00000001400D0008 AdjustTokenPrivileges,CredEnumerateA,1_2_00000001400D0008
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 0_2_00007FF7B88046A4 CreateToolhelp32Snapshot,Process32First,Process32Next,NtClose,0_2_00007FF7B88046A4
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_00000001400D0730 CoCreateInstance,1_2_00000001400D0730
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeFile created: C:\Users\user\Desktop\phantomtoolsv2.exe:a.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeMutant created: \Sessions\1\BaseNamedObjects\Mmm-A33C734061CA11EE8C18806E6F6E6963A85413CE
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7644:120:WilError_03
      Source: phantomtoolsv2.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: unknownProcess created: C:\Users\user\Desktop\phantomtoolsv2.exe "C:\Users\user\Desktop\phantomtoolsv2.exe"
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeProcess created: C:\Users\user\Desktop\phantomtoolsv2.exe "C:\Users\user\Desktop\phantomtoolsv2.exe"
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\phantomtoolsv2.exe"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: wininet.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: rstrtmgr.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: ncrypt.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: ntasn1.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: winnsi.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: dnsapi.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: rasadhlp.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: fwpuclnt.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: schannel.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: mskeyprotect.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: dpapi.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: ncryptsslp.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: windowscodecs.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: vaultcli.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: edputil.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: windows.staterepositoryps.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: appresolver.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: bcp47langs.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: slc.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: sppc.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: onecorecommonproxystub.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
      Source: C:\Windows\System32\PING.EXESection loaded: iphlpapi.dllJump to behavior
      Source: C:\Windows\System32\PING.EXESection loaded: winnsi.dllJump to behavior
      Source: C:\Windows\System32\PING.EXESection loaded: mswsock.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
      Source: phantomtoolsv2.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
      Source: phantomtoolsv2.exeStatic PE information: Image base 0x140000000 > 0x60000000
      Source: phantomtoolsv2.exeStatic file information: File size 2746880 > 1048576
      Source: phantomtoolsv2.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x10bc00
      Source: phantomtoolsv2.exeStatic PE information: Raw size of .rdata is bigger than: 0x100000 < 0x16f600
      Source: phantomtoolsv2.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 0_2_00007FF7B8803C70 GetCurrentProcess,NtQueryInformationProcess,GetTempPathW,wcslen,wcslen,strlen,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wcslen,LdrLoadDll,GetProcAddress,VirtualProtect,LdrUnloadDll,0_2_00007FF7B8803C70
      Source: phantomtoolsv2.exeStatic PE information: section name: .xdata
      Source: phantomtoolsv2.exe_a.dll.0.drStatic PE information: section name: .xdata
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 0_2_00007FF7B881AAF6 push rsp; retf 0_2_00007FF7B881AAF9
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 0_2_00007FF7B881D857 push rax; iretd 0_2_00007FF7B881D858
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_00007FF7B881AAF6 push rsp; retf 1_2_00007FF7B881AAF9
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_00007FF7B881D857 push rax; iretd 1_2_00007FF7B881D858
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeFile created: C:\Users\user\Desktop\phantomtoolsv2.exe:a.dllJump to dropped file
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_00000001400740C0 ExitProcess,OpenMutexA,ExitProcess,CreateMutexA,CreateMutexExA,ExitProcess,ReleaseMutex,CloseHandle,1_2_00000001400740C0

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Users\user\Desktop\phantomtoolsv2.exeFile created: C:\Users\user\Desktop\phantomtoolsv2.exe:a.dllJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeProcess created: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\phantomtoolsv2.exe"
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion

      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeDropped PE file which has not been started: C:\Users\user\Desktop\phantomtoolsv2.exe:a.dllJump to dropped file
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-14088
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_1-71649
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeAPI coverage: 7.7 %
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_00000001400B6740 FindClose,FindFirstFileExW,GetLastError,1_2_00000001400B6740
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_00000001400B67F0 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle,1_2_00000001400B67F0
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_000000014007EF60 GetLogicalDriveStringsW,1_2_000000014007EF60
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_0000000140094A30 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect,1_2_0000000140094A30
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeFile opened: D:\sources\migration\Jump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeFile opened: D:\sources\replacementmanifests\Jump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeFile opened: D:\sources\migration\wtr\Jump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeFile opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\Jump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeFile opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\Jump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeFile opened: D:\sources\replacementmanifests\hwvid-migration-2\Jump to behavior
      Source: phantomtoolsv2.exe, 00000001.00000003.1882946764.0000021021351000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: phantomtoolsv2.exe, 00000001.00000003.1726312341.000002101EA10000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000002.1897542352.000002101E9FA000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1896285771.000002101E9FA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWcP;0
      Source: phantomtoolsv2.exe, 00000001.00000002.1897542352.000002101E9C0000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1896285771.000002101E9BE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWP
      Source: phantomtoolsv2.exe, 00000001.00000003.1726312341.000002101EA10000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000002.1897542352.000002101E9FA000.00000004.00000020.00020000.00000000.sdmp, phantomtoolsv2.exe, 00000001.00000003.1896285771.000002101E9FA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeAPI call chain: ExitProcess graph end nodegraph_1-71598
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeAPI call chain: ExitProcess graph end nodegraph_1-71603
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeProcess information queried: ProcessInformationJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 0_2_00007FF7B8803C70 GetCurrentProcess,NtQueryInformationProcess,GetTempPathW,wcslen,wcslen,strlen,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wcslen,LdrLoadDll,GetProcAddress,VirtualProtect,LdrUnloadDll,0_2_00007FF7B8803C70
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_00000001400D02C8 IsDebuggerPresent,1_2_00000001400D02C8
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_00000001400B8A44 GetLastError,IsDebuggerPresent,OutputDebugStringW,1_2_00000001400B8A44
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 0_2_00007FF7B88011D9 SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,0_2_00007FF7B88011D9
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 0_2_00007FF7B8AA0550 SetUnhandledExceptionFilter,0_2_00007FF7B8AA0550
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_00000001400D02D8 SetUnhandledExceptionFilter,1_2_00000001400D02D8
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_000000014008D3D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_000000014008D3D8
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_00007FF7B88011D9 SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,1_2_00007FF7B88011D9

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Users\user\Desktop\phantomtoolsv2.exeNtQueryInformationProcess: Indirect: 0x7FF7B8803CADJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeNtQueryInformationProcess: Indirect: 0x7FF7B8803098Jump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeNtClose: Indirect: 0x7FF7B8804830
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeMemory written: C:\Users\user\Desktop\phantomtoolsv2.exe base: 140000000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeThread register set: target process: 7360Jump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_0000000140072EC0 ShellExecuteW,1_2_0000000140072EC0
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeProcess created: C:\Users\user\Desktop\phantomtoolsv2.exe "C:\Users\user\Desktop\phantomtoolsv2.exe"Jump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\phantomtoolsv2.exe"Jump to behavior
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000Jump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 0_2_00007FF7B8804350 cpuid 0_2_00007FF7B8804350
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: EnumSystemLocalesW,1_2_00000001400A409C
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: EnumSystemLocalesW,1_2_00000001400A416C
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: EnumSystemLocalesW,1_2_0000000140099354
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: GetLocaleInfoW,1_2_00000001400D0390
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: GetLocaleInfoEx,FormatMessageA,1_2_00000001400B63B0
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,1_2_00000001400A45A8
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,1_2_00000001400A4784
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: GetLocaleInfoW,1_2_0000000140099898
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,1_2_00000001400A3D50
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeKey value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation TimeZoneKeyNameJump to behavior
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 0_2_00007FF7B881B500 GetSystemTimeAsFileTime,0_2_00007FF7B881B500
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_000000014007DCC0 GetUserNameW,1_2_000000014007DCC0
      Source: C:\Users\user\Desktop\phantomtoolsv2.exeCode function: 1_2_000000014007F210 GetTimeZoneInformation,GlobalMemoryStatusEx,wcsftime,GetModuleFileNameA,1_2_000000014007F210

      Stealing of Sensitive Information

      Source: Yara matchFile source: Process Memory Space: phantomtoolsv2.exe PID: 7360, type: MEMORYSTR
      Source: phantomtoolsv2.exe, 00000001.00000002.1897429096.000002101E999000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Electrum-LTC\config
      Source: phantomtoolsv2.exe, 00000001.00000002.1897429096.000002101E999000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ElectronCash\wallets
      Source: phantomtoolsv2.exe, 00000001.00000003.1758154668.0000021023AF4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: "software": "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",
      Source: phantomtoolsv2.exe, 00000001.00000002.1897429096.000002101E999000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Exodus\exodus.wallet
      Source: phantomtoolsv2.exe, 00000001.00000002.1897429096.000002101E999000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Ethereum\keystore
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOCK
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
      Source: C:\Users\user\Desktop\phantomtoolsv2.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

      Remote Access Functionality

      Source: Yara match File source: Process Memory Space: phantomtoolsv2.exe PID: 7360, type: MEMORYSTR
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 3 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 12 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Abuse Elevation Control Mechanism | 1 Abuse Elevation Control Mechanism | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 2 Data from Local System | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 3 Obfuscated Files or Information | Security Account Manager | 4 File and Directory Discovery | SMB/Windows Admin Shares | 1 Screen Capture | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Access Token Manipulation | 1 DLL Side-Loading | NTDS | 34 System Information Discovery | Distributed Component Object Model | 1 Email Collection | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 211 Process Injection | 1 File Deletion | LSA Secrets | 21 Security Software Discovery | SSH | Keylogging | 3 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 2 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 1 System Owner/User Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 211 Process Injection | Proc Filesystem | 1 Remote System Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 NTFS File Attributes | /etc/passwd and /etc/shadow | 11 System Network Configuration Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
      No Antivirus matches
| Source | Detection | Scanner | Label |
|---|---|---|---|
| C:\Users\user\Desktop\phantomtoolsv2.exe:a.dll | 100% | Avira | HEUR/AGEN.1354117 |
| C:\Users\user\Desktop\phantomtoolsv2.exe:a.dll | 100% | Joe Sandbox ML | |
      No Antivirus matches
      No Antivirus matches
| Source | Detection | Scanner | Label |
|---|---|---|---|
| https://api.ipify.org/ | 0% | URL Reputation | safe |
| https://gcc.gnu.org/bugs/): | 0% | URL Reputation | safe |
| https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF | 0% | URL Reputation | safe |
| https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg | 0% | URL Reputation | safe |
| https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | 0% | URL Reputation | safe |
| https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | 0% | URL Reputation | safe |
| https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417. | 0% | URL Reputation | safe |
| https://support.mozilla.org | 0% | URL Reputation | safe |
| https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | 0% | URL Reputation | safe |
| https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | 0% | URL Reputation | safe |
| https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | 0% | URL Reputation | safe |
| https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 0% | URL Reputation | safe |
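| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| api.ipify.org | 104.26.13.205 | true | false | | unknown |

| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| https://api.ipify.org/ | false | URL Reputation: safe | unknown |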
| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 79.137.202.152 | unknown | Russian Federation | 42569 | PSKSET-ASRU | true |
| 104.26.13.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false |
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1532357
Start date and time: 2024-10-13 01:37:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 26s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: phantomtoolsv2.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@8/2@1/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 73
• Number of non-executed functions: 161
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes where analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing network information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: phantomtoolsv2.exe
| Time | Type | Description |
|---|---|---|
| 19:38:03 | API Interceptor | 2x Sleep call for process: phantomtoolsv2.exe modified |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| 79.137.202.152 | SecuriteInfo.com.Win64.PWSX-gen.30688.21076.exe | malicious | CredGrabber, Meduza Stealer | |
| 79.137.202.152 | HS034Ewroq.exe | malicious | CredGrabber, Meduza Stealer | |
| 79.137.202.152 | installer.exe | malicious | CredGrabber, Meduza Stealer | |
| 79.137.202.152 | Oldsetup.exe | malicious | CredGrabber, Meduza Stealer | |
| 79.137.202.152 | setup_installer.exe | malicious | CredGrabber, Meduza Stealer | |
| 79.137.202.152 | WarzoneCheat.exe | malicious | CredGrabber, Meduza Stealer | |
| 104.26.13.205 | file.exe | malicious | Unknown | api.ipify.org/ |
| 104.26.13.205 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | api.ipify.org/ |
| 104.26.13.205 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | api.ipify.org/ |
| 104.26.13.205 | file.exe | malicious | RDPWrap Tool | api.ipify.org/ |
| 104.26.13.205 | Prismifyr-Install.exe | malicious | Node Stealer | api.ipify.org/ |
| 104.26.13.205 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | api.ipify.org/ |
| 104.26.13.205 | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | api.ipify.org/ |
| 104.26.13.205 | file.exe | malicious | Unknown | api.ipify.org/ |
| 104.26.13.205 | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar | api.ipify.org/ |
| 104.26.13.205 | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | api.ipify.org/ |

| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| api.ipify.org | bot.exe | malicious | CredGrabber, Meduza Stealer | 172.67.74.152 |
| api.ipify.org | 67065b4c84713_Javiles.exe | malicious | RDPWrap Tool | 172.67.74.152 |
| api.ipify.org | ATLANTIC STAR - VESSEL DETAILS.pdf.exe | malicious | AgentTesla, PureLog Stealer | 172.67.74.152 |
| api.ipify.org | 024.xlsx.exe | malicious | AgentTesla, DarkTortilla | 104.26.13.205 |
| api.ipify.org | 024.xlsx.exe | malicious | AgentTesla, DarkTortilla | 172.67.74.152 |
| api.ipify.org | Yc9hcFC1ux.exe | malicious | Unknown | 104.26.12.205 |
| api.ipify.org | Yc9hcFC1ux.exe | malicious | Unknown | 172.67.74.152 |
| api.ipify.org | Order0958490.vbe | malicious | AgentTesla | 104.26.12.205 |
| api.ipify.org | SecuriteInfo.com.Win64.PWSX-gen.30688.21076.exe | malicious | CredGrabber, Meduza Stealer | 104.26.13.205 |
| api.ipify.org | https://www.canva.com/design/DAGTGtfEYnw/CziuYyD8EEWyTr61OD4BbQ/edit?utm_content=DAGTGtfEYnw&utm_campaign=designshare&utm_medium=link2&utm_source=sharebutto | malicious | HtmlDropper | 172.67.74.152 |

| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| CLOUDFLARENETUS | FluxusV2.exe | malicious | Python Stealer, CStealer | 104.26.3.16 |
| CLOUDFLARENETUS | Solara.exe | malicious | LummaC | 104.21.77.78 |
| CLOUDFLARENETUS | file.exe | malicious | LummaC | 172.67.206.204 |
| CLOUDFLARENETUS | file.exe | malicious | LummaC | 172.67.206.204 |

| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| CLOUDFLARENETUS | http://servicesopm.com/login.php | malicious | Unknown | 188.114.96.3 |
| PSKSET-ASRU | SecuriteInfo.com.Win64.PWSX-gen.30688.21076.exe | malicious | CredGrabber, Meduza Stealer | 79.137.202.152 |
| PSKSET-ASRU | HS034Ewroq.exe | malicious | CredGrabber, Meduza Stealer | 79.137.202.152 |
| PSKSET-ASRU | installer.exe | malicious | CredGrabber, Meduza Stealer | 79.137.202.152 |
| PSKSET-ASRU | Oldsetup.exe | malicious | CredGrabber, Meduza Stealer | 79.137.202.152 |
| PSKSET-ASRU | cpXiB8kFJ7.exe | malicious | AsyncRAT, VenomRAT | 79.137.199.150 |
| PSKSET-ASRU | Aannir04sD.exe | malicious | Njrat | 79.137.199.150 |
| PSKSET-ASRU | gGcpYEOr8U.exe | malicious | Unknown | 79.137.199.150 |
| PSKSET-ASRU | gGcpYEOr8U.exe | malicious | Unknown | 79.137.199.150 |
| PSKSET-ASRU | setup_installer.exe | malicious | CredGrabber, Meduza Stealer | 79.137.202.152 |
| PSKSET-ASRU | WarzoneCheat.exe | malicious | CredGrabber, Meduza Stealer | 79.137.202.152 |

| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| 37f463bf4616ecd445d4a1937da06e19 | bot.exe | malicious | CredGrabber, Meduza Stealer | 104.26.13.205 |
| 37f463bf4616ecd445d4a1937da06e19 | narud#U017ebenica TISAKOMERC d.o.oRadbrkkedes234525262623.wsf | malicious | Remcos, GuLoader | 104.26.13.205 |
| 37f463bf4616ecd445d4a1937da06e19 | v.1.5.4__x64__.msi | malicious | LegionLoader | 104.26.13.205 |
| 37f463bf4616ecd445d4a1937da06e19 | SecuriteInfo.com.FileRepMalware.1304.4177.exe | malicious | Unknown | 104.26.13.205 |
| 37f463bf4616ecd445d4a1937da06e19 | SecuriteInfo.com.FileRepMalware.1304.4177.exe | malicious | Unknown | 104.26.13.205 |
| 37f463bf4616ecd445d4a1937da06e19 | Synaptics.exe | malicious | XRed | 104.26.13.205 |
| 37f463bf4616ecd445d4a1937da06e19 | Quotation-GINC-19-00204.exe | malicious | GuLoader, Snake Keylogger | 104.26.13.205 |
| 37f463bf4616ecd445d4a1937da06e19 | Produkttyper.exe | malicious | FormBook, GuLoader | 104.26.13.205 |
| 37f463bf4616ecd445d4a1937da06e19 | P065.00760_0858_PDF.vbs | malicious | GuLoader, Snake Keylogger | 104.26.13.205 |
| 37f463bf4616ecd445d4a1937da06e19 | Agenda de Pagamento outubro 2024.vbe | malicious | GuLoader, Snake Keylogger | 104.26.13.205 |
                            No context
                            Process:C:\Users\user\Desktop\phantomtoolsv2.exe
                            File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                            Category:dropped
                            Size (bytes):1430016
                            Entropy (8bit):7.516273947536266
                            Encrypted:false
                            SSDEEP:24576:TjSpDfQz9pRxewMCvnv49hIScHVpwPczeWkL5yS6oMKH95T2FvVJsE0jou:TjS9fQzm/kv49hISc1HeW6YS3jLqFtJc
                            MD5:BC690CC3A740F79F71732E6DBA60B67A
                            SHA1:1B3B7107BDDDCEE5F10781F466A52F195190F342
                            SHA-256:3FB6B027285DB00651F0257DF8F5CA9DB5665A24A5E23F476CD3E71244BFBC7F
                            SHA-512:BD090037334592F7000BE3EC1FF3E77F4303F59F071A7FD6D21EEE6B96D07D8AAF6F51725369F2823DD9E0FE2BC1F437BC0FC32EE7AF2DE2ED49C0B654BF521A
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            Reputation:low
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......g..........."...)............`..........`.............................@...........`... ..............................................................................0..............................@...(...................@................................text...............................`..`.data....[...0...\..................@....rdata...........0...v..............@..@.pdata..............................@..@.xdata..............................@..@.bss.....................................edata..............................@..@.idata..............................@....CRT....X...........................@....tls......... ......................@....reloc.......0......................@..B........................................................................................................................................................................
                            Process:C:\Windows\System32\PING.EXE
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):275
                            Entropy (8bit):4.825671547285939
                            Encrypted:false
                            SSDEEP:6:PzXULmWxHLTpUrhaGbsW3CNcwAFeMmvVOIHJFxMVlmJHaVFhZIhIt3:P+pTpchaGbsTDAFSkIrxMVlmJHaV5t3
                            MD5:9EE0B7EDC68864CD9E69E2682823B251
                            SHA1:A89692239FCACCDA7C76743DEDF8EB2F244389D3
                            SHA-256:0736A9B3859B3B86C63FA64B4ED9DD3B44BC6EC639FD3CDB4DC738AE1C9A7065
                            SHA-512:6943B470836443868A1B9A0996F1E866BC7BC0D2EFD7ED22224C53065EB51C4393C369BA8DA99F104D90047C6F021C6F2642C8EC96786790EC6BEE76EF5E963E
                            Malicious:false
                            Reputation:low
                            Preview:..Pinging 1.1.1.1 with 32 bytes of data:..Reply from 1.1.1.1: bytes=32 time=8ms TTL=51....Ping statistics for 1.1.1.1:.. Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 8ms, Maximum = 8ms, Average = 8ms..
                            File type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                            Entropy (8bit):7.220509258321107
                            TrID:
                            • Win64 Executable (generic) (12005/4) 74.95%
                            • Generic Win/DOS Executable (2004/3) 12.51%
                            • DOS Executable Generic (2002/1) 12.50%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
                            File name:phantomtoolsv2.exe
                            File size:2'746'880 bytes
                            MD5:0c01cfc0685211b3c655c7a9526f1849
                            SHA1:864d23804b6e3c98efd1b56863a484b505ddf40b
                            SHA256:8d6ee227c57e825bc978db47c7587d46e7df06e3656d493486ee26b1426c98a6
                            SHA512:6024a41f371d77a82608c0e8ff314853404a50decb77838ace61c43a72ef954f4a227849b85e2aa3ef0749120e8361f13145006652596fb22b2f972bf7585719
                            SSDEEP:49152:EZPf0tL9d77T+WScpPNBqB0+i8jS9fQzm/kv49hISc1HeW6YS3jLqFtJc:TVScpPN3D/8Sc1HeW6YSad
                            TLSH:F4D5AF0FEEA748A8C62BC0BC4257A7FA5530F81D126F3DE59AB0DE720EA1DC4571A711
                            Icon Hash:90cececece8e8eb0
                            Entrypoint:0x1400014a0
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x140000000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
                            Time Stamp:0x670ACB28 [Sat Oct 12 19:16:56 2024 UTC]
                            TLS Callbacks:0x4001a380, 0x1, 0x4001a350, 0x1
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:0163d3ec9900198371a13a64f76fc361
                            Instruction
                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2a0000 | 0x1180 | .idata
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x281000 | 0xaf80 | .pdata
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2a4000 | 0x1684 | .reloc
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_TLS | 0x274860 | 0x28 | .rdata
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IAT | 0x2a0450 | 0x410 | .idata
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                            .text | 0x1000 | 0x10bb70 | 0x10bc00 | 22459671085291c5063e8c8859bc8f59 | False | 0.35506481238328663 | data | 6.228388072256253 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .data | 0x10d000 | 0x3080 | 0x3200 | 9dd76daa6bcbbd52a7e1f42691b82f36 | False | 0.0225 | data | 0.27715409108042194 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .rdata | 0x111000 | 0x16f4a0 | 0x16f600 | 0755f03812b806657c2a38e7b4b3dc65 | False | 0.5951468930758761 | data | 7.481419958849477 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .pdata | 0x281000 | 0xaf80 | 0xb000 | e5a1483ef7d2debd266ba4f8a96810ca | False | 0.5372869318181818 | data | 6.036620350568149 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .xdata | 0x28c000 | 0x12324 | 0x12400 | 98a30c7b03b41b55b5760cfb36f29449 | False | 0.1908042594178082 | data | 5.069165535169385 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .bss | 0x29f000 | 0xcb0 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .idata | 0x2a0000 | 0x1180 | 0x1200 | 639e2c53a8b3a75c1ff57ec93e18be3b | False | 0.314453125 | data | 4.234187742404477 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .CRT | 0x2a2000 | 0x60 | 0x200 | c763ed33786bdf672a771e19d0ae8b3a | False | 0.06640625 | data | 0.3124937745953951 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .tls | 0x2a3000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .reloc | 0x2a4000 | 0x1684 | 0x1800 | 4f4f97b146c1904b770a19b01a0caf58 | False | 0.37890625 | data | 5.3554449882646145 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                            DLL | Import
                            KERNEL32.dll | CloseHandle, CreateFileW, CreateToolhelp32Snapshot, DeleteCriticalSection, EnterCriticalSection, FormatMessageA, GetCurrentProcess, GetLastError, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetStartupInfoA, GetSystemTimeAsFileTime, GetTempPathA, GetTempPathW, GetThreadId, InitializeConditionVariable, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, LoadLibraryW, LocalFree, MultiByteToWideChar, Process32First, Process32Next, RaiseException, RtlCaptureContext, RtlLookupFunctionEntry, RtlUnwindEx, RtlVirtualUnwind, SetLastError, SetUnhandledExceptionFilter, Sleep, SleepConditionVariableCS, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryEnterCriticalSection, VirtualProtect, VirtualQuery, WakeAllConditionVariable, WakeConditionVariable, WideCharToMultiByte, WriteFile
                            msvcrt.dll | __C_specific_handler, ___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _cexit, _commode, _errno, _filelengthi64, _fileno, _fmode, _fstat64, _get_osfhandle, _initterm, _lseeki64, _onexit, _strlwr, _time64, _wfopen, abort, calloc, exit, fclose, fflush, fgetpos, fopen, fprintf, fputc, fputs, fread, free, fsetpos, fwrite, getc, getenv, getwc, iswctype, localeconv, malloc, memchr, memcmp, memcpy, memmove, memset, putc, putwc, rand, realloc, setlocale, setvbuf, signal, srand, strchr, strcmp, strcoll, strcpy_s, strerror, strftime, strlen, strncmp, strstr, strtoul, strxfrm, towlower, towupper, ungetc, ungetwc, vfprintf, wcscoll, wcsftime, wcslen, wcstombs, wcsxfrm, _write, _read, _fileno, _fdopen
                            Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                            2024-10-13T01:38:09.966420+0200 | 2049441 | ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt | 1 | 192.168.2.4 | 49737 | 79.137.202.152 | 15666 | TCP
                            2024-10-13T01:38:09.966420+0200 | 2050806 | ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2 | 1 | 192.168.2.4 | 49737 | 79.137.202.152 | 15666 | TCP
                            2024-10-13T01:38:09.966420+0200 | 2050807 | ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP) | 1 | 192.168.2.4 | 49737 | 79.137.202.152 | 15666 | TCP
                            2024-10-13T01:38:09.971752+0200 | 2050806 | ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2 | 1 | 192.168.2.4 | 49737 | 79.137.202.152 | 15666 | TCP
                            2024-10-13T01:38:09.971752+0200 | 2050807 | ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP) | 1 | 192.168.2.4 | 49737 | 79.137.202.152 | 15666 | TCP
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Oct 13, 2024 01:38:09.989922047 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.989931107 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.989957094 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.989984989 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.989988089 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.990027905 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.990053892 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.992065907 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.992120028 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.992296934 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.992325068 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.992351055 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.992366076 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.992383003 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.992450953 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.992537975 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.992564917 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.992594957 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.992631912 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.992640972 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.992662907 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.992691040 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.992693901 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.992722034 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.992749929 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.992777109 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.992786884 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.992814064 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.992840052 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.992841005 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.992871046 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.992899895 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.993002892 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.993030071 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.993081093 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.993105888 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.993108034 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.993134975 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.993141890 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.993163109 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.993170023 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.993199110 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.993211985 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.993223906 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.993240118 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.993268013 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.993269920 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.993299007 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.993325949 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.994812012 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.994846106 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.994875908 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.994893074 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.994908094 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.994921923 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.994939089 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.994977951 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.994978905 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.995004892 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.995032072 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.995050907 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.995084047 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.995084047 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.995111942 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.995138884 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.995156050 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.995166063 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.995198965 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.995215893 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.995225906 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.995244980 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.995271921 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.995280981 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.995300055 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.995316982 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.995330095 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.995347023 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.995357037 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.995373011 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.995415926 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.995425940 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.995454073 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.995481014 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.995507956 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.995522976 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.995538950 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.995559931 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.995565891 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.995593071 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.995596886 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.995620012 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.995625973 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.995646954 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.995654106 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.995675087 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.995683908 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.995702982 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.995712042 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.995733023 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.995754004 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.995759964 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.995784998 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.995788097 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.995812893 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.995815039 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.995867014 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.995867968 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.995896101 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.995922089 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.995949030 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.995961905 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.995980024 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996004105 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.996007919 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996035099 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996037960 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.996062040 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996085882 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.996089935 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996113062 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.996117115 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996144056 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.996145964 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996169090 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.996172905 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996201038 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996206999 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.996227980 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996241093 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.996256113 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996284008 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996284008 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.996310949 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996321917 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.996336937 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996345043 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.996365070 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996377945 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.996392965 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996419907 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996448040 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996463060 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.996496916 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996501923 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.996521950 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996534109 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996546030 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996556997 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996568918 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996581078 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996587038 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.996592999 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996606112 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996619940 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996632099 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996644974 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996654034 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.996656895 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996670008 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996682882 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996695995 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996699095 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.996709108 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996721983 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996733904 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996745110 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996752977 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.996756077 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996778965 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996790886 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996798038 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.996803999 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996815920 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996828079 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996840954 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996840954 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.996853113 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996865988 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996877909 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996890068 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.996896982 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.996941090 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.997699022 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.997730017 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.997769117 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.997781038 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.997802019 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.997834921 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.997845888 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.997859955 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.997880936 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.997893095 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.997924089 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.997953892 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.997991085 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.998003006 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.998035908 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.998047113 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.998065948 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.998069048 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.998080969 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.998092890 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.998106003 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.998150110 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.998157978 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.998172045 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.998193979 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.998205900 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.998217106 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.998228073 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.998239040 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.998248100 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.998260975 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.998274088 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.998285055 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.998289108 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.998307943 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.998320103 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.998327017 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.998331070 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.998353958 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.998367071 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.998378038 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:09.998383999 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:09.998423100 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:10.000128984 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.000170946 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.000181913 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.000193119 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.000214100 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.000225067 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.000236034 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.000253916 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:10.000288963 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.000298023 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:10.000300884 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.000313997 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.000336885 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.000348091 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.000359058 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.000368118 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:10.000370026 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.000392914 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.000406981 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.000415087 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:10.000418901 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.000431061 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.000452042 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.000463963 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.000463963 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:10.000475883 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.000494957 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:10.000526905 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.000535011 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:10.000549078 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.000561953 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.000572920 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.000585079 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.000596046 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.000607014 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.000617981 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.000622034 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:10.000629902 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.000650883 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.000663042 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.000668049 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:10.000674963 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.000686884 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.000699043 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.000710011 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.000720978 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.000724077 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:10.000731945 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.000746965 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.000758886 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.000770092 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.000778913 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:10.000823021 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:10.001684904 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.001741886 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:10.482585907 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:10.482592106 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.482600927 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.482609034 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.482618093 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.482626915 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.482635021 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.482642889 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.482650042 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.482656956 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.482665062 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.482671976 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.482680082 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.482690096 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:10.482697964 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.482723951 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.482732058 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.482739925 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.482748032 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.482755899 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.482842922 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:10.482848883 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.482857943 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.482865095 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.482873917 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.482882023 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.482888937 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.482897043 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.482930899 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.482943058 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.482954025 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:10.482961893 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.482975006 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.482983112 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.482991934 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483000040 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483007908 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483016014 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483023882 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483031988 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483040094 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483047962 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483077049 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:10.483089924 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483099937 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483108044 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483115911 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483122110 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483129978 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483138084 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483156919 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483160019 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:10.483165979 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483174086 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483181953 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483190060 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483207941 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483216047 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483223915 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483232021 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483241081 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483249903 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483257055 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483264923 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483273029 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483280897 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483288050 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483297110 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483304977 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483313084 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483313084 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:10.483320951 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483329058 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483349085 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483356953 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483365059 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483376026 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483395100 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483402967 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483411074 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483417988 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483421087 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:10.483434916 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483445883 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483454943 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483463049 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483474016 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483496904 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483506918 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483555079 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:10.483592033 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483602047 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483609915 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483618975 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483627081 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483633995 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483643055 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483659029 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483666897 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483673096 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:10.483675003 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483684063 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483692884 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483700991 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483709097 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483716965 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483721018 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483724117 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483737946 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483737946 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:10.483745098 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483767033 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483776093 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483797073 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483805895 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483809948 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:10.483813047 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483823061 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483830929 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483839989 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483875036 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483875036 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:10.483894110 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483903885 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483911991 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483918905 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483927965 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483935118 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:10.483936071 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483954906 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483964920 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483984947 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.483993053 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.484000921 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.484000921 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:10.484010935 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.484019995 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.484028101 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.484035969 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.484045029 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.484051943 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.484054089 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:10.484112024 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:10.484113932 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.484122992 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.484131098 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.484139919 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.484149933 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.484158993 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.484160900 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:10.484168053 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.484179020 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.484186888 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.484194994 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.484210014 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.484214067 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:10.484217882 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.484225988 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.484235048 CEST156664973779.137.202.152192.168.2.4
                            Oct 13, 2024 01:38:10.484281063 CEST4973715666192.168.2.479.137.202.152
                            Oct 13, 2024 01:38:10.484297991 CEST156664973779.137.202.152192.168.2.4
                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                            Oct 13, 2024 01:38:05.136153936 CEST | 192.168.2.4 | 1.1.1.1 | 0x83a0 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false

                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                            Oct 13, 2024 01:38:05.142924070 CEST | 1.1.1.1 | 192.168.2.4 | 0x83a0 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
                            Oct 13, 2024 01:38:05.142924070 CEST | 1.1.1.1 | 192.168.2.4 | 0x83a0 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
                            Oct 13, 2024 01:38:05.142924070 CEST | 1.1.1.1 | 192.168.2.4 | 0x83a0 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            0 | 192.168.2.4 | 49738 | 104.26.13.205 | 443 | 7360 | C:\Users\user\Desktop\phantomtoolsv2.exe

                            Timestamp | Bytes transferred | Direction | Data
                            2024-10-12 23:38:05 UTC | 100 | OUT | GET / HTTP/1.1
                            Accept: text/html; text/plain; */*
                            Host: api.ipify.org
                            Cache-Control: no-cache
                            2024-10-12 23:38:05 UTC | 211 | IN | HTTP/1.1 200 OK
                            Date: Sat, 12 Oct 2024 23:38:05 GMT
                            Content-Type: text/plain
                            Content-Length: 11
                            Connection: close
                            Vary: Origin
                            CF-Cache-Status: DYNAMIC
                            Server: cloudflare
                            CF-RAY: 8d1aebea4f040fa8-EWR
                            2024-10-12 23:38:05 UTC | 11 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                            Data Ascii: 8.46.123.33



                            Target ID:0
                            Start time:19:38:03
                            Start date:12/10/2024
                            Path:C:\Users\user\Desktop\phantomtoolsv2.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Users\user\Desktop\phantomtoolsv2.exe"
                            Imagebase:0x7ff7b8800000
                            File size:2'746'880 bytes
                            MD5 hash:0C01CFC0685211B3C655C7A9526F1849
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low
                            Has exited:true

                            Target ID:1
                            Start time:19:38:04
                            Start date:12/10/2024
                            Path:C:\Users\user\Desktop\phantomtoolsv2.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Users\user\Desktop\phantomtoolsv2.exe"
                            Imagebase:0x7ff7b8800000
                            File size:2'746'880 bytes
                            MD5 hash:0C01CFC0685211B3C655C7A9526F1849
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low
                            Has exited:true

                            Target ID:3
                            Start time:19:38:21
                            Start date:12/10/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\phantomtoolsv2.exe"
                            Imagebase:0x7ff794cc0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:4
                            Start time:19:38:21
                            Start date:12/10/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:5
                            Start time:19:38:21
                            Start date:12/10/2024
                            Path:C:\Windows\System32\PING.EXE
                            Wow64 process (32bit):false
                            Commandline:ping 1.1.1.1 -n 1 -w 3000
                            Imagebase:0x7ff69e050000
                            File size:22'528 bytes
                            MD5 hash:2F46799D79D22AC72C241EC0322B011D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true


                              Execution Graph

                              Execution Coverage:1.7%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:13.4%
                              Total number of Nodes:1614
                              Total number of Limit Nodes:20
12586 7ff7b88bbff0 12577->12586 12579 7ff7b890c989 12595 7ff7b881bb40 RtlCaptureContext RtlUnwindEx abort 12579->12595 12587 7ff7b88bc024 12586->12587 12596 7ff7b88e9bf0 12587->12596 12590 7ff7b88e9bf0 31 API calls 12592 7ff7b88bc0a3 12590->12592 12591 7ff7b88bc041 strlen 12591->12590 12611 7ff7b88d3360 12592->12611 12594 7ff7b88bc0f3 12594->12579 12597 7ff7b88e9d2d 12596->12597 12598 7ff7b88e9c25 12596->12598 12599 7ff7b890c0a0 23 API calls 12597->12599 12601 7ff7b88e9c4b 12598->12601 12602 7ff7b88e9ce8 12598->12602 12600 7ff7b88e9d39 12599->12600 12600->12591 12604 7ff7b88e9c5d 12601->12604 12605 7ff7b88e9cc8 12601->12605 12622 7ff7b88ee690 12602->12622 12607 7ff7b88e9c81 12604->12607 12610 7ff7b88e9c79 memcpy 12604->12610 12614 7ff7b88ea480 12605->12614 12606 7ff7b88e9c9e 12606->12591 12607->12606 12609 7ff7b88e9c90 memcpy 12607->12609 12609->12606 12610->12607 12612 7ff7b88bac20 23 API calls 12611->12612 12613 7ff7b88d338a 12612->12613 12613->12594 12615 7ff7b88ea4ae 12614->12615 12616 7ff7b88ea4b4 12614->12616 12615->12616 12617 7ff7b88ea4bb memcpy 12615->12617 12618 7ff7b88ea4e9 memcpy 12616->12618 12619 7ff7b88ea4e3 12616->12619 12617->12616 12618->12619 12620 7ff7b88ea55d memcpy 12619->12620 12621 7ff7b88ea50e 12619->12621 12620->12621 12621->12606 12623 7ff7b88ee6d2 12622->12623 12624 7ff7b88ee84a 12623->12624 12627 7ff7b88ee6e9 12623->12627 12625 7ff7b890c0a0 23 API calls 12624->12625 12630 7ff7b88ee856 12625->12630 12626 7ff7b890ab80 malloc 12629 7ff7b88ee715 12626->12629 12627->12626 12628 7ff7b88ee735 12632 7ff7b88ee769 12628->12632 12634 7ff7b88ee759 memcpy 12628->12634 12629->12628 12631 7ff7b88ee72a memcpy 12629->12631 12630->12606 12631->12628 12633 7ff7b88ee771 12632->12633 12635 7ff7b88ee7bc memcpy 12632->12635 12633->12606 12634->12632 12635->12633 12643 7ff7b88287d0 12636->12643 12644 7ff7b88287d6 abort 12643->12644 12645 7ff7b890acd0 32 API calls 12644->12645 12646 7ff7b88287e3 abort 12645->12646 12648 7ff7b881bc00 RaiseException 12647->12648 
12649 7ff7b881bc32 RaiseException 12647->12649 12648->12564 12650 7ff7b881bc70 abort RaiseException 12649->12650 12651 7ff7b881bce5 12650->12651 12651->12564 12652 7ff7b881b5d0 Sleep 13521 7ff7b881c3d0 fgetpos 13522 7ff7b881c3e2 13521->13522 13921 7ff7b881b8d0 13922 7ff7b881b9ba 13921->13922 13925 7ff7b881b8f3 13921->13925 13923 7ff7b881b9b0 13923->13922 13924 7ff7b881bacc RtlUnwindEx abort RaiseException 13923->13924 13925->13922 13925->13923 13927 7ff7b881ba20 13925->13927 13928 7ff7b881b94e 13925->13928 13926 7ff7b881b9ab abort 13926->13923 13927->13922 13927->13926 13930 7ff7b881ba7a RtlUnwindEx 13927->13930 13928->13922 13928->13926 13929 7ff7b881b97a RaiseException 13928->13929 13929->13926 13930->13926 13931 7ff7b8821cd5 13932 7ff7b8821d14 13931->13932 13933 7ff7b8821cf6 13931->13933 13934 7ff7b881f140 6 API calls 13932->13934 13935 7ff7b881efa0 3 API calls 13933->13935 13936 7ff7b882222b 13934->13936 13935->13932 13936->13936 12657 7ff7b881a1c0 12658 7ff7b881a1c9 12657->12658 12660 7ff7b881a1d3 12657->12660 12658->12660 12661 7ff7b8815b20 12658->12661 12662 7ff7b8815f99 12661->12662 12663 7ff7b8815b51 strncmp 12661->12663 12662->12663 12669 7ff7b8815b6e 12662->12669 12663->12669 12664 7ff7b8815c6b strlen 12664->12669 12670 7ff7b8815f70 12664->12670 12666 7ff7b8815bd1 strlen 12666->12669 12666->12670 12667 7ff7b8809bf0 free strcmp 12667->12669 12668 7ff7b8815c33 strlen 12668->12669 12669->12664 12669->12666 12669->12667 12669->12668 12669->12670 12671 7ff7b8805a20 12669->12671 12670->12660 12673 7ff7b8805a3e 12671->12673 12672 7ff7b8805a8c 12679 7ff7b8805bef 12672->12679 12698 7ff7b8809910 12672->12698 12673->12672 12674 7ff7b8805b38 12673->12674 12676 7ff7b8805b72 12673->12676 12674->12676 12678 7ff7b8806420 12674->12678 12683 7ff7b8805c58 12674->12683 12681 7ff7b8807be0 12676->12681 12682 7ff7b8807a8f 12676->12682 12692 7ff7b8805abd 12676->12692 12694 7ff7b880648f 12678->12694 12708 7ff7b8808d50 12678->12708 12679->12692 12702 7ff7b8806900 12679->12702 
12680 7ff7b8805ab8 12686 7ff7b8805a20 strcmp 12680->12686 12687 7ff7b8807290 strcmp 12681->12687 12714 7ff7b8807290 12682->12714 12683->12678 12690 7ff7b8805c7d 12683->12690 12684 7ff7b890c6ae 12684->12669 12685 7ff7b890c6a0 free 12685->12684 12686->12692 12696 7ff7b8807ba8 12687->12696 12693 7ff7b8805a20 strcmp 12690->12693 12692->12669 12693->12692 12694->12684 12694->12685 12695 7ff7b8807b98 12695->12696 12697 7ff7b8808d50 strcmp 12695->12697 12696->12669 12697->12696 12700 7ff7b8809980 12698->12700 12699 7ff7b8805a9c 12699->12679 12699->12680 12699->12692 12700->12699 12732 7ff7b8806650 12700->12732 12703 7ff7b880690f 12702->12703 12704 7ff7b8805a20 2 API calls 12703->12704 12707 7ff7b880692b 12703->12707 12705 7ff7b8806982 12704->12705 12706 7ff7b8806650 2 API calls 12705->12706 12705->12707 12706->12707 12707->12676 12712 7ff7b8808e50 12708->12712 12713 7ff7b8808d6e 12708->12713 12710 7ff7b8805a20 2 API calls 12710->12713 12711 7ff7b8808d50 2 API calls 12711->12713 12712->12694 12713->12710 12713->12711 12713->12712 12736 7ff7b8808b30 12713->12736 12716 7ff7b88072b4 12714->12716 12715 7ff7b88073a7 12759 7ff7b8806760 12715->12759 12716->12715 12719 7ff7b880734a 12716->12719 12728 7ff7b8807430 12716->12728 12718 7ff7b8805a20 2 API calls 12720 7ff7b8807a36 12718->12720 12719->12695 12720->12719 12721 7ff7b8806650 2 API calls 12720->12721 12721->12719 12722 7ff7b8807823 12722->12719 12722->12720 12730 7ff7b8807831 12722->12730 12723 7ff7b8807968 12725 7ff7b8805a20 2 API calls 12723->12725 12724 7ff7b8806a40 2 API calls 12726 7ff7b8807978 12724->12726 12725->12726 12726->12724 12729 7ff7b8807590 12726->12729 12728->12719 12728->12720 12728->12722 12728->12723 12728->12726 12728->12729 12764 7ff7b8806a40 12728->12764 12729->12718 12729->12719 12730->12719 12731 7ff7b8806650 2 API calls 12730->12731 12731->12719 12734 7ff7b880668f 12732->12734 12735 7ff7b8806700 12732->12735 12733 7ff7b8805a20 2 API calls 12733->12734 12734->12733 12734->12735 12735->12700 12737 
7ff7b8808b43 12736->12737 12744 7ff7b8808b7a 12736->12744 12738 7ff7b8808b5d 12737->12738 12740 7ff7b8808bd0 12737->12740 12737->12744 12739 7ff7b8805a20 free 12738->12739 12743 7ff7b8808b65 12739->12743 12740->12744 12745 7ff7b8809bf0 12740->12745 12742 7ff7b8808c39 strcmp 12742->12744 12743->12742 12743->12744 12744->12713 12751 7ff7b8807a70 12745->12751 12747 7ff7b8809c1a 12747->12744 12748 7ff7b8805a20 2 API calls 12750 7ff7b8809c04 12748->12750 12749 7ff7b8806650 2 API calls 12749->12750 12750->12747 12750->12748 12750->12749 12752 7ff7b8807be0 12751->12752 12753 7ff7b8807a8f 12751->12753 12754 7ff7b8807290 2 API calls 12752->12754 12755 7ff7b8807290 2 API calls 12753->12755 12756 7ff7b8807ba8 12754->12756 12757 7ff7b8807b98 12755->12757 12756->12750 12757->12756 12758 7ff7b8808d50 2 API calls 12757->12758 12758->12756 12760 7ff7b880677a 12759->12760 12762 7ff7b88067a5 12759->12762 12761 7ff7b8805a20 2 API calls 12760->12761 12760->12762 12763 7ff7b88068cb 12761->12763 12762->12719 12763->12719 12765 7ff7b8806a5f 12764->12765 12766 7ff7b8806a95 12764->12766 12767 7ff7b8806a6c 12765->12767 12773 7ff7b8806b10 12765->12773 12766->12728 12767->12766 12769 7ff7b8806a40 2 API calls 12767->12769 12770 7ff7b8806a88 12767->12770 12768 7ff7b8805a20 2 API calls 12768->12770 12769->12770 12770->12766 12770->12768 12771 7ff7b8805a20 2 API calls 12771->12773 12772 7ff7b8806a40 2 API calls 12772->12773 12773->12766 12773->12771 12773->12772 12774 7ff7b8806c30 12773->12774 12775 7ff7b8805a20 free strcmp 12774->12775 12776 7ff7b8806a40 free strcmp 12774->12776 12777 7ff7b880727e 12774->12777 12775->12774 12776->12774 13529 7ff7b881b7c0 TryEnterCriticalSection 13530 7ff7b88267c0 13531 7ff7b88267fa 13530->13531 13532 7ff7b88257b0 2 API calls 13531->13532 13536 7ff7b8826816 13532->13536 13533 7ff7b882689e 13535 7ff7b8826866 13535->13533 13537 7ff7b8825910 5 API calls 13535->13537 13536->13535 13538 7ff7b8825910 13536->13538 13537->13535 13539 7ff7b8825930 13538->13539 13540 
7ff7b88257b0 2 API calls 13539->13540 13544 7ff7b882595b 13539->13544 13541 7ff7b882598b 13540->13541 13542 7ff7b8825993 memcpy 13541->13542 13541->13544 13543 7ff7b88259b2 free 13542->13543 13545 7ff7b88259bf 13542->13545 13543->13544 13544->13536 13545->13544 13546 7ff7b88259e5 LeaveCriticalSection 13545->13546 13546->13544 13547 7ff7b881ebc0 13548 7ff7b881ebcb 13547->13548 13549 7ff7b88257b0 2 API calls 13548->13549 13550 7ff7b881ebd2 13549->13550 13940 7ff7b881acc0 13941 7ff7b881ace0 13940->13941 13942 7ff7b881acd6 13940->13942 13941->13942 13943 7ff7b881acf7 EnterCriticalSection LeaveCriticalSection 13941->13943 13943->13942 13944 7ff7b88090c4 13945 7ff7b88090cf 13944->13945 13949 7ff7b8808f40 13944->13949 13946 7ff7b8809000 13945->13946 13947 7ff7b8805a20 2 API calls 13945->13947 13947->13949 13948 7ff7b8807290 2 API calls 13948->13949 13949->13946 13949->13948 13950 7ff7b8808d50 2 API calls 13949->13950 13950->13949 13170 7ff7b881b6f0 TlsSetValue 13171 7ff7b881b708 GetLastError 13170->13171 13172 7ff7b881b6fe 13170->13172 13551 7ff7b881b3f0 WakeAllConditionVariable 13552 7ff7b8821bf0 13555 7ff7b8821a48 13552->13555 13553 7ff7b88225fc fputc 13553->13555 13554 7ff7b8821b6f 13555->13553 13555->13554 13961 7ff7b881c0f0 13962 7ff7b881c140 13961->13962 13963 7ff7b881c0ff 13961->13963 13964 7ff7b881c112 MultiByteToWideChar 13963->13964 13964->13962 12778 7ff7b88011d9 12781 7ff7b88011e0 12778->12781 12779 7ff7b880142d 12780 7ff7b8801244 SetUnhandledExceptionFilter 12780->12781 12781->12779 12781->12780 12782 7ff7b88012fe malloc 12781->12782 12783 7ff7b8801330 strlen malloc memcpy 12781->12783 12782->12779 12782->12781 12783->12781 12783->12783 13177 7ff7b880d6f5 13178 7ff7b8804cc0 2 API calls 13177->13178 13179 7ff7b880d70d strlen 13178->13179 13180 7ff7b8809fb2 13179->13180 12784 7ff7b881a5d8 12785 7ff7b881a5eb 12784->12785 12787 7ff7b881a65a 12784->12787 12786 7ff7b881a62d VirtualQuery 12785->12786 12786->12787 13181 7ff7b881b6d8 SetLastError 12788 7ff7b8804df0 
12792 7ff7b8804cc0 12788->12792 12791 7ff7b8804e23 12795 7ff7b881c470 12792->12795 12798 7ff7b8821990 _errno 12795->12798 12800 7ff7b8804ce4 strlen 12798->12800 12801 7ff7b8821a37 12798->12801 12799 7ff7b88225fc fputc 12799->12801 12800->12791 12801->12799 12801->12800 13563 7ff7b8804bf0 13565 7ff7b8804c50 13563->13565 13567 7ff7b8804c13 13563->13567 13564 7ff7b8804c1a memcpy 13568 7ff7b8804c3d 13564->13568 13566 7ff7b8804c68 realloc 13565->13566 13565->13568 13566->13567 13566->13568 13567->13564 13567->13568 12802 7ff7b881c1e0 strcmp 12803 7ff7b881c1fc strcmp 12802->12803 12806 7ff7b881c2da 12802->12806 12804 7ff7b881c213 strcmp 12803->12804 12803->12806 12805 7ff7b881c22a strcmp 12804->12805 12804->12806 12805->12806 12807 7ff7b881c241 strcmp 12805->12807 12807->12806 12808 7ff7b881c258 strcmp 12807->12808 12808->12806 12809 7ff7b881c26f strcmp 12808->12809 12809->12806 12810 7ff7b881c286 strcmp 12809->12810 12810->12806 12811 7ff7b881c29d strcmp 12810->12811 12811->12806 12812 7ff7b881c2b0 strcmp 12811->12812 12812->12806 12813 7ff7b881c2c3 strcmp 12812->12813 12813->12806 13569 7ff7b881b7e0 13570 7ff7b881b7e9 13569->13570 13571 7ff7b881b7f6 abort 13569->13571 13572 7ff7b881b809 13571->13572 13573 7ff7b881b816 abort 13571->13573 13968 7ff7b880a0e0 13969 7ff7b880a0ed 13968->13969 13970 7ff7b8804cc0 2 API calls 13969->13970 13971 7ff7b88118c3 strlen 13970->13971 13971->13969 13182 7ff7b8821ae2 13185 7ff7b8821a48 13182->13185 13183 7ff7b8821b6f 13184 7ff7b88225fc fputc 13184->13185 13185->13182 13185->13183 13185->13184 13574 7ff7b8821fe3 13575 7ff7b8821fec localeconv 13574->13575 13577 7ff7b8821a48 13574->13577 13576 7ff7b8826ea0 6 API calls 13575->13576 13576->13577 13578 7ff7b8821b6f 13577->13578 13579 7ff7b88225fc fputc 13577->13579 13579->13577 13580 7ff7b8821c08 13581 7ff7b882251b 13580->13581 13582 7ff7b8821c1e 13580->13582 13584 7ff7b881f9c0 13582->13584 13586 7ff7b881f9f3 13584->13586 13585 7ff7b881fade memset 13585->13586 13587 7ff7b881fb03 13585->13587 
13586->13585 13586->13587 13592 7ff7b881fb3b 13586->13592 13588 7ff7b881fb47 13587->13588 13589 7ff7b881fdbd 13587->13589 13587->13592 13590 7ff7b881fbaa fputc 13588->13590 13595 7ff7b881fb68 13588->13595 13589->13588 13594 7ff7b881fdd0 memset 13589->13594 13590->13588 13590->13595 13591 7ff7b881fda8 fputc 13591->13592 13592->13588 13592->13591 13593 7ff7b881fbcc 13593->13582 13594->13588 13595->13593 13596 7ff7b881fc13 fputc 13595->13596 13596->13595 13190 7ff7b8801f00 rand 13191 7ff7b8902cd0 44 API calls 13190->13191 13192 7ff7b8801f39 13191->13192 13201 7ff7b88aaff0 13192->13201 13194 7ff7b88399a0 memcmp 13200 7ff7b8801f47 13194->13200 13195 7ff7b8802251 13196 7ff7b88a9390 32 API calls 13196->13200 13197 7ff7b88a95e0 32 API calls 13197->13200 13198 7ff7b8801fb0 rand 13198->13198 13198->13200 13200->13194 13200->13195 13200->13196 13200->13197 13200->13198 13228 7ff7b8828180 13200->13228 13202 7ff7b88ab075 13201->13202 13203 7ff7b88ab020 13201->13203 13204 7ff7b88ab027 13202->13204 13205 7ff7b88ab086 13202->13205 13203->13204 13206 7ff7b88a95e0 32 API calls 13203->13206 13207 7ff7b88ff8b0 32 API calls 13204->13207 13208 7ff7b88ab030 13204->13208 13209 7ff7b88ab130 13205->13209 13210 7ff7b88ab0a4 13205->13210 13213 7ff7b88ab1da 13205->13213 13206->13202 13207->13209 13221 7ff7b88ff8b0 32 API calls 13208->13221 13224 7ff7b88ab05a 13208->13224 13209->13210 13211 7ff7b88399a0 memcmp 13209->13211 13210->13208 13214 7ff7b88ff8b0 32 API calls 13210->13214 13211->13210 13212 7ff7b88ab208 13215 7ff7b890acd0 34 API calls 13212->13215 13218 7ff7b88ab24a 13212->13218 13222 7ff7b890b390 34 API calls 13212->13222 13225 7ff7b890ae20 34 API calls 13212->13225 13226 7ff7b88a9e00 32 API calls 13212->13226 13237 7ff7b881bb40 RtlCaptureContext RtlUnwindEx abort 13212->13237 13213->13212 13216 7ff7b890acd0 34 API calls 13213->13216 13214->13208 13215->13212 13217 7ff7b88ab1f2 13216->13217 13217->13212 13219 7ff7b890b390 34 API calls 13217->13219 13220 7ff7b890ae20 34 API calls 
13218->13220 13219->13212 13223 7ff7b88ab24f 13220->13223 13221->13224 13222->13212 13223->13223 13224->13200 13225->13212 13226->13212 13229 7ff7b8902cd0 44 API calls 13228->13229 13230 7ff7b88281b5 13229->13230 13231 7ff7b88281f8 13230->13231 13235 7ff7b8902cd0 44 API calls 13230->13235 13238 7ff7b88aa3b0 13230->13238 13233 7ff7b88399a0 memcmp 13231->13233 13234 7ff7b882825a 13231->13234 13236 7ff7b88a9390 32 API calls 13231->13236 13233->13231 13235->13230 13236->13231 13239 7ff7b88aa435 13238->13239 13240 7ff7b88aa3e4 13238->13240 13241 7ff7b88aa446 13239->13241 13242 7ff7b88aa3eb 13239->13242 13240->13242 13243 7ff7b88a95e0 32 API calls 13240->13243 13246 7ff7b88aa4f0 13241->13246 13247 7ff7b88aa59a 13241->13247 13253 7ff7b88aa464 13241->13253 13244 7ff7b88ff8b0 32 API calls 13242->13244 13249 7ff7b88aa3f4 13242->13249 13243->13239 13244->13246 13245 7ff7b88aa41e 13245->13230 13248 7ff7b88399a0 memcmp 13246->13248 13246->13253 13252 7ff7b890acd0 34 API calls 13247->13252 13260 7ff7b88aa5c8 13247->13260 13248->13253 13249->13245 13256 7ff7b88ff8b0 32 API calls 13249->13256 13250 7ff7b88ff8b0 32 API calls 13250->13249 13251 7ff7b890acd0 34 API calls 13251->13260 13254 7ff7b88aa5b2 13252->13254 13253->13249 13253->13250 13258 7ff7b890b390 34 API calls 13254->13258 13254->13260 13255 7ff7b88aa60a 13259 7ff7b890ae20 34 API calls 13255->13259 13256->13245 13257 7ff7b890b390 34 API calls 13257->13260 13258->13260 13261 7ff7b88aa60f 13259->13261 13260->13251 13260->13255 13260->13257 13262 7ff7b890ae20 34 API calls 13260->13262 13263 7ff7b88a9e00 32 API calls 13260->13263 13265 7ff7b881bb40 RtlCaptureContext RtlUnwindEx abort 13260->13265 13261->13261 13262->13260 13263->13260 13600 7ff7b8802000 rand 13601 7ff7b8902cd0 44 API calls 13600->13601 13602 7ff7b8802039 13601->13602 13603 7ff7b88aaff0 44 API calls 13602->13603 13610 7ff7b8802047 13603->13610 13604 7ff7b88399a0 memcmp 13604->13610 13605 7ff7b88a9390 32 API calls 13605->13610 13606 7ff7b8802251 13607 
7ff7b88a95e0 32 API calls 13607->13610 13608 7ff7b88020b8 rand 13608->13608 13608->13610 13610->13604 13610->13605 13610->13606 13610->13607 13610->13608 13611 7ff7b8828260 13610->13611 13612 7ff7b8902cd0 44 API calls 13611->13612 13613 7ff7b8828295 13612->13613 13614 7ff7b88282d6 13613->13614 13617 7ff7b8902cd0 44 API calls 13613->13617 13615 7ff7b88399a0 memcmp 13614->13615 13616 7ff7b882833a 13614->13616 13618 7ff7b88a9390 32 API calls 13614->13618 13615->13614 13616->13610 13617->13613 13618->13614 12817 7ff7b8822610 12818 7ff7b882261c 12817->12818 12818->12818 12821 7ff7b88257b0 12818->12821 12822 7ff7b88257bf 12821->12822 12823 7ff7b882581c malloc 12822->12823 12826 7ff7b88257d7 12822->12826 12825 7ff7b882263b 12823->12825 12823->12826 12824 7ff7b88257e7 LeaveCriticalSection 12824->12825 12826->12824 12826->12825 13619 7ff7b881ac10 signal 13620 7ff7b881ac26 signal 13619->13620 13621 7ff7b881ab66 13619->13621 13625 7ff7b881aba4 13620->13625 13622 7ff7b881ac7c signal 13621->13622 13623 7ff7b881abde signal 13621->13623 13621->13625 13622->13625 13623->13621 13624 7ff7b881ac90 signal 13623->13624 13624->13625 13626 7ff7b881b410 WakeConditionVariable 13627 7ff7b8825c10 13629 7ff7b8825d40 13627->13629 13630 7ff7b8825c2a 13627->13630 13628 7ff7b8825c46 13632 7ff7b8825ac0 LeaveCriticalSection malloc memset 13628->13632 13637 7ff7b8825cf9 13628->13637 13639 7ff7b8825cb6 LeaveCriticalSection 13628->13639 13641 7ff7b8825c84 free 13628->13641 13645 7ff7b8825ce8 LeaveCriticalSection 13628->13645 13629->13630 13631 7ff7b88257b0 2 API calls 13629->13631 13630->13628 13633 7ff7b8825de4 13630->13633 13630->13637 13640 7ff7b8825f2d malloc 13630->13640 13643 7ff7b8825ef5 LeaveCriticalSection 13630->13643 13644 7ff7b8825ea4 LeaveCriticalSection 13630->13644 13634 7ff7b8825da9 13631->13634 13632->13628 13633->13628 13635 7ff7b8825ded LeaveCriticalSection 13633->13635 13636 7ff7b8825dff memcpy 13634->13636 13634->13637 13635->13628 13636->13630 13638 7ff7b8825e1e free 13636->13638 
13638->13630 13639->13628 13640->13630 13642 7ff7b8825f3f 13640->13642 13641->13628 13643->13640 13644->13630 13645->13628 13645->13637 13978 7ff7b881bd10 RtlCaptureContext 13979 7ff7b881be3a RtlLookupFunctionEntry 13978->13979 13980 7ff7b881bdd0 RtlVirtualUnwind 13979->13980 13982 7ff7b881be5d 13979->13982 13981 7ff7b881be24 13980->13981 13981->13979 13981->13982 12830 7ff7b8821e16 12831 7ff7b8821e2d 12830->12831 12832 7ff7b8821e42 12830->12832 12836 7ff7b8820680 12831->12836 12833 7ff7b8820680 29 API calls 12832->12833 12835 7ff7b882228d 12833->12835 12835->12835 12837 7ff7b8820694 12836->12837 12838 7ff7b88206dc 12837->12838 12841 7ff7b8820758 12837->12841 12845 7ff7b881ffd0 12838->12845 12840 7ff7b881efa0 3 API calls 12843 7ff7b88206f6 12840->12843 12841->12840 12842 7ff7b88206e7 12842->12843 12844 7ff7b882073f fputc 12842->12844 12843->12832 12844->12842 12851 7ff7b881fff4 12845->12851 12846 7ff7b8820309 12850 7ff7b88205eb fputc 12846->12850 12853 7ff7b8820315 12846->12853 12847 7ff7b8820070 12848 7ff7b88203a8 12847->12848 12855 7ff7b88202d1 12847->12855 12861 7ff7b8820079 12847->12861 12854 7ff7b8820638 fputc 12848->12854 12848->12855 12849 7ff7b8820541 fputc 12849->12855 12850->12853 12851->12847 12851->12855 12859 7ff7b88202b0 fputc 12851->12859 12851->12861 12852 7ff7b88200a6 12852->12855 12860 7ff7b88200ae 12852->12860 12857 7ff7b881fe10 13 API calls 12853->12857 12865 7ff7b8820348 12853->12865 12854->12855 12855->12846 12855->12849 12855->12853 12856 7ff7b8820655 fputc 12855->12856 12856->12855 12857->12865 12858 7ff7b8820672 12858->12858 12859->12851 12864 7ff7b8820138 fputc 12860->12864 12868 7ff7b882014e 12860->12868 12871 7ff7b881f140 6 API calls 12860->12871 12861->12852 12861->12855 12862 7ff7b8820450 fputc 12861->12862 12862->12861 12863 7ff7b882015b 12863->12842 12864->12860 12864->12868 12865->12858 12866 7ff7b8820392 fputc 12865->12866 12867 7ff7b8820178 12865->12867 12866->12865 12867->12863 12870 7ff7b88201e0 fputc 12867->12870 12868->12863 
12872 7ff7b881fe10 12868->12872 12870->12867 12871->12860 12873 7ff7b881ff38 localeconv 12872->12873 12874 7ff7b881fe2c 12872->12874 12887 7ff7b8826ea0 ___mb_cur_max_func ___lc_codepage_func 12873->12887 12875 7ff7b881fe39 12874->12875 12876 7ff7b881fee0 12874->12876 12881 7ff7b8826d60 3 API calls 12875->12881 12879 7ff7b881ff20 fputc 12876->12879 12880 7ff7b881fef0 12876->12880 12878 7ff7b881ff5e 12884 7ff7b881fecb 12878->12884 12885 7ff7b881ffb6 fputc 12878->12885 12879->12880 12880->12867 12882 7ff7b881fe69 12881->12882 12882->12878 12883 7ff7b881fe71 12882->12883 12883->12884 12886 7ff7b881feb5 fputc 12883->12886 12884->12867 12885->12884 12886->12883 12886->12884 12889 7ff7b8826ef2 12887->12889 12896 7ff7b8826f98 12887->12896 12888 7ff7b8826f78 12891 7ff7b8826fd8 MultiByteToWideChar 12888->12891 12892 7ff7b8826f7d 12888->12892 12889->12888 12890 7ff7b8826f20 IsDBCSLeadByteEx 12889->12890 12893 7ff7b8826f2d 12889->12893 12889->12896 12890->12888 12890->12893 12891->12892 12895 7ff7b8827000 _errno 12891->12895 12892->12878 12894 7ff7b8826f4d MultiByteToWideChar 12893->12894 12893->12896 12894->12895 12897 7ff7b8826f63 12894->12897 12895->12896 12896->12878 12897->12878 13266 7ff7b8805ef8 13267 7ff7b8805a20 2 API calls 13266->13267 13268 7ff7b8805f08 13267->13268 13269 7ff7b8805a20 2 API calls 13268->13269 13270 7ff7b8805bb8 13268->13270 13269->13270 13651 7ff7b880dff8 13654 7ff7b880e00c 13651->13654 13652 7ff7b8804cc0 2 API calls 13653 7ff7b880ed03 strlen 13652->13653 13655 7ff7b8809fb2 13653->13655 13654->13652 13656 7ff7b8801010 13658 7ff7b880104b 13656->13658 13657 7ff7b880106d __set_app_type 13659 7ff7b8801077 13657->13659 13658->13657 13658->13659 13987 7ff7b8801d10 13988 7ff7b8801d30 rand 13987->13988 13993 7ff7b8801d5a 13988->13993 13989 7ff7b8902cd0 44 API calls 13989->13993 13990 7ff7b88399a0 memcmp 13990->13993 13991 7ff7b8802256 13992 7ff7b88a9390 32 API calls 13992->13993 13993->13988 13993->13989 13993->13990 13993->13991 13993->13992 13994 
7ff7b88a95e0 32 API calls 13993->13994 13995 7ff7b8801910 44 API calls 13993->13995 13994->13993 13995->13993 12902 7ff7b8825a00 12903 7ff7b8825a0e 12902->12903 12904 7ff7b8825a6d malloc 12903->12904 12905 7ff7b8825a1a 12903->12905 12904->12905 12906 7ff7b8825a2d 12904->12906 12905->12906 12907 7ff7b8825a90 LeaveCriticalSection 12905->12907 12907->12906 13271 7ff7b881ab00 13272 7ff7b881ab21 13271->13272 13273 7ff7b881ac7c signal 13272->13273 13274 7ff7b881abde signal 13272->13274 13276 7ff7b881aba4 13272->13276 13273->13276 13274->13272 13275 7ff7b881ac90 signal 13274->13275 13275->13276 14002 7ff7b881b500 GetSystemTimeAsFileTime 14003 7ff7b881b54f 14002->14003 13660 7ff7b881c401 13661 7ff7b881c41e 13660->13661 13662 7ff7b881c450 13660->13662 13663 7ff7b8821990 2 API calls 13661->13663 13664 7ff7b8821990 2 API calls 13662->13664 13665 7ff7b881c437 13663->13665 13666 7ff7b881c465 13664->13666 13667 7ff7b8808f2a 13668 7ff7b8809000 13667->13668 13669 7ff7b8808f40 13667->13669 13669->13668 13670 7ff7b8807290 2 API calls 13669->13670 13671 7ff7b8808d50 2 API calls 13669->13671 13670->13669 13671->13669 13277 7ff7b880822b 13278 7ff7b8807a70 2 API calls 13277->13278 13280 7ff7b8808235 13278->13280 13279 7ff7b8807a70 2 API calls 13279->13280 13280->13279 13281 7ff7b8808a45 13280->13281 12908 7ff7b881ad30 12909 7ff7b881ad50 EnterCriticalSection 12908->12909 12910 7ff7b881ad42 12908->12910 12911 7ff7b881ad93 LeaveCriticalSection 12909->12911 12912 7ff7b881ad6c 12909->12912 12912->12911 12913 7ff7b881ad8e free 12912->12913 12913->12911 13282 7ff7b8822230 13283 7ff7b8821ec4 13282->13283 13284 7ff7b8821eaf 13282->13284 13285 7ff7b8820d20 24 API calls 13283->13285 13286 7ff7b8820d20 24 API calls 13284->13286 13287 7ff7b882225c 13285->13287 13286->13283 13287->13287 14004 7ff7b881b430 SleepConditionVariableCS 14005 7ff7b881b450 GetLastError 14004->14005 14006 7ff7b881b444 14004->14006 14007 7ff7b881b030 strlen 14008 7ff7b881b0ae 14007->14008 14009 7ff7b881b045 14007->14009 
14009->14008 14010 7ff7b881b099 strncmp 14009->14010 14010->14008 14010->14009 13672 7ff7b8808730 13673 7ff7b880873d 13672->13673 13679 7ff7b880875f 13672->13679 13675 7ff7b8808af8 13673->13675 13677 7ff7b8808d50 2 API calls 13673->13677 13673->13679 13674 7ff7b8808b30 2 API calls 13674->13675 13676 7ff7b8805a20 2 API calls 13675->13676 13678 7ff7b8808b08 13676->13678 13677->13679 13679->13674 13679->13675 13679->13678 13292 7ff7b8801e18 rand rand rand 13293 7ff7b8902cd0 44 API calls 13292->13293 13294 7ff7b8801e87 13293->13294 13295 7ff7b8902cd0 44 API calls 13294->13295 13296 7ff7b8801ea9 13295->13296 13297 7ff7b88399a0 memcmp 13296->13297 13298 7ff7b88a9390 32 API calls 13296->13298 13299 7ff7b88a95e0 32 API calls 13296->13299 13300 7ff7b8802256 13296->13300 13302 7ff7b8801640 13296->13302 13297->13296 13298->13296 13299->13296 13303 7ff7b8801655 13302->13303 13304 7ff7b8801800 13302->13304 13307 7ff7b8801665 13303->13307 13322 7ff7b8801862 13303->13322 13325 7ff7b88016cf 13303->13325 13305 7ff7b8902cd0 44 API calls 13304->13305 13306 7ff7b880181c 13305->13306 13311 7ff7b8902cd0 44 API calls 13306->13311 13309 7ff7b8902cd0 44 API calls 13307->13309 13307->13325 13308 7ff7b8902cd0 44 API calls 13310 7ff7b880188c 13308->13310 13314 7ff7b880168b 13309->13314 13315 7ff7b8902cd0 44 API calls 13310->13315 13313 7ff7b8801840 13311->13313 13312 7ff7b8801901 13320 7ff7b8902cd0 44 API calls 13313->13320 13317 7ff7b8902cd0 44 API calls 13314->13317 13316 7ff7b88018ae 13315->13316 13323 7ff7b8902cd0 44 API calls 13316->13323 13321 7ff7b88016ad 13317->13321 13318 7ff7b88399a0 memcmp 13318->13325 13319 7ff7b88a9390 32 API calls 13319->13325 13320->13322 13326 7ff7b8902cd0 44 API calls 13321->13326 13322->13308 13323->13325 13324 7ff7b8902cd0 44 API calls 13324->13325 13325->13312 13325->13318 13325->13319 13325->13324 13326->13325 14015 7ff7b882141a 14016 7ff7b8821489 14015->14016 14017 7ff7b8821510 fputc 14016->14017 14018 7ff7b8821499 fputc 14016->14018 14017->14016 12914 
7ff7b8821d19 12918 7ff7b8821d30 12914->12918 12915 7ff7b88222de 12916 7ff7b881efa0 3 API calls 12915->12916 12916->12915 12917 7ff7b88225ba 12918->12915 12918->12917 12919 7ff7b881efa0 3 API calls 12918->12919 12919->12918 13327 7ff7b881e619 13328 7ff7b881e628 _errno 13327->13328 12920 7ff7b8802932 12921 7ff7b88029aa 12920->12921 12938 7ff7b88027e0 12921->12938 12924 7ff7b88027e0 10 API calls 12925 7ff7b8802a8e 12924->12925 12926 7ff7b88027e0 10 API calls 12925->12926 12927 7ff7b8802ade 12926->12927 12928 7ff7b88027e0 10 API calls 12927->12928 12929 7ff7b8802b36 12928->12929 12930 7ff7b88027e0 10 API calls 12929->12930 12931 7ff7b8802b86 12930->12931 12932 7ff7b88027e0 10 API calls 12931->12932 12933 7ff7b8802bb0 12932->12933 12934 7ff7b88027e0 10 API calls 12933->12934 12935 7ff7b8802c0e 12934->12935 12936 7ff7b88027e0 10 API calls 12935->12936 12937 7ff7b8802c76 12936->12937 12947 7ff7b8802600 12938->12947 12941 7ff7b8802804 strlen 12944 7ff7b880281f 12941->12944 12942 7ff7b88028cf 12942->12924 12943 7ff7b880285e strlen 12943->12944 12944->12942 12944->12943 12945 7ff7b88028c1 12944->12945 12946 7ff7b890ab80 malloc 12945->12946 12946->12942 12950 7ff7b8802774 12947->12950 12951 7ff7b880264e 12947->12951 12948 7ff7b88026a0 WideCharToMultiByte 12948->12951 12949 7ff7b880271e 6 API calls 12949->12950 12949->12951 12950->12941 12950->12942 12951->12948 12951->12949 12951->12950 12952 7ff7b8803932 12960 7ff7b8803765 12952->12960 12954 7ff7b8803c06 12956 7ff7b890c0a0 23 API calls 12954->12956 12955 7ff7b88f5ae0 27 API calls 12955->12960 12964 7ff7b8803c12 12956->12964 12957 7ff7b8803a9c 12958 7ff7b8803544 CreateFileW 12959 7ff7b8803580 WriteFile 12958->12959 12965 7ff7b88035c3 12958->12965 12961 7ff7b88038c0 CloseHandle 12959->12961 12962 7ff7b88035ae CloseHandle 12959->12962 12960->12952 12960->12954 12960->12955 12960->12957 12960->12958 12967 7ff7b88f07f0 12960->12967 12962->12965 12966 7ff7b890c0a0 23 API calls 12964->12966 12982 7ff7b881bb40 RtlCaptureContext 

                              Control-flow Graph

                              Memory Dump Source
                              • Source File: 00000000.00000002.1714965277.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              • Associated: 00000000.00000002.1714951537.00007FF7B8800000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715040912.00007FF7B890D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715059386.00007FF7B8911000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715152051.00007FF7B8AA0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715165795.00007FF7B8AA1000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715181719.00007FF7B8AA4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: AddressProc$wcslen$CurrentLoadPathProcessTempstrlen$LibraryProtectUnloadVirtualmemcpy
                              • String ID: 4.&.Z{,-$:a.dll$B$LdrLoadDll$Z{,-$a.dll$basic_string: construction from null is not valid$basic_string::append$zSJlTWS\Execute
                              • API String ID: 2265943254-318193387
                              • Opcode ID: e7bbd5f123d5df9470509c441783b5eb9e2c02f86aa84f5f481f50c67e0b9a61
                              • Instruction ID: 4918ad2fc6817e1bd663775ab98959120967658cd985375c3d3901559d9192f4
                              • Opcode Fuzzy Hash: e7bbd5f123d5df9470509c441783b5eb9e2c02f86aa84f5f481f50c67e0b9a61
                              • Instruction Fuzzy Hash: A8F1C422619B8682DB24EB19E4403AAF7A1FB96B84FC04131DB9E47B9CDF3CD516C714

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 102 7ff7b88034d0-7ff7b8803533 call 7ff7b890ab80 memcpy 105 7ff7b8803544-7ff7b880357a CreateFileW 102->105 106 7ff7b88035f8-7ff7b880363c 102->106 109 7ff7b88038d0-7ff7b88038da 105->109 110 7ff7b8803580-7ff7b88035a8 WriteFile 105->110 107 7ff7b8803650-7ff7b8803662 106->107 108 7ff7b88038e8-7ff7b880391a call 7ff7b88f5ca0 106->108 107->107 113 7ff7b8803664-7ff7b88036ec wcslen call 7ff7b88f5930 107->113 108->107 122 7ff7b8803928-7ff7b880392c 108->122 111 7ff7b88035c3-7ff7b88035cd call 7ff7b890ab40 109->111 112 7ff7b88038e0 109->112 115 7ff7b88038c0-7ff7b88038c6 CloseHandle 110->115 116 7ff7b88035ae-7ff7b88035c1 CloseHandle 110->116 117 7ff7b88035d2-7ff7b88035f4 call 7ff7b890ab40 111->117 112->117 124 7ff7b8803c44-7ff7b8803c53 call 7ff7b890c0a0 113->124 125 7ff7b88036f2-7ff7b8803714 call 7ff7b88f5ae0 113->125 116->111 116->117 126 7ff7b8803776-7ff7b880378e 122->126 127 7ff7b88039bc-7ff7b88039c4 122->127 146 7ff7b8803c27-7ff7b8803c3f call 7ff7b88f07d0 call 7ff7b890ab40 call 7ff7b881bb40 124->146 141 7ff7b8803c55-7ff7b8803c61 call 7ff7b890c0a0 125->141 142 7ff7b880371a-7ff7b8803747 call 7ff7b88f5ae0 125->142 131 7ff7b8803c06-7ff7b8803c0d call 7ff7b890c0a0 126->131 132 7ff7b8803794-7ff7b88037b9 call 7ff7b88f5ae0 126->132 130 7ff7b88039c8-7ff7b88039cb 127->130 136 7ff7b8803a20-7ff7b8803a2c 130->136 137 7ff7b88039cd-7ff7b88039d1 130->137 140 7ff7b8803c12-7ff7b8803c22 call 7ff7b88f07d0 * 2 131->140 154 7ff7b88037bf-7ff7b88037cb 132->154 155 7ff7b8803a68-7ff7b8803a7b 132->155 148 7ff7b8803a38-7ff7b8803a43 136->148 143 7ff7b8803b1e-7ff7b8803b2a 137->143 144 7ff7b88039d7-7ff7b88039df 137->144 140->146 141->140 142->122 172 7ff7b880374d-7ff7b8803755 142->172 143->136 152 7ff7b88039e5-7ff7b88039e9 144->152 153 7ff7b8803b2f-7ff7b8803b62 144->153 146->124 148->127 157 7ff7b8803a49-7ff7b8803a57 148->157 163 7ff7b88039ef-7ff7b88039f2 152->163 164 7ff7b8803bac-7ff7b8803bd8 152->164 165 7ff7b8803a09-7ff7b8803a1e 153->165 166 
7ff7b8803b68-7ff7b8803b6b 153->166 167 7ff7b88037d3-7ff7b88037ed 154->167 159 7ff7b8803a7d-7ff7b8803a96 155->159 160 7ff7b8803aab-7ff7b8803ab0 155->160 157->155 159->167 176 7ff7b8803a9c-7ff7b8803aa1 159->176 170 7ff7b8803ab4-7ff7b8803ac5 160->170 163->136 173 7ff7b88039f4-7ff7b8803a03 163->173 164->136 165->136 174 7ff7b8803b6d-7ff7b8803b7d 166->174 175 7ff7b88037f2-7ff7b88037fd 167->175 170->170 177 7ff7b8803ac7-7ff7b8803ace 170->177 172->126 179 7ff7b8803757-7ff7b880375f 172->179 173->165 180 7ff7b8803bdd-7ff7b8803c01 173->180 174->174 181 7ff7b8803b7f 174->181 175->148 182 7ff7b8803803-7ff7b8803816 175->182 177->159 185 7ff7b8803765-7ff7b8803770 179->185 186 7ff7b8803ad0 179->186 180->136 181->165 182->130 183 7ff7b880381c-7ff7b880383b 182->183 187 7ff7b8803875-7ff7b8803880 183->187 188 7ff7b880383d-7ff7b8803861 183->188 185->126 189 7ff7b8803950-7ff7b880397e call 7ff7b88f07f0 185->189 194 7ff7b8803ada-7ff7b8803aec 186->194 192 7ff7b8803894-7ff7b880389f 187->192 193 7ff7b8803882-7ff7b880388f call 7ff7b890ab40 187->193 188->187 190 7ff7b8803863-7ff7b8803870 call 7ff7b890ab40 188->190 189->194 201 7ff7b8803984-7ff7b8803990 189->201 190->187 192->105 198 7ff7b88038a5-7ff7b880393a call 7ff7b890ab40 192->198 193->192 199 7ff7b8803b84-7ff7b8803b89 194->199 200 7ff7b8803af2-7ff7b8803af8 194->200 198->185 211 7ff7b8803940-7ff7b8803943 198->211 205 7ff7b8803b8d-7ff7b8803b9e 199->205 203 7ff7b8803b06-7ff7b8803b09 200->203 204 7ff7b8803afa-7ff7b8803b00 200->204 206 7ff7b8803998-7ff7b88039b7 201->206 203->206 208 7ff7b8803b0f-7ff7b8803b19 203->208 204->203 205->205 209 7ff7b8803ba0-7ff7b8803ba7 205->209 206->175 208->206 209->200 211->132
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1714965277.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              • Associated: 00000000.00000002.1714951537.00007FF7B8800000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715040912.00007FF7B890D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715059386.00007FF7B8911000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715152051.00007FF7B8AA0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715165795.00007FF7B8AA1000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715181719.00007FF7B8AA4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: mallocmemcpy
                              • String ID: basic_string::append
                              • API String ID: 4276657696-3811946249
                              • Opcode ID: 478d52fa18d52d4defbd28d3cf3a57e33f6739e4ce9177ee6136c2b9cf404ec1
                              • Instruction ID: a3170213af9eabd2335e6d4ce007a75ff09eea06577a0b188108f95c17933914
                              • Opcode Fuzzy Hash: 478d52fa18d52d4defbd28d3cf3a57e33f6739e4ce9177ee6136c2b9cf404ec1
                              • Instruction Fuzzy Hash: 00D1963261CBC582EA60AB19E50076EE3A1FB96790F804231DBAD47B9DDF3CD456C718

                              Control-flow Graph

                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1714965277.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              • Associated: 00000000.00000002.1714951537.00007FF7B8800000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715040912.00007FF7B890D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715059386.00007FF7B8911000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715152051.00007FF7B8AA0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715165795.00007FF7B8AA1000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715181719.00007FF7B8AA4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: strlen$CurrentPathProcessTempmemchrmemcpy
                              • String ID:
                              • API String ID: 1237187527-0
                              • Opcode ID: b8ce6924fedb661b87884fb1d263ab3edc801dc2d5a500a0fb930ce7753d2c66
                              • Instruction ID: 04ce81bc967ca1c5d2d944a41b424c57d0a0eccb9b6a6248310eabb2d85f633c
                              • Opcode Fuzzy Hash: b8ce6924fedb661b87884fb1d263ab3edc801dc2d5a500a0fb930ce7753d2c66
                              • Instruction Fuzzy Hash: C0A19322618B8582EB109B19E44036AE7A1FB96BD0F944235EFAD47BDCDF7CD016CB14

                              Control-flow Graph

                              Memory Dump Source
                              • Source File: 00000000.00000002.1714965277.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              • Associated: 00000000.00000002.1714951537.00007FF7B8800000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715040912.00007FF7B890D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715059386.00007FF7B8911000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715152051.00007FF7B8AA0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715165795.00007FF7B8AA1000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715181719.00007FF7B8AA4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 62107a3d02b81b5234c88d95762d057ed00c24eaffb834b4604cbe2bde97a6a7
                              • Instruction ID: 8239d3963cb419e2b5a469c8baffa7394d82785ef4b7c88553857d72cca3e8ca
                              • Opcode Fuzzy Hash: 62107a3d02b81b5234c88d95762d057ed00c24eaffb834b4604cbe2bde97a6a7
                              • Instruction Fuzzy Hash: FC419328A2E64686EA11BF5DE451678E3D5AF27B90FC44034CB1C4735DDE2CE4238328

                              Control-flow Graph

                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1714965277.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              • Associated: 00000000.00000002.1714951537.00007FF7B8800000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715040912.00007FF7B890D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715059386.00007FF7B8911000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715152051.00007FF7B8AA0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715165795.00007FF7B8AA1000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715181719.00007FF7B8AA4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: CaptureContextCreateFirstProcess32SnapshotToolhelp32Unwindabort
                              • String ID:
                              • API String ID: 1927501140-0
                              • Opcode ID: 4b6a83684ab022a88defd8bcf5abd0d0cb42e06d483728e8715a84bc4aae11ba
                              • Instruction ID: 37546f53057cfab7b4f4763bdd8832101b55644b6a7322cf59b578cde26927d1
                              • Opcode Fuzzy Hash: 4b6a83684ab022a88defd8bcf5abd0d0cb42e06d483728e8715a84bc4aae11ba
                              • Instruction Fuzzy Hash: 4541E72261868682EA24BB19E4002BEE3A1FB97794FC44531EF5D0779EDF7CD4538714

                              Control-flow Graph

                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1714965277.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              • Associated: 00000000.00000002.1714951537.00007FF7B8800000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715040912.00007FF7B890D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715059386.00007FF7B8911000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715152051.00007FF7B8AA0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715165795.00007FF7B8AA1000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715181719.00007FF7B8AA4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: CloseFileHandle$CreateWrite
                              • String ID:
                              • API String ID: 3602564925-0
                              • Opcode ID: 394c0e051cec6e34f4efdc98b69a1e23df70269413b6b1c3fb0bf7fe79d9565c
                              • Instruction ID: 5f00c2508c001f642ad69ca3496d05a8d3cc37ff09261c5b36bb7aaaa6469424
                              • Opcode Fuzzy Hash: 394c0e051cec6e34f4efdc98b69a1e23df70269413b6b1c3fb0bf7fe79d9565c
                              • Instruction Fuzzy Hash: 3711A32271954683F620AB19F41476BE291BB95BA8F800230DF6D0BAD8CF3CE44A8758

                              Control-flow Graph

                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1714965277.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              • Associated: 00000000.00000002.1714951537.00007FF7B8800000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715040912.00007FF7B890D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715059386.00007FF7B8911000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715152051.00007FF7B8AA0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715165795.00007FF7B8AA1000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715181719.00007FF7B8AA4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: malloc$memcpystrlen
                              • String ID:
                              • API String ID: 3553820921-0
                              • Opcode ID: 543d9a2a041976af41462432e31a9754b6760f675d962eca3c3379e79177352a
                              • Instruction ID: 517c292c76a2f95ecb518a089f383652a8b04a73aef38b547042cb0784babe93
                              • Opcode Fuzzy Hash: 543d9a2a041976af41462432e31a9754b6760f675d962eca3c3379e79177352a
                              • Instruction Fuzzy Hash: 8A31A129A2E64686E711BF5DE851774E3D5AF63790FC44038CF1C07399EE2DA426C728

                              Control-flow Graph

                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1714965277.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              • Associated: 00000000.00000002.1714951537.00007FF7B8800000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715040912.00007FF7B890D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715059386.00007FF7B8911000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715152051.00007FF7B8AA0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715165795.00007FF7B8AA1000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715181719.00007FF7B8AA4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: malloc$memcpystrlen
                              • String ID:
                              • API String ID: 3553820921-0
                              • Opcode ID: 56020effcdf1f183f441924a68ad24072c27b0678ef036c8d0d284124bb19e98
                              • Instruction ID: 65392593c8a84e136a3c923601edd2817952fada968d89c28b1ada0b7b8a2d8d
                              • Opcode Fuzzy Hash: 56020effcdf1f183f441924a68ad24072c27b0678ef036c8d0d284124bb19e98
                              • Instruction Fuzzy Hash: 5D317029E2E60686E601BF5DE841778E390AF62791F844074DF1C07399DE3CE463C728

                              Control-flow Graph

                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1714965277.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              • Associated: 00000000.00000002.1714951537.00007FF7B8800000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715040912.00007FF7B890D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715059386.00007FF7B8911000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715152051.00007FF7B8AA0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715165795.00007FF7B8AA1000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715181719.00007FF7B8AA4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: Free
                              • String ID:
                              • API String ID: 3978063606-0
                              • Opcode ID: 348af94818ab9c865733835cec085adb7e283a79ab7aac6c44221e6ed0fb0604
                              • Instruction ID: d5db7deaeef3d550e1a92f826f69ab1022a36da14ab16d5a3f8f0d00268f4f04
                              • Opcode Fuzzy Hash: 348af94818ab9c865733835cec085adb7e283a79ab7aac6c44221e6ed0fb0604
                              • Instruction Fuzzy Hash: B7C04C14F5B543C2E654377A5C42522D1D07B6AB40FD05434C60895554DD6CA1E74675

                              Control-flow Graph

                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1714965277.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              • Associated: 00000000.00000002.1714951537.00007FF7B8800000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715040912.00007FF7B890D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715059386.00007FF7B8911000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715152051.00007FF7B8AA0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715165795.00007FF7B8AA1000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715181719.00007FF7B8AA4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: malloc
                              • String ID:
                              • API String ID: 2803490479-0
                              • Opcode ID: 988b4ae5ae706df390a6233965e24e8829ae3f9e1bccf5fff257dc606ecde792
                              • Instruction ID: db2ed813a7801957f066c1f95215c65cc6c94eab385234984bd4916bade7fa57
                              • Opcode Fuzzy Hash: 988b4ae5ae706df390a6233965e24e8829ae3f9e1bccf5fff257dc606ecde792
                              • Instruction Fuzzy Hash: 34D0C710B1A3474AFD5D769919513B4C1C10FBA702F480434DF5E853C6ED1C74424775
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1714965277.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              • Associated: 00000000.00000002.1714951537.00007FF7B8800000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715040912.00007FF7B890D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715059386.00007FF7B8911000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715152051.00007FF7B8AA0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715165795.00007FF7B8AA1000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715181719.00007FF7B8AA4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: strlenstrncmp
                              • String ID: Z$Z$_$_$_$_GLOBAL_
                              • API String ID: 1310274236-662103887
                              • Opcode ID: 67900ba0dafbe8d0e4433077726af768059a8f719d3a5e9100497bef6a6a133d
                              • Instruction ID: e1f5d2aae648cb32d16db648bedbda8c2896f6cfe8ec4d55d1177f5aa629a19b
                              • Opcode Fuzzy Hash: 67900ba0dafbe8d0e4433077726af768059a8f719d3a5e9100497bef6a6a133d
                              • Instruction Fuzzy Hash: 4462C572A286828BF764EE29C4543F9E7A0BB2A748F904035DB4E47789CF39D552C714
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1714965277.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              • Associated: 00000000.00000002.1714951537.00007FF7B8800000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715040912.00007FF7B890D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715059386.00007FF7B8911000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715152051.00007FF7B8AA0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715165795.00007FF7B8AA1000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715181719.00007FF7B8AA4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: memset
                              • String ID: $P$P
                              • API String ID: 2221118986-3733749394
                              • Opcode ID: 6c4975efa101d25bce8fb2713dfa8b24bac3f22bc36ad2dce6f035114948cbbe
                              • Instruction ID: 3bd357a90efdfc30838ec67fa8bb92fd3805cbe79c008201424f2698b6ed4190
                              • Opcode Fuzzy Hash: 6c4975efa101d25bce8fb2713dfa8b24bac3f22bc36ad2dce6f035114948cbbe
                              • Instruction Fuzzy Hash: E612823292C28287E760BF29D0407BEF791FBAA744F804135DB4947689DF7CE4568B64
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1714965277.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              • Associated: 00000000.00000002.1714951537.00007FF7B8800000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715040912.00007FF7B890D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715059386.00007FF7B8911000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715152051.00007FF7B8AA0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715165795.00007FF7B8AA1000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715181719.00007FF7B8AA4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: strcmp
                              • String ID: B$B$B$I^2$$h}/9
                              • API String ID: 1004003707-632112022
                              • Opcode ID: e456b41c8218c5c2878edad117f7d1c39dace70967b1e9da172d671df5be1f19
                              • Instruction ID: 76c101f178a4d2c4408261cccc7fcf3712666e2a7c6c2ebe59865dcfdf5d0fef
                              • Opcode Fuzzy Hash: e456b41c8218c5c2878edad117f7d1c39dace70967b1e9da172d671df5be1f19
                              • Instruction Fuzzy Hash: 61312772A0D78587DB219F29E0402AAFBA0E7A6788FC44135EB8D07B48DB7CC512CF54
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1714965277.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              • Associated: 00000000.00000002.1714951537.00007FF7B8800000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715040912.00007FF7B890D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715059386.00007FF7B8911000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715152051.00007FF7B8AA0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715165795.00007FF7B8AA1000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715181719.00007FF7B8AA4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID:
                              • String ID: $!$P
                              • API String ID: 0-2344582389
                              • Opcode ID: e65736c1dc54ff8f8e83bf8e017ecec5d9c8dafb1b82336238fa23b941b4cde6
                              • Instruction ID: 9ef4b1e6db54fe38d39d0e339fc83112036844567e9c950130fed250da0eafef
                              • Opcode Fuzzy Hash: e65736c1dc54ff8f8e83bf8e017ecec5d9c8dafb1b82336238fa23b941b4cde6
                              • Instruction Fuzzy Hash: 09F1E33292C68587E770BF18D0443BAF7A2EBAA340F808135DB4953789DF7CE4568B24
                              Memory Dump Source
                              • Source File: 00000000.00000002.1714965277.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              • Associated: 00000000.00000002.1714951537.00007FF7B8800000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715040912.00007FF7B890D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715059386.00007FF7B8911000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715152051.00007FF7B8AA0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715165795.00007FF7B8AA1000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715181719.00007FF7B8AA4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b2e773bbcf05a206fa72d67c052939a87a5037e1002fc13afee4ac7b2a9d1dd5
                              • Instruction ID: 488f7bbb2fe322a9fe9cae434a4d91b1f2fa1c8efafac6c0182307fa59645b07
                              • Opcode Fuzzy Hash: b2e773bbcf05a206fa72d67c052939a87a5037e1002fc13afee4ac7b2a9d1dd5
                              • Instruction Fuzzy Hash: FEC1DB72A281428BE764EE1AD44067EF791FBA9744F845034EB0A4779DDE3CE8128F54
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1714965277.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              • Associated: 00000000.00000002.1714951537.00007FF7B8800000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715040912.00007FF7B890D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715059386.00007FF7B8911000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715152051.00007FF7B8AA0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715165795.00007FF7B8AA1000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715181719.00007FF7B8AA4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID: 0-3916222277
                              • Opcode ID: 7722b09541f8c3a1042df91a4b64b4147f17cf3696f4ae9f4b099ea08ef108bb
                              • Instruction ID: 9d8f18ccb3d0953f7f72f0987129a53e1dbbbf72c623e13f1b6173fb93a42182
                              • Opcode Fuzzy Hash: 7722b09541f8c3a1042df91a4b64b4147f17cf3696f4ae9f4b099ea08ef108bb
                              • Instruction Fuzzy Hash: D9D1E362B6859147EBA49F1D850437DEB92BBA6784FC8C131DB1D473C8DA3CEA22C714
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1714965277.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              Similarity
                              • API ID: CriticalLeaveSectionmalloc
                              • String ID:
                              • API String ID: 2116668948-0
                              • Opcode ID: 40c92fb735db31c4a03f034ad08b64e87eddef291a1e133e22cfab3f13ba580c
                              • Instruction ID: c5e081e4684bd14313baadda97098aab351258b065b61dc7efc18752c08320a2
                              • Opcode Fuzzy Hash: 40c92fb735db31c4a03f034ad08b64e87eddef291a1e133e22cfab3f13ba580c
                              • Instruction Fuzzy Hash: 5751F6B1A2824287E71C9F1DF504B76BA91EBB1744F918139CB0A07BD8CA3CD552C794
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1714965277.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID: Result of
                              • API String ID: 0-1275385331
                              • Opcode ID: df9895d686224d2dd2c7e99c3ab68119a663b6e2dd92d436c381b666f5179717
                              • Instruction ID: ea5cc48deee741046bfffa42cab7caf6571e8054d08a1f3c1767bad800676c9e
                              • Opcode Fuzzy Hash: df9895d686224d2dd2c7e99c3ab68119a663b6e2dd92d436c381b666f5179717
                              • Instruction Fuzzy Hash: 4382EA64D09A4781FB01BB0DE8457B5F3A0BF66B46FC00235CA6C87269DF7DA14793A8
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1714965277.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID: Result of
                              • API String ID: 0-1275385331
                              • Opcode ID: 71862e91d9851ec66f4449fbeb5876b1467cb8c043c6da86588d3d223f86607d
                              • Instruction ID: c776825f421c8a9b5a6053a6cafa675400ce41597975b9257ddd5b2c8039d69a
                              • Opcode Fuzzy Hash: 71862e91d9851ec66f4449fbeb5876b1467cb8c043c6da86588d3d223f86607d
                              • Instruction Fuzzy Hash: 7AF1C232A14B8283E314DF29E4543AEB3A0FB65748F808625CBAD07795DF7CE1A5D348
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1714965277.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              Similarity
                              • API ID: Time$FileSystem
                              • String ID:
                              • API String ID: 2086374402-0
                              • Opcode ID: 9942ccc97f5f8416b775898699d47bf50dda6b0e8bd8ff5c80a888a791faa8a4
                              • Instruction ID: ab609dc9328a27be77a32296d9a1f5d1e66b3b53c80318ac9da3a192ca276232
                              • Opcode Fuzzy Hash: 9942ccc97f5f8416b775898699d47bf50dda6b0e8bd8ff5c80a888a791faa8a4
                              • Instruction Fuzzy Hash: C8F02793B2560883CF18DB78E865174D362AB58FC9B489831CB0F8BB38EE2CD1428200
                              Strings
                              • not enough space for format expansion (Please submit full bug report at https://gcc.gnu.org/bugs/): , xrefs: 00007FF7B890C472
                              Memory Dump Source
                              • Source File: 00000000.00000002.1714965277.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID: not enough space for format expansion (Please submit full bug report at https://gcc.gnu.org/bugs/):
                              • API String ID: 0-1835032153
                              • Opcode ID: 8e620f959c4aa112b31ede506d0c5fb51523c1f977658e3e8e59d1e508d8e11f
                              • Instruction ID: 3bd5d926d8782ba0a9717b676c0862d85bfd860f39a1df94a753c8c461d8f724
                              • Opcode Fuzzy Hash: 8e620f959c4aa112b31ede506d0c5fb51523c1f977658e3e8e59d1e508d8e11f
                              • Instruction Fuzzy Hash: 3E31B511B1964796EE24FB2998502AAE361BF66BC4FC00132EB6D177DDDE2CE107C354
                              Memory Dump Source
                              • Source File: 00000000.00000002.1714965277.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 26e0fa4ba8de209f33d981733c211bfc04209555fe558efc360ad56f06d6f81b
                              • Instruction ID: bfa7b3209dc0f98e0906998880f1b7a85756b6adc66b10db8c00574d3ef76f5a
                              • Opcode Fuzzy Hash: 26e0fa4ba8de209f33d981733c211bfc04209555fe558efc360ad56f06d6f81b
                              • Instruction Fuzzy Hash: 6B12B662E2EB4282FB60A708E44177AE6D1DF63780FD58431CB6C07789DE3DE5668364
                              Memory Dump Source
                              • Source File: 00000000.00000002.1714965277.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7d695400308593cf20877fba39419934d70e09c66bbd3b3c0be29ad461eb275a
                              • Instruction ID: 751f1021127655ae3bfd62adc36dcc68e9997e95274269d337e8b82a80e8c594
                              • Opcode Fuzzy Hash: 7d695400308593cf20877fba39419934d70e09c66bbd3b3c0be29ad461eb275a
                              • Instruction Fuzzy Hash: BD12C572E1974287E724BF19944037AE6D1EB66B84F944034CB6D0778DDE3EE862C394
                              Memory Dump Source
                              • Source File: 00000000.00000002.1714965277.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              Similarity
                              • API ID: CaptureContextUnwindabortstrlen
                              • String ID:
                              • API String ID: 1885994862-0
                              • Opcode ID: 0c9b34f1559c4bde3c9d00a4327f081f1601058a817002645cea0a004f1f74ca
                              • Instruction ID: 208b4f9c4153614bf702c4d4c1350fb50cae9af25030cf49f41a44feceed78c6
                              • Opcode Fuzzy Hash: 0c9b34f1559c4bde3c9d00a4327f081f1601058a817002645cea0a004f1f74ca
                              • Instruction Fuzzy Hash: CB411C50D1D28749FE21B72DA8043B5EA806F77B85F840235DA6D4639ECFACA0478379
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715152051.00007FF7B8AA0000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              • Associated: 00000000.00000002.1714951537.00007FF7B8800000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1714965277.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715040912.00007FF7B890D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715059386.00007FF7B8911000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715165795.00007FF7B8AA1000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715181719.00007FF7B8AA4000.00000002.00000001.01000000.00000003.sdmp
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 345812ff67cbd8d8fae4febdf0f35f1a69c95c8bef43ce55a609d45bba2dc031
                              • Instruction ID: d9c1874a3ea145252839816673f952b7f84862dcd1ae49567733a36ef0fc09e0
                              • Opcode Fuzzy Hash: 345812ff67cbd8d8fae4febdf0f35f1a69c95c8bef43ce55a609d45bba2dc031
                              • Instruction Fuzzy Hash: 73E03087E1FEC7C5F352A15C0CA942DEDD09A73500B4DD06ACB482A6979C1B2C0543A5

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1714965277.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              Similarity
                              • API ID: strcmp
                              • String ID: alnum$alpha$cntrl$digit$graph$lower$print$punct$space$upper$xdigit
                              • API String ID: 1004003707-2937198513
                              • Opcode ID: e67547db2ed2332a7f19e7dca95a45f00ddd27835b6d9e5c57363dc607d87d2e
                              • Instruction ID: 02e630f69285345c8a206e23744784a2df13370dbae9f189872e1d73f7e91f1e
                              • Opcode Fuzzy Hash: e67547db2ed2332a7f19e7dca95a45f00ddd27835b6d9e5c57363dc607d87d2e
                              • Instruction Fuzzy Hash: 0D31EA64A2E20383FA54BF5F9801775D2465F6A380FC46031DB0D866CDEE5CE866E23D
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1714965277.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              Similarity
                              • API ID: ExceptionRaiseUnwindabort
                              • String ID: CCG $CCG $CCG!$CCG!$CCG"
                              • API String ID: 4140830120-3297834124
                              • Opcode ID: e45fc8471f7cc306109c62edf8b254349e2b495fbaec3812b0675ed500c917f7
                              • Instruction ID: 1d53d645c5d6e4cda7000674acce4fcea8d5104b57afb763fc25b23b7e491779
                              • Opcode Fuzzy Hash: e45fc8471f7cc306109c62edf8b254349e2b495fbaec3812b0675ed500c917f7
                              • Instruction Fuzzy Hash: 0D51C632A14B8182E760AB59E4447A9B370F79EB84F505226EF8D13768EF3DD993C704
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1714965277.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              Similarity
                              • API ID: fputc
                              • String ID: UUUU
                              • API String ID: 1992160199-1798160573
                              • Opcode ID: f77c88ed8e2e0546aa95018f39101ab1acda64fb455bfe48ab528bf610eb644e
                              • Instruction ID: 1c6bcf170e97eebd1e41345d29a30d77e0b82f43322699474aeda622261c03f4
                              • Opcode Fuzzy Hash: f77c88ed8e2e0546aa95018f39101ab1acda64fb455bfe48ab528bf610eb644e
                              • Instruction Fuzzy Hash: B5127772D2810287E765AF2DC150739F7E1EB66B58F948235CB0D466CCDA38E852CB68
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1714965277.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              Similarity
                              • API ID: CriticalSection$DeleteEnterErrorInitializeLastLeaveValuefree
                              • String ID:
                              • API String ID: 100439675-0
                              • Opcode ID: 30aa02ae5bca33457ef710422f6a64a41ac8ead17b866e7ea412da05448c15c7
                              • Instruction ID: 7d992e43b2596a16d3dbbc4e9fc4816c17d4d064b4d823b47f4e26cc2158f521
                              • Opcode Fuzzy Hash: 30aa02ae5bca33457ef710422f6a64a41ac8ead17b866e7ea412da05448c15c7
                              • Instruction Fuzzy Hash: D8412E21A2E50287FA55BB59E840678E250AF7BB91FDC4435CB0D47698EF3CE8538368
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1714965277.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              Similarity
                              • API ID: fputc
                              • String ID:
                              • API String ID: 1992160199-0
                              • Opcode ID: f294bb9004327c1bec0d0349a18b948e00fe3e45a64ad46b07d7e6d5aa7348cc
                              • Instruction ID: 61e25ce6bcb22854549b2a7df8ada9f839f9436a871eaf9d3151e7afb4576115
                              • Opcode Fuzzy Hash: f294bb9004327c1bec0d0349a18b948e00fe3e45a64ad46b07d7e6d5aa7348cc
                              • Instruction Fuzzy Hash: 6DE188B2A241018BE774AF29C150739F7E1EB66B58FA58235CB094778CDA38EC52CF54
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1714965277.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              Similarity
                              • API ID: AddressLibraryLoadProcwcslen
                              • String ID: 4.&.$J$TEMP$basic_string: construction from null is not valid
                              • API String ID: 1064947497-679671853
                              • Opcode ID: 2b3813a550977f849a814cab301f845937e69ffc04f6b1439139e8e5e0fef5e4
                              • Instruction ID: b8f04a880d77ab0e59db24c152d29ec9f335aa637cdc36f0a1e11ccb38eaad12
                              • Opcode Fuzzy Hash: 2b3813a550977f849a814cab301f845937e69ffc04f6b1439139e8e5e0fef5e4
                              • Instruction Fuzzy Hash: 8831E432619A8693EB12AB18E4006AAF760FB96B84FC04032DB9D17B5CDF3CD517C758
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1714965277.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              Similarity
                              • API ID: ExceptionRaise$abort
                              • String ID: CCG $CCG"$CCG"
                              • API String ID: 3325032505-1179968548
                              Similarity
                              • API ID: CriticalLeaveSectionfree
                              • String ID:
                              • API String ID: 1679108487-0
                              Similarity
                              • API ID: strcpy_s$_strlwr$ByteCharMultiWidestrstr
                              • String ID:
                              • API String ID: 606828236-0
                              Similarity
                              • API ID: fputc
                              • String ID:
                              • API String ID: 1992160199-0
                              Similarity
                              • API ID: Byte$CharLeadMultiWide___lc_codepage_func___mb_cur_max_func
                              • String ID:
                              • API String ID: 2785433807-0
                              Similarity
                              • API ID: rand
                              • String ID: and $+-*/$Performing arithmetic operations on:
                              • API String ID: 415692148-3864222635
                              Similarity
                              • API ID: HandleModule
                              • String ID: >$@$@$MF3A
                              • API String ID: 4139908857-2332176444
                              Similarity
                              • API ID:
                              • String ID: basic_string::_M_create
                              • API String ID: 0-3122258987
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Similarity
                              • API ID: memcpy
                              • String ID: Result of $basic_string::_M_create
                              • API String ID: 3510742995-1160149181
                              Strings
                              • Unknown pseudo relocation bit size %d., xrefs: 00007FF7B881AA74
                              • Unknown pseudo relocation protocol version %d., xrefs: 00007FF7B881AA96
                              • %d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00007FF7B881AA8A
                              Similarity
                              • API ID: ProtectVirtual
                              • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
                              • API String ID: 544645111-1286557213
                              Similarity
                              • API ID:
                              • String ID: CCG
                              • API String ID: 0-1584390748
                              Similarity
                              • API ID: freememcpystrlen
                              • String ID:
                              • API String ID: 2208669145-0
                              Similarity
                              • API ID: strlen
                              • String ID: t$ty$y
                              • API String ID: 39653677-1920740250
                              Similarity
                              • API ID: strcmp
                              • String ID: (
                              • API String ID: 1004003707-3887548279
                              Similarity
                              • API ID: strlen
                              • String ID: a$a$rm
                              • API String ID: 39653677-3573517395
                              Similarity
                              • API ID: memcpy
                              • String ID: basic_string::_M_create
                              • API String ID: 3510742995-3122258987
                              Similarity
                              • API ID: ___lc_codepage_funcfputclocaleconv
                              • String ID:
                              • API String ID: 1339002523-0
                              Similarity
                              • API ID: memcpy
                              • String ID: basic_ios::clear$basic_string::_M_replace
                              • API String ID: 3510742995-1781676995
                              Similarity
                              • API ID: strcmp
                              • String ID: $ : $new
                              • API String ID: 1004003707-2075650739
                              Similarity
                              • API ID: memcpystrlen
                              • String ID: basic_string::_M_replace$basic_string::_S_construct null not valid
                              • API String ID: 3412268980-2381965344
                              Similarity
                              • API ID: _strlwrstrcpy_s
                              • String ID:
                              • API String ID: 3746470816-0
                              Similarity
                              • API ID: ErrorLastQueryVirtual
                              • String ID: VirtualProtect failed with code 0x%x
                              • API String ID: 504369486-733738292
                              Similarity
                              • API ID: fprintf
                              • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                              • API String ID: 383729395-3474627141
                              Similarity
                              • API ID: fprintf
                              • String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
                              • API String ID: 383729395-4283191376
                              Similarity
                              • API ID: fprintf
                              • String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
                              • API String ID: 383729395-2713391170
                              Similarity
                              • API ID: fprintf
                              • String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
                              • API String ID: 383729395-2187435201
                              Similarity
                              • API ID: fprintf
                              • String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
                              • API String ID: 383729395-4064033741
                              Similarity
                              • API ID: fprintf
                              • String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
                              • API String ID: 383729395-4273532761
                              Similarity
                              • API ID: fprintf
                              • String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
                              • API String ID: 383729395-2468659920

                              Execution Graph

                              Execution Coverage:6.4%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:12.3%
                              Total number of Nodes:2000
                              Total number of Limit Nodes:53
3 API calls 70746 140077816 70745->70746 70749 1400b6832 70747->70749 70748 1400a9aa0 _Strcoll 3 API calls 70751 1400777d9 70748->70751 70750 1400b694d 70749->70750 70752 1400b6893 GetFileAttributesExW 70749->70752 70762 1400b683b __std_fs_convert_narrow_to_wide 70749->70762 70779 1400b6bc4 CreateFileW __std_fs_convert_narrow_to_wide 70750->70779 70751->70745 70755 1400b68f8 70752->70755 70756 1400b68a7 __std_fs_convert_narrow_to_wide 70752->70756 70754 1400b6970 70757 1400b6a43 70754->70757 70758 1400b69a5 GetFileInformationByHandleEx 70754->70758 70770 1400b6976 ProcessCodePage 70754->70770 70755->70750 70755->70762 70759 1400b68b6 FindFirstFileW 70756->70759 70756->70762 70761 1400b6a5e GetFileInformationByHandleEx 70757->70761 70757->70770 70760 1400b69e5 70758->70760 70767 1400b69bf __std_fs_convert_narrow_to_wide ProcessCodePage 70758->70767 70759->70762 70763 1400b68d5 FindClose 70759->70763 70760->70757 70765 1400b6a06 GetFileInformationByHandleEx 70760->70765 70769 1400b6a74 __std_fs_convert_narrow_to_wide ProcessCodePage 70761->70769 70761->70770 70762->70748 70763->70755 70764 1400b6b05 70780 140095298 41 API calls __std_fs_directory_iterator_open 70764->70780 70765->70757 70771 1400b6a22 __std_fs_convert_narrow_to_wide ProcessCodePage 70765->70771 70773 1400b6b16 70767->70773 70776 1400b698f 70767->70776 70768 1400b6b0a 70781 140095298 41 API calls __std_fs_directory_iterator_open 70768->70781 70774 1400b6b10 70769->70774 70769->70776 70770->70762 70770->70764 70770->70776 70771->70768 70771->70776 70783 140095298 41 API calls __std_fs_directory_iterator_open 70773->70783 70782 140095298 41 API calls __std_fs_directory_iterator_open 70774->70782 70776->70762 70779->70754 70784 140077bd0 70785 140077c63 _Receive_impl 70784->70785 70787 1400781d7 70785->70787 70838 14002e700 70785->70838 70904 14002de50 44 API calls Concurrency::cancel_current_task 70787->70904 70788 140077d36 70788->70787 70831 140077d97 _Receive_impl 70788->70831 70789 140077cf4 
memcpy_s 70789->70788 70844 140086ce0 70789->70844 70791 1400a9aa0 _Strcoll 3 API calls 70794 140077dc9 70791->70794 70793 140077e19 70837 1400780a0 70793->70837 70861 1400854d0 70793->70861 70795 1400781ff 70905 14002c9d0 43 API calls 70795->70905 70799 140077e92 70803 140077f32 70799->70803 70804 140077eaf 70799->70804 70800 140078226 70801 1400ac0c8 Concurrency::cancel_current_task RaiseException 70800->70801 70802 140078237 70801->70802 70906 14002c9d0 43 API calls 70802->70906 70868 140083d50 70803->70868 70804->70795 70806 140077ee1 70804->70806 70808 140083b90 44 API calls 70806->70808 70807 140077f46 70813 140077fe0 70807->70813 70814 140077f5d 70807->70814 70810 140077eee 70808->70810 70889 140050970 42 API calls 70810->70889 70811 140078260 70812 1400ac0c8 Concurrency::cancel_current_task RaiseException 70811->70812 70822 140078274 70812->70822 70815 140083d50 43 API calls 70813->70815 70814->70802 70816 140077f8f 70814->70816 70818 140077ff4 70815->70818 70879 140083b90 70816->70879 70820 140083d50 43 API calls 70818->70820 70824 140078003 70820->70824 70821 140077f9c 70890 140050970 42 API calls 70821->70890 70907 14002c9d0 43 API calls 70822->70907 70891 140062300 70824->70891 70825 14007829e 70827 1400ac0c8 Concurrency::cancel_current_task RaiseException 70825->70827 70830 1400782b2 70827->70830 70828 140078013 70828->70822 70832 140083b90 44 API calls 70828->70832 70831->70791 70833 140078053 70832->70833 70834 14003fcd0 43 API calls 70833->70834 70835 140078063 70834->70835 70902 140050970 42 API calls 70835->70902 70837->70831 70903 140051660 42 API calls 70837->70903 70839 14002e731 70838->70839 70840 1400b67f0 48 API calls 70839->70840 70841 14002e74d 70840->70841 70842 1400a9aa0 _Strcoll 3 API calls 70841->70842 70843 14002e7d2 70842->70843 70843->70789 70908 140041960 70844->70908 70851 140086def 70934 140051c20 41 API calls _Strcoll 70851->70934 70852 140086e78 70860 140086e28 70852->70860 70936 14002c9d0 43 API calls 70852->70936 70854 
140086e01 70935 140053690 58 API calls 4 library calls 70854->70935 70856 140086ee2 70858 1400ac0c8 Concurrency::cancel_current_task RaiseException 70856->70858 70859 140086ef3 70858->70859 70860->70793 71138 140040730 70861->71138 70863 140085506 71148 1400889c0 70863->71148 70867 140085575 70867->70799 70869 140083dee 70868->70869 70870 140083d6f 70868->70870 70871 140044520 43 API calls 70869->70871 70872 140083daa 70870->70872 71504 140085d50 43 API calls 3 library calls 70870->71504 70873 140083e1b 70871->70873 70872->70807 70874 1400ac0c8 Concurrency::cancel_current_task RaiseException 70873->70874 70875 140083e2c 70874->70875 70877 140083ddd 70878 1400ac0c8 Concurrency::cancel_current_task RaiseException 70877->70878 70878->70869 70882 140083ba2 70879->70882 71505 140051d20 42 API calls 70879->71505 70881 140083bd0 70881->70821 70882->70881 71506 14002c9d0 43 API calls 70882->71506 70884 140083c16 70885 1400ac0c8 Concurrency::cancel_current_task RaiseException 70884->70885 70886 140083c27 70885->70886 70887 140083c57 70886->70887 71507 14008cab0 7 API calls 3 library calls 70886->71507 70887->70821 70889->70831 70890->70831 70892 14006233d 70891->70892 70895 14006237e 70891->70895 70893 14006235c 70892->70893 71508 1400414b0 70892->71508 70893->70828 70896 140044520 43 API calls 70895->70896 70897 1400623b1 70896->70897 70898 1400ac0c8 Concurrency::cancel_current_task RaiseException 70897->70898 70901 1400623c2 70898->70901 70899 1400623f6 70899->70828 70901->70899 71514 1400b6720 42 API calls __std_fs_directory_iterator_open 70901->71514 70902->70837 70903->70788 70905->70800 70906->70811 70907->70825 70909 1400419c1 70908->70909 70910 1400a9be8 std::_Facet_Register 43 API calls 70908->70910 70937 1400b782c 70909->70937 70910->70909 70912 1400419d1 70946 140041cc0 70912->70946 70915 140041a5e 70916 140041a6b 70915->70916 70961 1400b7af8 EnterCriticalSection FreeLibrary GetProcAddress std::_Lockit::_Lockit 70915->70961 70923 140052100 70916->70923 70918 
140041a86 70962 14002c9d0 43 API calls 70918->70962 70920 140041ac6 70921 1400ac0c8 Concurrency::cancel_current_task RaiseException 70920->70921 70922 140041ad7 70921->70922 70974 1400413b0 70923->70974 70926 1400b7d68 70927 1400b7dae 70926->70927 70929 140086de6 70927->70929 70980 1400b9758 70927->70980 70929->70851 70929->70852 70930 1400b7de1 70930->70929 70997 14008d284 41 API calls ProcessCodePage 70930->70997 70932 1400b7dfc 70932->70929 70998 14008c020 42 API calls ProcessCodePage 70932->70998 70934->70854 70935->70860 70936->70856 70963 1400b71cc 70937->70963 70939 1400b784e 70945 1400b7892 Concurrency::cancel_current_task ctype 70939->70945 70967 1400b7a24 43 API calls std::_Facet_Register 70939->70967 70941 1400b7866 70968 1400b7a54 42 API calls std::locale::_Setgloballocale 70941->70968 70943 1400b7871 70943->70945 70969 14008cab0 7 API calls 3 library calls 70943->70969 70945->70912 70947 1400b71cc std::_Lockit::_Lockit 3 API calls 70946->70947 70948 140041cf0 70947->70948 70949 1400b71cc std::_Lockit::_Lockit 3 API calls 70948->70949 70951 140041d15 70948->70951 70949->70951 70950 140041d8d 70952 1400a9aa0 _Strcoll 3 API calls 70950->70952 70951->70950 70971 14002c670 61 API calls 6 library calls 70951->70971 70953 140041a02 70952->70953 70953->70915 70953->70918 70955 140041d9f 70956 140041da5 70955->70956 70957 140041e06 70955->70957 70972 1400b77ec 43 API calls std::_Facet_Register 70956->70972 70973 14002c1b0 43 API calls 2 library calls 70957->70973 70960 140041e0b 70961->70916 70962->70920 70964 1400b71db 70963->70964 70965 1400b71e0 70963->70965 70970 140097e08 EnterCriticalSection FreeLibrary GetProcAddress std::_Lockit::_Lockit 70964->70970 70965->70939 70967->70941 70968->70943 70969->70945 70971->70955 70972->70950 70973->70960 70975 1400413b5 70974->70975 70976 1400a9be8 std::_Facet_Register 43 API calls 70975->70976 70977 140041427 70976->70977 70978 1400b782c 47 API calls 70977->70978 70979 140041437 70978->70979 70979->70852 70979->70926 
70981 1400b9684 70980->70981 70982 1400b96aa 70981->70982 70984 1400b96dd 70981->70984 71008 140091b6c 6 API calls _get_daylight 70982->71008 70987 1400b96f0 70984->70987 70988 1400b96e3 70984->70988 70985 1400b96af 71009 14008d6a8 41 API calls _invalid_parameter_noinfo 70985->71009 70999 140098f20 70987->70999 71010 140091b6c 6 API calls _get_daylight 70988->71010 70991 1400b96fa 70992 1400b9704 70991->70992 70993 1400b9711 70991->70993 71011 140091b6c 6 API calls _get_daylight 70992->71011 71003 1400baef0 70993->71003 70996 1400b96ba 70996->70930 70997->70932 70998->70929 71000 140098f37 70999->71000 71012 140098f94 71000->71012 71002 140098f42 71002->70991 71021 1400bab50 71003->71021 71006 1400baf4a 71006->70996 71008->70985 71009->70996 71010->70996 71011->70996 71018 140098fc5 71012->71018 71013 14009904a 71013->71002 71014 1400992a8 _get_daylight 6 API calls 71015 140099020 71014->71015 71016 140098c40 __free_lconv_num 6 API calls 71015->71016 71017 14009902a 71016->71017 71017->71013 71020 140099a48 FreeLibrary GetProcAddress InitializeCriticalSectionAndSpinCount __crtLCMapStringW 71017->71020 71018->71013 71018->71014 71018->71018 71020->71013 71026 1400bab8b __crtLCMapStringW 71021->71026 71023 1400bae29 71040 14008d6a8 41 API calls _invalid_parameter_noinfo 71023->71040 71025 1400bad5b 71025->71006 71033 1400bc608 71025->71033 71031 1400bad52 71026->71031 71036 1400a73ac 44 API calls 4 library calls 71026->71036 71028 1400badbd 71028->71031 71037 1400a73ac 44 API calls 4 library calls 71028->71037 71030 1400baddc 71030->71031 71038 1400a73ac 44 API calls 4 library calls 71030->71038 71031->71025 71039 140091b6c 6 API calls _get_daylight 71031->71039 71041 1400bbabc 71033->71041 71035 1400bc635 71035->71006 71036->71028 71037->71030 71038->71031 71039->71023 71040->71025 71042 1400bbad3 71041->71042 71043 1400bbaf1 71041->71043 71092 140091b6c 6 API calls _get_daylight 71042->71092 71043->71042 71046 1400bbb0d 71043->71046 71045 1400bbad8 71093 14008d6a8 
41 API calls _invalid_parameter_noinfo 71045->71093 71050 1400bc218 71046->71050 71049 1400bbae4 71049->71035 71094 1400bbdf8 71050->71094 71052 1400bc25f 71053 1400bc28d 71052->71053 71054 1400bc2a5 71052->71054 71117 140091b4c 6 API calls _get_daylight 71053->71117 71110 1400a076c 71054->71110 71057 1400bc292 71118 140091b6c 6 API calls _get_daylight 71057->71118 71058 1400bc2aa 71059 1400bc2ca CreateFileW 71058->71059 71060 1400bc2b1 71058->71060 71063 1400bc3b0 GetFileType 71059->71063 71064 1400bc335 71059->71064 71119 140091b4c 6 API calls _get_daylight 71060->71119 71065 1400bc40e 71063->71065 71066 1400bc3bd __std_fs_convert_narrow_to_wide 71063->71066 71068 1400bc37d __std_fs_convert_narrow_to_wide 71064->71068 71069 1400bc343 CreateFileW 71064->71069 71124 1400a0684 7 API calls 2 library calls 71065->71124 71122 140091ae0 6 API calls 2 library calls 71066->71122 71067 1400bc2b6 71120 140091b6c 6 API calls _get_daylight 71067->71120 71121 140091ae0 6 API calls 2 library calls 71068->71121 71069->71063 71069->71068 71074 1400bc430 71075 1400bc484 71074->71075 71125 1400bc004 46 API calls 2 library calls 71074->71125 71080 1400bc48b 71075->71080 71127 1400bbb80 45 API calls 2 library calls 71075->71127 71078 1400bc4c2 71078->71080 71082 1400bc4d1 71078->71082 71079 1400bc3cc ProcessCodePage 71079->71057 71123 140091b6c 6 API calls _get_daylight 71079->71123 71126 140098db8 42 API calls ProcessCodePage 71080->71126 71083 1400bc29e 71082->71083 71085 1400bc551 ProcessCodePage 71082->71085 71083->71049 71086 1400bc55a CreateFileW 71085->71086 71087 1400bc5c6 71086->71087 71088 1400bc598 __std_fs_convert_narrow_to_wide 71086->71088 71087->71083 71128 140091ae0 6 API calls 2 library calls 71088->71128 71090 1400bc5a5 71129 1400a08ac 7 API calls 2 library calls 71090->71129 71092->71045 71093->71049 71095 1400bbe24 71094->71095 71102 1400bbe3e 71094->71102 71095->71102 71130 140091b6c 6 API calls _get_daylight 71095->71130 71097 1400bbe33 71131 14008d6a8 41 API 
calls _invalid_parameter_noinfo 71097->71131 71099 1400bbf12 71106 1400bbf6a 71099->71106 71136 1400b90b0 41 API calls 2 library calls 71099->71136 71100 1400bbebe 71100->71099 71134 140091b6c 6 API calls _get_daylight 71100->71134 71102->71100 71132 140091b6c 6 API calls _get_daylight 71102->71132 71105 1400bbf07 71135 14008d6a8 41 API calls _invalid_parameter_noinfo 71105->71135 71106->71052 71107 1400bbeb3 71133 14008d6a8 41 API calls _invalid_parameter_noinfo 71107->71133 71111 1400a078f 71110->71111 71112 1400a07b8 71111->71112 71114 1400a07bd 71111->71114 71115 1400a080e EnterCriticalSection 71111->71115 71137 1400a04bc 9 API calls 2 library calls 71112->71137 71114->71058 71115->71114 71116 1400a081d LeaveCriticalSection 71115->71116 71116->71111 71117->71057 71118->71083 71119->71067 71120->71057 71121->71057 71122->71079 71123->71057 71124->71074 71125->71075 71126->71083 71127->71078 71128->71090 71129->71087 71130->71097 71131->71102 71132->71107 71133->71100 71134->71105 71135->71099 71136->71106 71137->71114 71139 140040886 71138->71139 71140 140040763 71138->71140 71139->71140 71142 140040893 71139->71142 71141 1400a9aa0 _Strcoll 3 API calls 71140->71141 71143 140040792 71141->71143 71205 140045220 43 API calls 3 library calls 71142->71205 71143->70863 71145 1400408b4 71146 1400ac0c8 Concurrency::cancel_current_task RaiseException 71145->71146 71147 1400408c5 71146->71147 71149 140088a14 71148->71149 71206 140091a64 71149->71206 71153 140088b21 71229 140075b50 71153->71229 71156 1400a9aa0 _Strcoll 3 API calls 71157 140085569 71156->71157 71158 140086680 71157->71158 71159 140086991 71158->71159 71162 1400866cb memcpy_s 71158->71162 71355 140089fe0 71159->71355 71403 140062d50 43 API calls 71162->71403 71163 140087120 43 API calls 71167 1400869d0 71163->71167 71165 14008671b 71169 140087120 43 API calls 71165->71169 71166 140040730 43 API calls 71176 140086b8c 71166->71176 71171 140066750 43 API calls 71167->71171 71200 140086ad8 _Receive_impl 
71167->71200 71168 1400a9aa0 _Strcoll 3 API calls 71170 140086c1c 71168->71170 71180 140086737 71169->71180 71170->70867 71173 140086a43 71171->71173 71172 1400868c4 _Receive_impl 71174 1400868dd 71172->71174 71175 140086925 71172->71175 71178 140063430 43 API calls 71173->71178 71179 140040730 43 API calls 71174->71179 71182 1400868f8 _Receive_impl 71175->71182 71183 140040730 43 API calls 71175->71183 71177 140086c70 71176->71177 71176->71182 71476 140061f10 42 API calls 71177->71476 71190 140086a52 _Receive_impl 71178->71190 71179->71182 71180->71172 71404 140066750 71180->71404 71182->71168 71183->71182 71184 140086c88 71187 1400ac0c8 Concurrency::cancel_current_task RaiseException 71184->71187 71201 140086c98 71187->71201 71188 140086cb7 71192 1400ac0c8 Concurrency::cancel_current_task RaiseException 71188->71192 71189 1400867a9 71470 140063430 71189->71470 71191 1400aba10 __std_exception_destroy 7 API calls 71190->71191 71198 140086cc7 71190->71198 71190->71201 71194 140086aca 71191->71194 71192->71198 71196 1400aba10 __std_exception_destroy 7 API calls 71194->71196 71196->71200 71197 1400867ce _Receive_impl 71199 1400aba10 __std_exception_destroy 7 API calls 71197->71199 71197->71201 71202 140086839 71199->71202 71200->71166 71200->71176 71200->71177 71200->71198 71477 140061f10 42 API calls 71201->71477 71203 1400aba10 __std_exception_destroy 7 API calls 71202->71203 71204 140086847 _Receive_impl 71203->71204 71204->71172 71204->71201 71205->71145 71236 1400958c8 71206->71236 71211 140087120 71212 140087143 71211->71212 71216 140087190 71211->71216 71285 1400886d0 71212->71285 71214 1400886d0 43 API calls 71214->71216 71215 140087148 71215->71216 71217 1400886d0 43 API calls 71215->71217 71216->71214 71228 1400871e3 71216->71228 71218 140087157 71217->71218 71219 14008716d 71218->71219 71221 1400886d0 43 API calls 71218->71221 71220 1400a9aa0 _Strcoll 3 API calls 71219->71220 71223 14008718a 71220->71223 71222 140087166 71221->71222 71222->71216 
71222->71219 71223->71153 71224 1400872e8 71225 1400a9aa0 _Strcoll 3 API calls 71224->71225 71226 14008743b 71225->71226 71226->71153 71227 1400886d0 43 API calls 71227->71228 71228->71224 71228->71227 71230 140075b87 71229->71230 71231 140075b5e 71229->71231 71230->71156 71231->71230 71354 14002c9d0 43 API calls 71231->71354 71233 140075bbe 71234 1400ac0c8 Concurrency::cancel_current_task RaiseException 71233->71234 71235 140075bcf 71234->71235 71237 1400958dd __std_fs_convert_narrow_to_wide 71236->71237 71238 140095909 FlsSetValue 71237->71238 71239 1400958ec FlsGetValue 71237->71239 71240 14009591b 71238->71240 71241 1400958f9 71238->71241 71239->71241 71242 140095903 71239->71242 71244 1400992a8 _get_daylight 6 API calls 71240->71244 71243 140095975 SetLastError 71241->71243 71242->71238 71245 140091a6d 71243->71245 71246 140095995 71243->71246 71247 14009592a 71244->71247 71278 140097b50 71245->71278 71283 140095298 41 API calls __std_fs_directory_iterator_open 71246->71283 71249 140095948 FlsSetValue 71247->71249 71250 140095938 FlsSetValue 71247->71250 71253 140095954 FlsSetValue 71249->71253 71254 140095966 71249->71254 71252 140095941 71250->71252 71257 140098c40 __free_lconv_num 6 API calls 71252->71257 71253->71252 71282 140095678 6 API calls _get_daylight 71254->71282 71257->71241 71262 14009596e 71266 140098c40 __free_lconv_num 6 API calls 71262->71266 71266->71243 71279 140088afa 71278->71279 71280 140097b65 71278->71280 71279->71211 71280->71279 71284 1400a0d14 41 API calls 2 library calls 71280->71284 71282->71262 71284->71279 71286 1400886f3 71285->71286 71289 1400886ed 71285->71289 71287 14008870a 71286->71287 71302 140051010 71286->71302 71287->71289 71291 1400887a4 71287->71291 71288 140088777 71288->71215 71289->71288 71321 140068e10 43 API calls 4 library calls 71289->71321 71322 14002c9d0 43 API calls 71291->71322 71293 1400887e6 71294 1400ac0c8 Concurrency::cancel_current_task RaiseException 71293->71294 71295 1400887f7 71294->71295 71296 
140045670 43 API calls 71295->71296 71299 140088825 71295->71299 71296->71299 71297 1400888d0 71297->71215 71298 1400886d0 43 API calls 71298->71299 71299->71297 71299->71298 71300 140045670 43 API calls 71299->71300 71300->71299 71303 14005104d 71302->71303 71305 1400510c1 71303->71305 71306 1400510e3 71303->71306 71311 14005105d _Receive_impl 71303->71311 71304 1400a9aa0 _Strcoll 3 API calls 71307 14005128f 71304->71307 71323 14008c104 71305->71323 71309 14008c104 41 API calls 71306->71309 71307->71287 71315 140051111 ctype 71309->71315 71310 140051231 71310->71311 71313 140051317 71310->71313 71311->71304 71312 140045670 43 API calls 71312->71315 71314 140051344 71313->71314 71320 140051010 43 API calls 71313->71320 71314->71287 71315->71310 71315->71312 71317 14008c104 41 API calls 71315->71317 71319 1400512c7 71315->71319 71316 14005135b 71316->71287 71317->71315 71319->71310 71340 14008cbe4 41 API calls 2 library calls 71319->71340 71320->71316 71321->71288 71322->71293 71324 14008c120 71323->71324 71327 14008c13e 71323->71327 71347 140091b6c 6 API calls _get_daylight 71324->71347 71326 14008c125 71348 14008d6a8 41 API calls _invalid_parameter_noinfo 71326->71348 71328 14008c1f8 71327->71328 71330 1400952f0 _fread_nolock 41 API calls 71327->71330 71341 14008c0c0 71328->71341 71334 14008c15f 71330->71334 71332 14008c130 71332->71311 71333 14008c1cd 71349 140091b6c 6 API calls _get_daylight 71333->71349 71334->71328 71334->71333 71336 14008c1d2 71350 14008d6a8 41 API calls _invalid_parameter_noinfo 71336->71350 71338 14008c1dd 71351 1400abcf4 RtlUnwind 71338->71351 71340->71319 71342 14008c0cc 71341->71342 71346 14008c0dc 71341->71346 71352 140091b6c 6 API calls _get_daylight 71342->71352 71344 14008c0d1 71353 14008d6a8 41 API calls _invalid_parameter_noinfo 71344->71353 71346->71332 71347->71326 71348->71332 71349->71336 71350->71338 71351->71332 71352->71344 71353->71346 71354->71233 71356 14008a05d 71355->71356 71357 140066750 43 API calls 71356->71357 71358 
14008ac92 71357->71358 71359 140063430 43 API calls 71358->71359 71360 14008aca2 71359->71360 71361 14008ad0d 71360->71361 71362 14008acad 71360->71362 71483 140061f10 42 API calls 71361->71483 71478 14002ead0 71362->71478 71364 14008ad19 71365 1400ac0c8 Concurrency::cancel_current_task RaiseException 71364->71365 71367 14008ad29 71365->71367 71484 140061f10 42 API calls 71367->71484 71369 14008ad36 71370 1400ac0c8 Concurrency::cancel_current_task RaiseException 71369->71370 71371 14008ad46 71370->71371 71485 140061f10 42 API calls 71371->71485 71373 14008ad53 71375 1400ac0c8 Concurrency::cancel_current_task RaiseException 71373->71375 71374 14008acc1 71376 1400a9aa0 _Strcoll 3 API calls 71374->71376 71377 14008ad63 71375->71377 71378 1400869c4 71376->71378 71486 140068510 42 API calls 71377->71486 71378->71163 71380 14008ad70 71381 1400ac0c8 Concurrency::cancel_current_task RaiseException 71380->71381 71382 14008ad80 71381->71382 71487 140061f10 42 API calls 71382->71487 71384 14008ad8d 71385 1400ac0c8 Concurrency::cancel_current_task RaiseException 71384->71385 71386 14008ad9d 71385->71386 71488 140061f10 42 API calls 71386->71488 71388 14008adaa 71389 1400ac0c8 Concurrency::cancel_current_task RaiseException 71388->71389 71390 14008adba 71389->71390 71489 140061f10 42 API calls 71390->71489 71392 14008adc7 71393 1400ac0c8 Concurrency::cancel_current_task RaiseException 71392->71393 71394 14008add7 71393->71394 71490 140061f10 42 API calls 71394->71490 71396 14008ade4 71397 1400ac0c8 Concurrency::cancel_current_task RaiseException 71396->71397 71398 14008adf4 71397->71398 71491 140061f10 42 API calls 71398->71491 71400 1400ac0c8 RaiseException Concurrency::cancel_current_task 71402 14008ae01 71400->71402 71401 140061f10 42 API calls 71401->71402 71402->71400 71402->71401 71403->71165 71405 1400667af 71404->71405 71492 140059ab0 10 API calls 2 library calls 71405->71492 71407 1400667c6 71408 14002e800 43 API calls 71407->71408 71410 140066802 _Receive_impl 
71408->71410 71409 1400ab980 __std_exception_copy 42 API calls 71411 1400669b3 71409->71411 71410->71409 71415 140066a43 71410->71415 71412 140066a07 _Receive_impl 71411->71412 71411->71415 71413 1400a9aa0 _Strcoll 3 API calls 71412->71413 71414 140066a2c 71413->71414 71414->71189 71416 140066750 43 API calls 71415->71416 71417 140067722 71416->71417 71418 140063430 43 API calls 71417->71418 71419 140067732 71418->71419 71420 14006779d 71419->71420 71421 14006773d 71419->71421 71493 140061f10 42 API calls 71420->71493 71424 14002ead0 7 API calls 71421->71424 71423 1400677a9 71425 1400ac0c8 Concurrency::cancel_current_task RaiseException 71423->71425 71436 140067751 71424->71436 71426 1400677b9 71425->71426 71494 140061f10 42 API calls 71426->71494 71428 1400677c6 71429 1400ac0c8 Concurrency::cancel_current_task RaiseException 71428->71429 71430 1400677d6 71429->71430 71495 140061f10 42 API calls 71430->71495 71432 1400677e3 71433 1400ac0c8 Concurrency::cancel_current_task RaiseException 71432->71433 71434 1400677f3 71433->71434 71496 140068510 42 API calls 71434->71496 71438 1400a9aa0 _Strcoll 3 API calls 71436->71438 71437 140067800 71439 1400ac0c8 Concurrency::cancel_current_task RaiseException 71437->71439 71440 140067786 71438->71440 71441 140067810 71439->71441 71440->71189 71497 140061f10 42 API calls 71441->71497 71443 14006781d 71444 1400ac0c8 Concurrency::cancel_current_task RaiseException 71443->71444 71445 14006782d 71444->71445 71498 140061f10 42 API calls 71445->71498 71447 14006783a 71448 1400ac0c8 Concurrency::cancel_current_task RaiseException 71447->71448 71449 14006784a 71448->71449 71499 140061f10 42 API calls 71449->71499 71451 140067857 71452 1400ac0c8 Concurrency::cancel_current_task RaiseException 71451->71452 71453 140067867 71452->71453 71500 140061f10 42 API calls 71453->71500 71455 140067874 71456 1400ac0c8 Concurrency::cancel_current_task RaiseException 71455->71456 71457 140067884 71456->71457 71501 140061f10 42 API calls 71457->71501 
71459 140067891 71460 1400ac0c8 Concurrency::cancel_current_task RaiseException 71459->71460 71461 1400678a1 71460->71461 71502 140061f10 42 API calls 71461->71502 71463 1400678ae 71464 1400ac0c8 Concurrency::cancel_current_task RaiseException 71463->71464 71465 1400678be 71464->71465 71503 140061f10 42 API calls 71465->71503 71467 1400678cb 71468 1400ac0c8 Concurrency::cancel_current_task RaiseException 71467->71468 71469 1400678db 71468->71469 71471 140063532 71470->71471 71474 140063486 71470->71474 71472 1400a9aa0 _Strcoll 3 API calls 71471->71472 71473 140063542 71472->71473 71473->71177 71473->71197 71474->71471 71475 140045670 43 API calls 71474->71475 71475->71474 71476->71184 71477->71188 71479 1400aba10 __std_exception_destroy 7 API calls 71478->71479 71480 14002eafe 71479->71480 71481 1400aba10 __std_exception_destroy 7 API calls 71480->71481 71482 14002eb0b 71481->71482 71482->71374 71483->71364 71484->71369 71485->71373 71486->71380 71487->71384 71488->71388 71489->71392 71490->71396 71491->71402 71492->71407 71493->71423 71494->71428 71495->71432 71496->71437 71497->71443 71498->71447 71499->71451 71500->71455 71501->71459 71502->71463 71503->71467 71504->70877 71505->70882 71506->70884 71507->70886 71509 1400414f7 71508->71509 71515 14002b5d0 43 API calls 71509->71515 71514->70901 71516 140044fe9 71518 14004500c 71516->71518 71521 14004504e 71516->71521 71517 1400a9be8 std::_Facet_Register 43 API calls 71525 140045034 ctype _Receive_impl 71517->71525 71519 140045041 71518->71519 71520 14004507d 71518->71520 71518->71521 71518->71525 71519->71521 71522 140045100 71519->71522 71523 1400a9be8 std::_Facet_Register 43 API calls 71520->71523 71521->71517 71526 14002b510 43 API calls 2 library calls 71522->71526 71523->71525 71526->71525 71527 140088226 71528 140088242 71527->71528 71529 140087df0 71528->71529 71530 1400886d0 43 API calls 71528->71530 71530->71529 71531 14004150a 71532 14004151b 71531->71532 71534 140041551 71531->71534 71532->71534 71535 
GetProcessId 72897->72901 72899 1400a9aa0 _Strcoll 3 API calls 72898->72899 72902 140076ce3 72899->72902 72903 1400818d8 RmEndSession 72900->72903 72904 1400a9b04 72901->72904 72944 1400818f0 56 API calls 6 library calls 72902->72944 72903->72898 72904->72892 72905->72900 72905->72903 72906 140081828 RmGetList 72905->72906 72907 1400818cd 72906->72907 72908 140081850 72906->72908 72954 14008cab0 7 API calls 3 library calls 72907->72954 72908->72907 72910 140081855 72908->72910 72910->72896 72911 1400818b8 72910->72911 72953 14008cab0 7 API calls 3 library calls 72911->72953 72913 1400818c0 RmEndSession 72913->72898 72915 140054a9d 72914->72915 72917 140054b83 72914->72917 72955 140055360 72915->72955 73022 14002c9d0 43 API calls 72917->73022 72918 140054ac2 72922 140054af9 72918->72922 73012 140050c10 72918->73012 72919 140054b50 72929 140054960 72919->72929 72921 140054bc5 72923 1400ac0c8 Concurrency::cancel_current_task RaiseException 72921->72923 72922->72919 73023 14002c9d0 43 API calls 72922->73023 72923->72922 72925 140054c1e 72926 1400ac0c8 Concurrency::cancel_current_task RaiseException 72925->72926 72927 140054c32 72926->72927 72930 140054990 72929->72930 72931 140055360 43 API calls 72930->72931 72932 14005499f 72931->72932 72932->72858 72934 14008533d 72933->72934 72936 140085357 72933->72936 72934->72936 72943 140051010 43 API calls 72934->72943 72935 1400853fa 72938 1400414b0 43 API calls 72935->72938 72939 140085405 _Receive_impl 72935->72939 72936->72935 73130 14008af60 72936->73130 72938->72939 72940 1400a9aa0 _Strcoll 3 API calls 72939->72940 72941 1400854c9 72939->72941 72942 14007718d 72940->72942 72942->72850 72948 140051d20 42 API calls 72942->72948 72943->72936 72944->72859 72945->72874 72946->72874 72947->72874 72948->72878 72949->72875 72950->72888 72952->72857 72953->72913 72954->72900 72956 1400553a0 72955->72956 72960 14005537d 72955->72960 72958 1400553ae 72956->72958 72959 140046ce0 43 API calls 72956->72959 72957 14005539a 72957->72918 
72958->72918 72959->72958 72960->72957 73024 14002c9d0 43 API calls 72960->73024 72962 140055403 72963 1400ac0c8 Concurrency::cancel_current_task RaiseException 72962->72963 72964 140055414 _Receive_impl 72963->72964 72965 140055575 72964->72965 73025 140054120 43 API calls 4 library calls 72964->73025 72965->72918 72967 14005575c 73027 140054120 43 API calls 4 library calls 72967->73027 72970 140055729 72970->72967 72972 1400558e2 72970->72972 73026 14004b1d0 43 API calls _Strcoll 72970->73026 72971 14005577f 73028 14004b1d0 43 API calls _Strcoll 72971->73028 72974 14005590d 72972->72974 73032 140053fb0 43 API calls 2 library calls 72972->73032 72985 140055936 _Receive_impl 72974->72985 73033 140053b30 43 API calls 2 library calls 72974->73033 72977 140055a31 _Receive_impl 72987 1400a9aa0 _Strcoll 3 API calls 72977->72987 72978 140055943 72981 14005597b 72978->72981 73034 140053fb0 43 API calls 2 library calls 72978->73034 72979 140055796 72980 1400557cd 72979->72980 72979->72985 72993 1400557f9 72979->72993 73029 140053fb0 43 API calls 2 library calls 72979->73029 72980->72993 73030 140053b30 43 API calls 2 library calls 72980->73030 72981->72985 73035 140053b30 43 API calls 2 library calls 72981->73035 72985->72977 72989 140055a7a 72985->72989 72988 140055a5f 72987->72988 72988->72918 73036 1400579a0 43 API calls std::_Facet_Register 72989->73036 72990 14004b1d0 43 API calls 72990->72993 72992 140053fb0 43 API calls 72992->72993 72993->72978 72993->72985 72993->72990 72993->72992 73031 140053b30 43 API calls 2 library calls 72993->73031 72995 140055aae 73037 140058110 43 API calls 72995->73037 72997 1400571a8 72997->72918 72998 140057044 73039 14004b940 43 API calls 72998->73039 72999 140058110 43 API calls 73002 14005702c 72999->73002 73002->72997 73002->72998 73002->72999 73003 1400a9be8 std::_Facet_Register 43 API calls 73002->73003 73006 1400571ad 73002->73006 73007 140057292 73002->73007 73003->73002 73008 1400571e9 73006->73008 73010 1400a9be8 
std::_Facet_Register 43 API calls 73006->73010 73038 14004b940 43 API calls 73007->73038 73008->72997 73011 1400a9be8 std::_Facet_Register 43 API calls 73008->73011 73010->73008 73011->72997 73013 140050c43 73012->73013 73021 140050c9b 73013->73021 73040 140051b30 73013->73040 73015 1400a9aa0 _Strcoll 3 API calls 73016 140050d09 73015->73016 73016->72922 73017 140050c66 73018 140050c86 73017->73018 73017->73021 73050 14008d1ec 73017->73050 73018->73021 73058 14008c804 73018->73058 73021->73015 73022->72921 73023->72925 73024->72962 73025->72970 73026->72970 73027->72971 73028->72979 73029->72980 73030->72993 73031->72993 73032->72974 73033->72985 73034->72981 73035->72985 73036->72995 73037->73002 73041 140051c02 73040->73041 73042 140051b53 73040->73042 73043 1400a9aa0 _Strcoll 3 API calls 73041->73043 73042->73041 73048 140051b5d 73042->73048 73044 140051c11 73043->73044 73044->73017 73045 140051ba1 73046 1400a9aa0 _Strcoll 3 API calls 73045->73046 73047 140051bbe 73046->73047 73047->73017 73048->73045 73067 14008c760 41 API calls ProcessCodePage 73048->73067 73051 14008d21c 73050->73051 73068 14008cf9c 73051->73068 73053 14008d235 73054 14008d25a 73053->73054 73075 14008b668 41 API calls 3 library calls 73053->73075 73057 14008d26f 73054->73057 73076 14008b668 41 API calls 3 library calls 73054->73076 73057->73018 73059 14008c82d 73058->73059 73060 14008c818 73058->73060 73059->73060 73061 14008c832 73059->73061 73104 140091b6c 6 API calls _get_daylight 73060->73104 73096 14009a618 73061->73096 73064 14008c81d 73105 14008d6a8 41 API calls _invalid_parameter_noinfo 73064->73105 73065 14008c828 73065->73021 73067->73045 73069 14008d006 73068->73069 73070 14008cfc6 73068->73070 73069->73070 73072 14008d00b 73069->73072 73083 14008d5d8 41 API calls 2 library calls 73070->73083 73077 14008d114 73072->73077 73074 14008cfed 73074->73053 73075->73054 73076->73057 73078 14008d153 73077->73078 73082 14008d13e 73077->73082 73084 14008d030 73078->73084 73080 14008d15d 
73080->73082 73088 14008bd30 73080->73088 73082->73074 73083->73074 73085 14008d04a 73084->73085 73087 14008d0b0 73084->73087 73085->73087 73094 14009b3b4 41 API calls 2 library calls 73085->73094 73087->73080 73089 14008bd86 73088->73089 73090 14008bd55 73088->73090 73089->73082 73090->73089 73091 1400952f0 _fread_nolock 41 API calls 73090->73091 73092 14008bd76 73091->73092 73095 140098808 41 API calls 2 library calls 73092->73095 73094->73087 73095->73089 73097 14009a648 73096->73097 73106 14009a12c 73097->73106 73099 14009a661 73100 14009a687 73099->73100 73112 14008b668 41 API calls 3 library calls 73099->73112 73102 14009a69c 73100->73102 73113 14008b668 41 API calls 3 library calls 73100->73113 73102->73065 73104->73064 73105->73065 73107 14009a147 73106->73107 73109 14009a176 73106->73109 73126 14008d5d8 41 API calls 2 library calls 73107->73126 73114 14009a198 73109->73114 73111 14009a167 73111->73099 73112->73100 73113->73102 73115 14009a1dc 73114->73115 73116 14009a1b3 73114->73116 73118 1400952f0 _fread_nolock 41 API calls 73115->73118 73127 14008d5d8 41 API calls 2 library calls 73116->73127 73119 14009a1e1 73118->73119 73120 14009a25c 73119->73120 73121 14009a26c 73119->73121 73123 14009a1d3 73119->73123 73128 14009a43c 42 API calls 2 library calls 73120->73128 73121->73123 73129 14009a2e4 41 API calls _fread_nolock 73121->73129 73123->73111 73124 14009a26a 73124->73123 73126->73111 73127->73123 73128->73124 73129->73123 73141 14008ae90 73130->73141 73132 14008b172 73132->72935 73134 14008b1af 73146 14002b510 43 API calls 2 library calls 73134->73146 73136 14008ae90 43 API calls 73140 14008af9c ctype _Receive_impl 73136->73140 73137 14008b1b5 73138 14008b1a4 73145 14002b5d0 43 API calls 73138->73145 73139 1400a9be8 43 API calls std::_Facet_Register 73139->73140 73140->73132 73140->73134 73140->73136 73140->73138 73140->73139 73142 14008aea6 73141->73142 73143 14008aec3 73141->73143 73142->73143 73144 140051010 43 API calls 73142->73144 73143->73140 
73144->73143 73146->73137 73147->72822 73148 140088114 73149 140087e79 73148->73149 73150 140087e65 73148->73150 73152 1400886d0 43 API calls 73149->73152 73151 140045670 43 API calls 73150->73151 73151->73149 73153 140087df0 73152->73153 73154 1400847f7 73155 140084801 73154->73155 73156 140084cf0 43 API calls 73155->73156 73157 140084810 73156->73157 73158 1400a9aa0 _Strcoll 3 API calls 73157->73158 73159 140084b53 73158->73159

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: Object$DeleteMetricsSystem$CreateSelectStream_$CapsCompatibleCriticalDeviceReleaseSection$BitmapEnterLeaveReadResetSizeStream
                              • String ID:
                              • API String ID: 3214587331-3916222277
                              • Opcode ID: 10613e21fafc8436fd2f5221c2cf0da0956e339bc3aac913c20dfaf3faddebd0
                              • Instruction ID: e3a4c5f85f79ae008f32d04c9c86629b48b84cda880ff6005115b69435b4f830
                              • Opcode Fuzzy Hash: 10613e21fafc8436fd2f5221c2cf0da0956e339bc3aac913c20dfaf3faddebd0
                              • Instruction Fuzzy Hash: 33B10C72218BC086E761DB22F85439EB7A5F799BC0F409615EA8E43B69DF3CC085CB10

                              Control-flow Graph

                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: Close$ErrorFileFindHandleLast$AttributesFirst__std_fs_open_handle
                              • String ID:
                              • API String ID: 2398595512-0
                              • Opcode ID: d85f8055f170a3e42cc2abc3b6e60dcf62aaf909d48f3642368a07fec51f6fb2
                              • Instruction ID: f30b710bc0a933ac4d5384297774a0afb11e9a7f35cb4894955e283119ac2b15
                              • Opcode Fuzzy Hash: d85f8055f170a3e42cc2abc3b6e60dcf62aaf909d48f3642368a07fec51f6fb2
                              • Instruction Fuzzy Hash: 9A915F32700E4146EA768FA7A8147AA27A4EB8D7F4F184725BBBA477F4DB3CC4458701
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: InformationTimeZone
                              • String ID: %d-%m-%Y, %H:%M:%S$[UTC$computer_name$cpu$gpu$ram$system$time$timezone$user_name
                              • API String ID: 565725191-1610854563
                              • Opcode ID: db8b9a328984e2e15845eb184bc761b3fd5f1a319e063fc82474756fa5033a3d
                              • Instruction ID: d8a4adb988cae47952a421a4533d33faa55453df35c4720b85b424b72054d796
                              • Opcode Fuzzy Hash: db8b9a328984e2e15845eb184bc761b3fd5f1a319e063fc82474756fa5033a3d
                              • Instruction Fuzzy Hash: 37237C73614BC485EB22CB66E8403DE77A1F799798F405216FB9D17BA9EB78C290C700
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: Name$DevicesDisplayEnum$ComputerCurrentFileGlobalMemoryModuleProfileStatusUserValuewcsftime
                              • String ID: %d-%m-%Y, %H:%M:%S$computer_name$cpu$gpu$ram$system$time$timezone$user_name
                              • API String ID: 2509368203-1182675529
                              • Opcode ID: 58b1eb6f823cc91818667243d049fc5d6c5a301e581f7608c6d430d17837e0db
                              • Instruction ID: 49d42806534426b2957efd760b35444bd4990644153d0c1b518906e600f5a260
                              • Opcode Fuzzy Hash: 58b1eb6f823cc91818667243d049fc5d6c5a301e581f7608c6d430d17837e0db
                              • Instruction Fuzzy Hash: DEF26E73614BC485DB22CF66E8903DE77A1F799798F409216EB9D17BA9DB38C290C700

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: AddressProc$Library$FreeLoad
                              • String ID: cannot use push_back() with $system$vault
                              • API String ID: 2449869053-1741236777
                              • Opcode ID: cf1552e1b7d9117c1af13d953b0fa66b1776464e6f3090e5b78dac3b4abb2142
                              • Instruction ID: e238341b761cbd504de5d878f5a533d9cd629839bec99a3b7c40a5bfdf261a8f
                              • Opcode Fuzzy Hash: cf1552e1b7d9117c1af13d953b0fa66b1776464e6f3090e5b78dac3b4abb2142
                              • Instruction Fuzzy Hash: 74925E32215BC489DB62CF66E8843DE73A0F749798F504216EB9C5BBA9EF74C694C700

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: Internet$Query$AvailableDataHttpInfoOpen$AcquireCloseConcurrency::cancel_current_taskExclusiveFileHandleLockRead
                              • String ID: 0Q>%&&
                              • API String ID: 3609429561-3488671784
                              • Opcode ID: 57ca7581aa671b4f5e8d6bcb6210d21ab16385bc4098e479ac351e805d702d63
                              • Instruction ID: 545cd8f60b377f538693443bd994a67682f78e99984eccf18132968f8f5fa667
                              • Opcode Fuzzy Hash: 57ca7581aa671b4f5e8d6bcb6210d21ab16385bc4098e479ac351e805d702d63
                              • Instruction Fuzzy Hash: 56024B32A14B9486EB11CB6AE84039E77B5F799B94F104216FF8C57BA9DF78C191CB00

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: Process$Exit$MutexOpenToken$CloseCreateCurrentFileHandleInformationInitializeModuleName
                              • String ID: SeDebugPrivilege$SeImpersonatePrivilege
                              • API String ID: 4279366119-3768118664
                              • Opcode ID: 22102685a5f7e279fe00576c66398d0ccc8d38b604ca0999720ef11f553e0a09
                              • Instruction ID: 0dce43155375b8d528c185d9e4ebfb7a595039168db3da0343ae86ac4b3ee73c
                              • Opcode Fuzzy Hash: 22102685a5f7e279fe00576c66398d0ccc8d38b604ca0999720ef11f553e0a09
                              • Instruction Fuzzy Hash: 02617D32618A8481FB22AB66B4553EEA350FB8D7D0F405215FB8D47AFBDF3CC1458610

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: _get_daylight$_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
                              • String ID: Eastern Standard Time$Eastern Summer Time
                              • API String ID: 355007559-239921721

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: File$PointerReadSize
                              • String ID: exists$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                              • API String ID: 404940565-15404121

                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo
                              • String ID:
                              • API String ID: 3215553584-0

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
                              • String ID: Eastern Standard Time$Eastern Summer Time
                              • API String ID: 3458911817-239921721

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: __std_exception_destroy
                              • String ID: value
                              • API String ID: 2453523683-494360628

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                              • String ID: [PID:
                              • API String ID: 420147892-2210602247
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
                              • String ID:
                              • API String ID: 3038321057-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: recv$Cleanupclosesocket
                              • String ID:
                              • API String ID: 146070474-0
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: Cred$EnumerateFree
                              • String ID: cannot use push_back() with
                              • API String ID: 3403564193-4122110429
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: ExecuteFileModuleNameShell
                              • String ID:
                              • API String ID: 1703432166-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: CryptDataFreeLocalUnprotect
                              • String ID:
                              • API String ID: 1561624719-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: DriveLogicalStrings
                              • String ID:
                              • API String ID: 2022863570-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: NameUser
                              • String ID:
                              • API String ID: 2645101109-0

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: Gdip$Image$CriticalSection$DisposeEncodersLeave$BitmapCreateEnterErrorFromGdiplusInitializeLastSaveScan0SizeStartupStream
                              • String ID: &
                              • API String ID: 1703174404-3042966939

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: Info$CleanupFolderFreeKnownPathStartupTaskUserclosesocketconnecthtonsinet_ptonsocket
                              • String ID: geo$system
                              • API String ID: 469733038-2364779556

                              Control-flow Graph

                              control_flow_graph (rendered graph not preserved): entry block 1400bc218-1400bc28b; named API calls in the graph: CreateFileW, GetFileType
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type_get_daylight
                              • String ID:
                              • API String ID: 1330151763-0
                              • Opcode ID: 6834bf7e2c5a4e43a5153222154aa821744e12b776a4e5df19d1db0543b86cff
                              • Instruction ID: 2400ce5abb7f630c19717e6ed24876b630cbd6c53283576e13b355a578458c61
                              • Opcode Fuzzy Hash: 6834bf7e2c5a4e43a5153222154aa821744e12b776a4e5df19d1db0543b86cff
                              • Instruction Fuzzy Hash: 29C17B36720E4486EB11CFAAD4917ED3771E78DBE8F014219EB2A9B7A4DB34C556C340

                              Control-flow Graph

                              control_flow_graph (rendered graph not preserved): entry block 1400816e0-14008172d; named API calls in the graph: GetCurrentProcess, GetProcessId, RmStartSession, RmRegisterResources, RmGetList, RmEndSession
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: Session$ListProcess$AcquireCurrentExclusiveLockRegisterResourcesStart
                              • String ID:
                              • API String ID: 779856957-0
                              • Opcode ID: 8bb7912290508ce8e88e3aaa07301283af1f89745b5405751b14ca5c1f9e5710
                              • Instruction ID: 53b25bd5857afa0adccecd5323b097c20916bf7b3c0f165211610be25f83b61c
                              • Opcode Fuzzy Hash: 8bb7912290508ce8e88e3aaa07301283af1f89745b5405751b14ca5c1f9e5710
                              • Instruction Fuzzy Hash: 1251EA32B04A408AF715DFA6E4547ED73B5FB8C794F804529EB0A63BA8DE34C946CB50
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: CriticalSection$EnterLeave$DeleteGdiplusObjectShutdown
                              • String ID:
                              • API String ID: 4268643673-0
                              • Opcode ID: d30fa97d25b30040903c896763b34352f449627e961995d8f8dec80d22df3c23
                              • Instruction ID: 8a8879636937726213d256da63e2acee3874314be20df8b71bbfc014c3c2afad
                              • Opcode Fuzzy Hash: d30fa97d25b30040903c896763b34352f449627e961995d8f8dec80d22df3c23
                              • Instruction Fuzzy Hash: 4911F532112B5081EB559F26F89439D73A4FB48FA8F684215EB6E076B4DF38C9A7C350
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                              • String ID:
                              • API String ID: 215268677-0
                              • Opcode ID: ef49ddb1ddd7164590c42208bf10f4cc77ba0bfa614ad2019f69ccc4385f50ed
                              • Instruction ID: 18b2a2583657b35ee9209c3dde09c8a115d2f9d62867d95ebc4690e525d54a35
                              • Opcode Fuzzy Hash: ef49ddb1ddd7164590c42208bf10f4cc77ba0bfa614ad2019f69ccc4385f50ed
                              • Instruction Fuzzy Hash: B611E932219B8086E7519F16F84078AB7A0FB89BC0F949126FB9D57B68CF3CC456CB40
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: Value
                              • String ID: ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                              • API String ID: 3702945584-1787575317
                              • Opcode ID: 576cd30aba55f3842207aa2485d313445215fb856a716db7fe162e5e19891f38
                              • Instruction ID: a4b0ef12f94d62d88fbacb8910d1321fab3fd413e5af6e1630ae25f216ec36bd
                              • Opcode Fuzzy Hash: 576cd30aba55f3842207aa2485d313445215fb856a716db7fe162e5e19891f38
                              • Instruction Fuzzy Hash: 8D112132618B8086EB218F22F44139AB3A4F79DB94F504215EB9847B69DFBCC195CB40
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: Cleanupclosesocketrecv
                              • String ID:
                              • API String ID: 3447645871-0
                              • Opcode ID: c5f29a6f82e4cda5efd12a128531453d2ae7e63ca47262aae0ccc1e1a6d6ada8
                              • Instruction ID: eab709b2a91d71219dc338bdc8a0427637c2479730885535d0f181a11fd59591
                              • Opcode Fuzzy Hash: c5f29a6f82e4cda5efd12a128531453d2ae7e63ca47262aae0ccc1e1a6d6ada8
                              • Instruction Fuzzy Hash: 4D917CB3A14BC481EA228B66E4447DE6761E7997E0F504316EBAD17AEADF7CC480C700
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: CloseEnumOpen
                              • String ID:
                              • API String ID: 1332880857-0
                              • Opcode ID: 24e3e45b33dee53dd91fe293e1ba6f2dd892832e98d2f12ab480f34579417cf4
                              • Instruction ID: 00c63e96622fe58056b134ab382f664d7db465f44603d43fd8bfb30478044826
                              • Opcode Fuzzy Hash: 24e3e45b33dee53dd91fe293e1ba6f2dd892832e98d2f12ab480f34579417cf4
                              • Instruction Fuzzy Hash: D5717E72A04B8485EB21CB6AE44439EB761F7997E8F104316FBA917AE9DB78C1C1C700
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: EnumOpen
                              • String ID:
                              • API String ID: 3231578192-0
                              • Opcode ID: dc2a33b660cd6048a5e7e075a00a4d1af131d9557838307254cbb15d219bc776
                              • Instruction ID: d99dd46795cba76a18b6d2adc5ebc249d08e68adb2bc3dba870c2fbf3ce0d704
                              • Opcode Fuzzy Hash: dc2a33b660cd6048a5e7e075a00a4d1af131d9557838307254cbb15d219bc776
                              • Instruction Fuzzy Hash: 2331AD32611B8486E722CFA2E850B9E7764F7887D8F600216EF9917BA4DF38C592C700
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: CloseOpenQueryValue
                              • String ID:
                              • API String ID: 3677997916-0
                              • Opcode ID: 086936de3dea8a6f787c3973e262829973f2fb37e82d8b4b8157a7a5627c85f4
                              • Instruction ID: c3e250c8b4c2848e291f8a15b8f2a07f81789114fb1aa71ab368e6c187887dba
                              • Opcode Fuzzy Hash: 086936de3dea8a6f787c3973e262829973f2fb37e82d8b4b8157a7a5627c85f4
                              • Instruction Fuzzy Hash: 23218172715B8491EA62CB26E4503AEA760FBDD7D4F505212FB8D43AB9EE3CD184CB40
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: Info$User
                              • String ID:
                              • API String ID: 2017065092-0
                              • Opcode ID: dabddd6c895e2f52a57a7818505f9d76ff45043fc459ccda3d8ac0e690d592da
                              • Instruction ID: 90fee48f990a536c98e20aba751c2c9c04ba674589e67a0b677829bb88304ab3
                              • Opcode Fuzzy Hash: dabddd6c895e2f52a57a7818505f9d76ff45043fc459ccda3d8ac0e690d592da
                              • Instruction Fuzzy Hash: A211C17261478183E7118F62F42475EB7A1FB84FC8F045225EB8903B69DF7CD4908B84
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: Concurrency::cancel_current_task
                              • String ID:
                              • API String ID: 118556049-3916222277
                              • Opcode ID: d1a363919dd19d68adbaa1824478dd39cb0e0911c99aa75ce560a6b8aa69075f
                              • Instruction ID: a981a205836d7b9725245c82c35ce7c20dd13c8e2bec3eb01c485d5cb054b2d7
                              • Opcode Fuzzy Hash: d1a363919dd19d68adbaa1824478dd39cb0e0911c99aa75ce560a6b8aa69075f
                              • Instruction Fuzzy Hash: 52513472304B4496EB168F2AD5943AE37A0F748BD4F984622EF5E47BA0CF78D5A1D300
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: Concurrency::cancel_current_task
                              • String ID: cannot use operator[] with a numeric argument with
                              • API String ID: 118556049-485864652
                              • Opcode ID: 79804f4a44a177bf13a4b8f88762019dc26778b0f8d53fd89d330793441b4ef7
                              • Instruction ID: 5ed39cd970f3da3471a7114cda8519d5d7bf48897c2ee1ddb565b91127a7abb1
                              • Opcode Fuzzy Hash: 79804f4a44a177bf13a4b8f88762019dc26778b0f8d53fd89d330793441b4ef7
                              • Instruction Fuzzy Hash: C731D272319B8085EE12AB27B5443DC6396E708BE5F590635FF6D0BBE6DA38C481C304
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: CurrentProfile
                              • String ID: Unknown
                              • API String ID: 2104809126-1654365787
                              • Opcode ID: 84af72ff015fe5e630872b959f4c077e317d5b2c424c6600391211d0d1ad29ad
                              • Instruction ID: 2df4d503fb94b901bbb3591b6d9df59f6543af604a458be958b3d62f3549f16d
                              • Opcode Fuzzy Hash: 84af72ff015fe5e630872b959f4c077e317d5b2c424c6600391211d0d1ad29ad
                              • Instruction Fuzzy Hash: 01319E33628BC086E7528F22E5403DAA760F7DDB84F546215FBC917A6ADB7CC695CB00
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: FolderFreeKnownPathTask
                              • String ID:
                              • API String ID: 969438705-0
                              • Opcode ID: 796d1de632755f28a7586c5e198064a8ea904def8bbd7f9ebb2a2b0b110e21d4
                              • Instruction ID: 08cddd457017ed9c72ba9d518141911ad73ee79bdddd2d4fd5b26cada53b40a9
                              • Opcode Fuzzy Hash: 796d1de632755f28a7586c5e198064a8ea904def8bbd7f9ebb2a2b0b110e21d4
                              • Instruction Fuzzy Hash: 73319372A14B8081E6218F26E48039EB360F79D7F4F505316FBAD43AA9DB7CC1818B40
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo
                              • String ID:
                              • API String ID: 3215553584-0
                              • Opcode ID: 75dacb89e764ecf40af59fcee7c22e2fbf6e8ba84ae5c27b2747cb5a966399e9
                              • Instruction ID: 8be8243372e4bb7338c400875aec30a5fe64968161bb492a5739d17ce4fc8c58
                              • Opcode Fuzzy Hash: 75dacb89e764ecf40af59fcee7c22e2fbf6e8ba84ae5c27b2747cb5a966399e9
                              • Instruction Fuzzy Hash: 40217C3362064481EE56EB16E895BE93361F79ABD4F944216FB1A473F2EA39C259C300
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: CloseOpen
                              • String ID:
                              • API String ID: 47109696-0
                              • Opcode ID: 7ec879cfecc611e1203277112fd56f06e17ca4e10c092f3590478b68c26c49ef
                              • Instruction ID: ec14ba0587e031e24ade476592ff76ecaadcb2d768a7e792e5b1a87d2e94dd26
                              • Opcode Fuzzy Hash: 7ec879cfecc611e1203277112fd56f06e17ca4e10c092f3590478b68c26c49ef
                              • Instruction Fuzzy Hash: 35219F72711A8046FA51AB23E8503DAA360EB9DBD4F585121FB4D43BA9DE7CC481C780
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: CloseCreateCredEnumerateFirstHandleMutexProcess32ReleaseSnapshotToolhelp32recv
                              • String ID:
                              • API String ID: 420082584-0
                              • Opcode ID: 1e475a0fd37e72c571760871dcb9f9096f5c0b73a05df945e32f443ddcc6d7f4
                              • Instruction ID: 7b9fc5bf202d6c660958987423c1e07503b58d6b0919fc9b46d6a515e610c1ca
                              • Opcode Fuzzy Hash: 1e475a0fd37e72c571760871dcb9f9096f5c0b73a05df945e32f443ddcc6d7f4
                              • Instruction Fuzzy Hash: 96215871A5468081FB23BBB7A4163EE6351AF8E7D0F445612FB99476F7DF3C80818622
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: CloseHandleMutexReleaserecv
                              • String ID:
                              • API String ID: 2659716615-0
                              • Opcode ID: 688f010fb93d99a7170d6fa059f594efe689c9c1b67f65fa2a329f1f928e5df2
                              • Instruction ID: 6f94cae61cdad2189cef370b3ba5221df8fa11a5c37ea0c6658456750868d446
                              • Opcode Fuzzy Hash: 688f010fb93d99a7170d6fa059f594efe689c9c1b67f65fa2a329f1f928e5df2
                              • Instruction Fuzzy Hash: 14111871A1468181FB637B77A4063EE5250AB8E7D0F445611FB99476F7DF3CC1818611
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: ErrorFileLastPointer
                              • String ID:
                              • API String ID: 2976181284-0
                              • Opcode ID: 74fd80307102959cdb4bb45340283f0b27aee8fd65d2f6709d6669cbca38fe3f
                              • Instruction ID: e816577ed0fe5e9188ac3a7553593d5145fada9baf7cdf4296f147d26e6d8956
                              • Opcode Fuzzy Hash: 74fd80307102959cdb4bb45340283f0b27aee8fd65d2f6709d6669cbca38fe3f
                              • Instruction Fuzzy Hash: EE119E72314B8081EA518B26AA4439EA761E789FF4F544315FFB94B7F9CF78C0558740
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: CloseHandleMutexRelease
                              • String ID:
                              • API String ID: 4207627910-0
                              • Opcode ID: 96d4f6a17b3e9df86ae38d560ee459ed41c223e123a4abdd348c551b97df98bf
                              • Instruction ID: 4df68b0ff96a1f532fb189d16ae1a04ce7a62c23901e90ecebd86e927d313f56
                              • Opcode Fuzzy Hash: 96d4f6a17b3e9df86ae38d560ee459ed41c223e123a4abdd348c551b97df98bf
                              • Instruction Fuzzy Hash: 6F017172B0068182FB62AB76B4053DD5250AB9D7E0F485311FBAD476F6DF3CC181C610
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
                              • String ID:
                              • API String ID: 1173176844-0
                              • Opcode ID: 6ffe177f5157f79d277372c6ea1b39799971d2e5a1b5546f7eb344a9914ef09c
                              • Instruction ID: 04523a235a29f71bc6c7b1a626fb6df20e7af0258fe547a34f32961bfb1e0df3
                              • Opcode Fuzzy Hash: 6ffe177f5157f79d277372c6ea1b39799971d2e5a1b5546f7eb344a9914ef09c
                              • Instruction Fuzzy Hash: 14E0177072150945FE2B22F318163E400801F6D3F0E2C1B207B750B2F3BE3488D58A20
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: ErrorFreeHeapLast
                              • String ID:
                              • API String ID: 485612231-0
                              • Opcode ID: 1eb1d4d919d340514f52b5ee7c14653ab2b68de4ee8aa6cf9f2209b3c6d7e0a2
                              • Instruction ID: b52fa26c04212aab859c5ae896bd543063644a9c8dd7e940ebd072c94055b3ed
                              • Opcode Fuzzy Hash: 1eb1d4d919d340514f52b5ee7c14653ab2b68de4ee8aa6cf9f2209b3c6d7e0a2
                              • Instruction Fuzzy Hash: D8E02BB4B0220142FF1B63F3A8983FD12815F9C7C0F040420BF0983372EE3888814714
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: Concurrency::cancel_current_task
                              • String ID:
                              • API String ID: 118556049-0
                              • Opcode ID: 87a6127ac30b23622a38d36947904b79f4457d1bf17aa16409fec1a630396561
                              • Instruction ID: da5433d3288cf5a0a526c1d61247c75615e0e3a88a26d8c87c4e36aa5818ab75
                              • Opcode Fuzzy Hash: 87a6127ac30b23622a38d36947904b79f4457d1bf17aa16409fec1a630396561
                              • Instruction Fuzzy Hash: 23619A73301A9084EA269F1BD1583AE27A1F749FD8F548611EF6D0B7E5DE39CA86D300
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: __std_fs_directory_iterator_open
                              • String ID:
                              • API String ID: 4007087469-0
                              • Opcode ID: 10bc6e45562824c9429aa28f6b79c5e810a7c3ec3dde2378f92710a177f4f17f
                              • Instruction ID: 51c17bda5550c200c6a7833989ba10c1f01f7f1d71f016f092b22249ce240b3a
                              • Opcode Fuzzy Hash: 10bc6e45562824c9429aa28f6b79c5e810a7c3ec3dde2378f92710a177f4f17f
                              • Instruction Fuzzy Hash: 0A618072B50B8085EB12DBAAD4903DD23A1E74D7E8F40462AFF1957AE9DA74C9928340
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: Concurrency::cancel_current_task
                              • String ID:
                              • API String ID: 118556049-0
                              • Opcode ID: 816848171f501418f89c1fc00c7346ea8877edef7841e76b7dc2ad7f2b5f6794
                              • Instruction ID: 88a164151cc8353faf59e75a2abb20e029c8a58e390f0121c60b982c8f58206e
                              • Opcode Fuzzy Hash: 816848171f501418f89c1fc00c7346ea8877edef7841e76b7dc2ad7f2b5f6794
                              • Instruction Fuzzy Hash: 5041BE72315B8481EA12AF53A5443DD6366F70DBE5F580626EFAD0B7A6DF38C8518304
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: InformationVolume
                              • String ID:
                              • API String ID: 2039140958-0
                              • Opcode ID: 77f326bdaa11ce90973b30f54824d582fe677ebfc98509bce289812a65ce22c5
                              • Instruction ID: 8539878be2e9e902c4f952c8f8a1d6be5ec9f83221bb27399ebc538b0e08667e
                              • Opcode Fuzzy Hash: 77f326bdaa11ce90973b30f54824d582fe677ebfc98509bce289812a65ce22c5
                              • Instruction Fuzzy Hash: FE519C32A14B808AE712CF69E8403DD73B0F799798F504216EB8C57AA9DF78C685CB40
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo
                              • String ID:
                              • API String ID: 3215553584-0
                              • Opcode ID: ce2a7ca0ea6091a407cf5a5e2992a57a6957e6733fb416fb02be9d1375c25114
                              • Instruction ID: e8858ff0fec7026d46d52c93e3e982fb4afd14998ecd62c25ef9218b9df49fb2
                              • Opcode Fuzzy Hash: ce2a7ca0ea6091a407cf5a5e2992a57a6957e6733fb416fb02be9d1375c25114
                              • Instruction Fuzzy Hash: 5141B83220060497EA769F6FE5803EA77A0E79ABD0F140205FB9A877F1CB38D442C750
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 90cf54d8b55000f68581a76b622efabc5ffabb5784a99202e54d6246ecb7575a
                              • Instruction ID: b9f7c3d18e9fc718e9f68750a2dc55bbda92819f1f2dc940bfb1a0fb0abbe0fe
                              • Opcode Fuzzy Hash: 90cf54d8b55000f68581a76b622efabc5ffabb5784a99202e54d6246ecb7575a
                              • Instruction Fuzzy Hash: CF31BE72315B4095EE26AB53E5003EDA362E74CBD1F594632FB5D0BBE6EA38C091C348
                              APIs
                              • Concurrency::cancel_current_task.LIBCPMT ref: 000000014003FDD8
                                • Part of subcall function 000000014002B510: __std_exception_copy.LIBVCRUNTIME ref: 000000014002B558
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: Concurrency::cancel_current_task__std_exception_copy
                              • String ID:
                              • API String ID: 317858897-0
                              • Opcode ID: d94b9a2a69c268f486b851b87e23473635957be695ff32d0151c61d1f870f8fb
                              • Instruction ID: 97e6037b4797a068ef0178edcbe608246ecf14e62a64900bd4ebe1e7e1eb7f9f
                              • Opcode Fuzzy Hash: d94b9a2a69c268f486b851b87e23473635957be695ff32d0151c61d1f870f8fb
                              • Instruction Fuzzy Hash: 2321D232711B4441EE1BAB56A5043FA2391EB58BE4F244721EB7C07BE2EB78C9D29300
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: Concurrency::cancel_current_task
                              • String ID:
                              • API String ID: 118556049-0
                              • Opcode ID: 883f8dee6345f69cb4eab342b59d200f8ef62e680ec799e50a26f5bae46e1fb2
                              • Instruction ID: f990d13ba9b1995e0da5ed5b952a9ab2d7d17d4032307640e9227b63b4a75bcd
                              • Opcode Fuzzy Hash: 883f8dee6345f69cb4eab342b59d200f8ef62e680ec799e50a26f5bae46e1fb2
                              • Instruction Fuzzy Hash: BA31B132304A8485EA26AB63D8403ED6360E74CFE8F194631FF6D077E6DA78C4908348
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: Concurrency::cancel_current_task
                              • String ID:
                              • API String ID: 118556049-0
                              • Opcode ID: fc2b4e946975b34f834657763f6c9dc4389becda8e7e609fdc2d25f4694a940e
                              • Instruction ID: 9f065de02e8699617f9461a8276c790da32c661bada7c21a81a4ca73b2b8ce05
                              • Opcode Fuzzy Hash: fc2b4e946975b34f834657763f6c9dc4389becda8e7e609fdc2d25f4694a940e
                              • Instruction Fuzzy Hash: 1321E072311E6484FE16EB56D1543ED2281A788FD4F850621BB1E0BBE6EE38C4918348
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo
                              • String ID:
                              • API String ID: 3215553584-0
                              • Opcode ID: c89b410e1389cb82359957a1d11d0eb726d726846ac3ab4cc0b188c027a385d4
                              • Instruction ID: 8c05ef98f207ced81cdebc3070fd8dbcc834d1fcd774f14c22416a124c273843
                              • Opcode Fuzzy Hash: c89b410e1389cb82359957a1d11d0eb726d726846ac3ab4cc0b188c027a385d4
                              • Instruction Fuzzy Hash: E3318DB221060086E753AF57C8413ED7A61A79DFE5F924209FB290B3F2DB78C485C765
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo
                              • String ID:
                              • API String ID: 3215553584-0
                              • Opcode ID: f7592383a6c98d4fba61f7e3dde42e88bd2e4ab2cac1154d67cb9460cc1e3cec
                              • Instruction ID: fc355d5895d30ffd1540380ba59b71e238b03132919f1238a9496d9e0c5d9a9e
                              • Opcode Fuzzy Hash: f7592383a6c98d4fba61f7e3dde42e88bd2e4ab2cac1154d67cb9460cc1e3cec
                              • Instruction Fuzzy Hash: B1118132214A4081EA62AF9394113EEA3B1BB9DBC0F544021FF8897BA7EB7DC5414B44
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo
                              • String ID:
                              • API String ID: 3215553584-0
                              • Opcode ID: 0aa9ebfc6785f24b4eccfcde9967f66bba0269257cf9e3546546d224156ecbb2
                              • Instruction ID: 13e69ae66ec78af3e9e7ce95c97f7042131b8b179f5c5ad25fbf63c8b5fe202d
                              • Opcode Fuzzy Hash: 0aa9ebfc6785f24b4eccfcde9967f66bba0269257cf9e3546546d224156ecbb2
                              • Instruction Fuzzy Hash: 1E219332614A4087DB629F5AE4807A977B0F788BD4F644324FB5A876F9DB79C940CB00
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: send
                              • String ID:
                              • API String ID: 2809346765-0
                              • Opcode ID: 6b025b54e0dcc84b3c2947f32e0b7f6b98a3280ab38bb9e29cf354069e188991
                              • Instruction ID: 72c448f64851b44ef0d47f291fbcb967c8de0864198b92fcea4cfbeab45c03dd
                              • Opcode Fuzzy Hash: 6b025b54e0dcc84b3c2947f32e0b7f6b98a3280ab38bb9e29cf354069e188991
                              • Instruction Fuzzy Hash: 97016D32715A8481EB618F1BB94075AA7A0F78CFD4F585135EF9D43B58EA38C8518740
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: FileFindNext
                              • String ID:
                              • API String ID: 2029273394-0
                              • Opcode ID: 19dd94a82b446fece43c3ec0608a8bfd2a43b21f44985dc4239452c70dc369fc
                              • Instruction ID: 46c86765a48e0a4325b0ce012d2570db63820add8cc189426e9b10953f9b7d6b
                              • Opcode Fuzzy Hash: 19dd94a82b446fece43c3ec0608a8bfd2a43b21f44985dc4239452c70dc369fc
                              • Instruction Fuzzy Hash: DB01FF36208A8085EA72DB56F85439B7364F78CBD5F904122DF8D53B69DE39C886CB00
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo
                              • String ID:
                              • API String ID: 3215553584-0
                              • Opcode ID: 986c70b0d44c87641fd7a2bafc8596790e971a1da67f8b9ca5557413f7120d21
                              • Instruction ID: 850c00b336af4423b93af6fe604bf7543ad1d172a4ae1adb93c9bb4fdbaa00ec
                              • Opcode Fuzzy Hash: 986c70b0d44c87641fd7a2bafc8596790e971a1da67f8b9ca5557413f7120d21
                              • Instruction Fuzzy Hash: D2E0D83262564585EF266B7AE1817ED7260BB4C7F0F148322B734036E6DF3485644611
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: FileFindNext
                              • String ID:
                              • API String ID: 2029273394-0
                              • Opcode ID: d1b5a534f5617b5a49bb6d6dbcc2222ff873ccf4461679138d58d7c7394b5d66
                              • Instruction ID: e5404252072970a5b390b8aee8604883d80fba1bc8fa2517f273712a18d22060
                              • Opcode Fuzzy Hash: d1b5a534f5617b5a49bb6d6dbcc2222ff873ccf4461679138d58d7c7394b5d66
                              • Instruction Fuzzy Hash: 9EC09B39F55902C1F65B1B736C4238F11E07B5D780F804021D30883170DD3C81D74721
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: InfoNativeSystem
                              • String ID:
                              • API String ID: 1721193555-0
                              • Opcode ID: ebdd672c62679ada28959d0ce90671b441c0e42cbdf7fd0cd8041d2b6a409d03
                              • Instruction ID: c1f8abdfa3c11aa9de56e1ee108be8b74f057e80f86e55c58f9080c7b4b0d2de
                              • Opcode Fuzzy Hash: ebdd672c62679ada28959d0ce90671b441c0e42cbdf7fd0cd8041d2b6a409d03
                              • Instruction Fuzzy Hash: 4EB09276A148C0C3C652EB08F84274A7331FB98B08FD00014E38D43624CE2DCA2A8E10
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: AllocHeap
                              • String ID:
                              • API String ID: 4292702814-0
                              • Opcode ID: 5961d92c925a179c987542017da37781590624abdb876bc94f4a0419ded4e0ce
                              • Instruction ID: 37cde42a088fce9459df54da6579d377b91e6ac98e04b7dd035e57d67dfb2eda
                              • Opcode Fuzzy Hash: 5961d92c925a179c987542017da37781590624abdb876bc94f4a0419ded4e0ce
                              • Instruction Fuzzy Hash: 42F05E7831220491FF575BABA8653E922856F9DBC0F4C8534BF0A877F1EE3CC9858224
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: AllocHeap
                              • String ID:
                              • API String ID: 4292702814-0
                              • Opcode ID: 2a123d78f4d769f4acf099b182ff40896aa8a4043ec30c81b9c6a49c6a9f5ef5
                              • Instruction ID: d17b2792fcd96ab1b0cd15c98c0f9a64d373f884e408e1771f1ce4653c2ec12c
                              • Opcode Fuzzy Hash: 2a123d78f4d769f4acf099b182ff40896aa8a4043ec30c81b9c6a49c6a9f5ef5
                              • Instruction Fuzzy Hash: 9AF01C3470160045FE5766B36A917F921809BDCBF1F494724BF3A872E1DA3CD4828610
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              • Associated: 00000001.00000002.1898459464.00007FF7B8800000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898606710.00007FF7B890D000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898606710.00007FF7B890F000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898697621.00007FF7B8911000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898825458.00007FF7B8AA0000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898853129.00007FF7B8AA4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: AddressProc$wcslen$CurrentPathProcessTempstrlen$LibraryLoadProtectVirtualmemcpy
                              • String ID: &*$4.&.Z{,-$:a.dll$B$LdrLoadDll$Z{,-$a.dll$basic_string: construction from null is not valid$basic_string::append$zSJlTWS\Execute
                              • API String ID: 61348399-2817582949
                              • Opcode ID: 1f8476c20039152cfcb428ce8fdaaa8aabe79512acdc6fe7479142b629008e3b
                              • Instruction ID: 4918ad2fc6817e1bd663775ab98959120967658cd985375c3d3901559d9192f4
                              • Opcode Fuzzy Hash: 1f8476c20039152cfcb428ce8fdaaa8aabe79512acdc6fe7479142b629008e3b
                              • Instruction Fuzzy Hash: A8F1C422619B8682DB24EB19E4403AAF7A1FB96B84FC04131DB9E47B9CDF3CD516C714
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: String$Free$Byte$AllocInitialize$BlanketCreateInstanceProxySecurity
                              • String ID: @
                              • API String ID: 2330523681-2766056989
                              • Opcode ID: 7808df39fc3d1c8c3175c2955d2fb316d1299e2b7191dba5c9e33a0725925d41
                              • Instruction ID: 13c4367a43189977c099a5a69ece56d153c1723905f586f1ec0b8e4762b49491
                              • Opcode Fuzzy Hash: 7808df39fc3d1c8c3175c2955d2fb316d1299e2b7191dba5c9e33a0725925d41
                              • Instruction Fuzzy Hash: 5CE19C32B14B808AF7128B7AE8143ED7362F78DBD8F105616EF5D57AA9DB38C1858344
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: Handle$Query$CloseInformationObjectProcessSystem$AcquireAddressCurrentDuplicateExclusiveFinalLockModuleNameOpenPathProc
                              • String ID: File$NtDuplicateObject$ntdll.dll
                              • API String ID: 2703470732-3955674919
                              • Opcode ID: c487b364e592e22f7ba79ca0058f4a32d8116046041e81eae2fb9bfd7e46abbb
                              • Instruction ID: 43999390ae97c19b914307d4292018259307d826750de190b016f2481e9a1557
                              • Opcode Fuzzy Hash: c487b364e592e22f7ba79ca0058f4a32d8116046041e81eae2fb9bfd7e46abbb
                              • Instruction Fuzzy Hash: 5CE17F72710A809AFB11DBA6D4543ED23A1FB89BD8F408625EF5D27BA9DB38C645C340
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: AcquireExclusiveExecuteLockShell
                              • String ID: .exe$.exe$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+=-&^%$#@!(){}[},.;'$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$open$runas
                              • API String ID: 1402300192-2441601502
                              • Opcode ID: f0a6509ef0d1282a0180f37e88137c2549b25b58900e8fab1cdb085e038de08d
                              • Instruction ID: 642fec826a1e3fd6779540e5d4449cad4a9ba132e9692004461db3030459b409
                              • Opcode Fuzzy Hash: f0a6509ef0d1282a0180f37e88137c2549b25b58900e8fab1cdb085e038de08d
                              • Instruction Fuzzy Hash: 7B229C72610B8089EB01DF6AE8843DD77A1F7887A8F505226FB9D07AB9DF78C585C740
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              • Associated: 00000001.00000002.1898459464.00007FF7B8800000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898606710.00007FF7B890D000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898606710.00007FF7B890F000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898697621.00007FF7B8911000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898825458.00007FF7B8AA0000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898853129.00007FF7B8AA4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: memset
                              • String ID: $P$P
                              • API String ID: 2221118986-3733749394
                              • Opcode ID: 6c4975efa101d25bce8fb2713dfa8b24bac3f22bc36ad2dce6f035114948cbbe
                              • Instruction ID: 3bd357a90efdfc30838ec67fa8bb92fd3805cbe79c008201424f2698b6ed4190
                              • Opcode Fuzzy Hash: 6c4975efa101d25bce8fb2713dfa8b24bac3f22bc36ad2dce6f035114948cbbe
                              • Instruction Fuzzy Hash: E612823292C28287E760BF29D0407BEF791FBAA744F804135DB4947689DF7CE4568B64
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              • Associated: 00000001.00000002.1898459464.00007FF7B8800000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898606710.00007FF7B890D000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898606710.00007FF7B890F000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898697621.00007FF7B8911000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898825458.00007FF7B8AA0000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898853129.00007FF7B8AA4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: CloseFileHandle$CreateWritemallocmemcpywcslen
                              • String ID: basic_string::append
                              • API String ID: 3391094610-3811946249
                              • Opcode ID: 3bb7ded17062e4b397386a719e14fc132e9bd4a9d4ca7b8669ef49969fe5b065
                              • Instruction ID: ed15dc85ef61005fa8c36509a08e99bc5039d94839edadc931c99375928ea12b
                              • Opcode Fuzzy Hash: 3bb7ded17062e4b397386a719e14fc132e9bd4a9d4ca7b8669ef49969fe5b065
                              • Instruction Fuzzy Hash: 9F02967261DB8582EA24EB19E40076EE3A1FB96B90F808231DBAD4779CDF3CD455C718
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: ErrorLastNameTranslate$CodePageValidValue
                              • String ID: utf8
                              • API String ID: 1791977518-905460609
                              • Opcode ID: 5d2d2426c5a5194a24175210fd8136765016d2f1f96d66db4b316bbcbea0d38c
                              • Instruction ID: 5cfce204ad3e52d521be1c37c867fcafba9ba4ef485f8ee24296846217238e8d
                              • Opcode Fuzzy Hash: 5d2d2426c5a5194a24175210fd8136765016d2f1f96d66db4b316bbcbea0d38c
                              • Instruction Fuzzy Hash: 01918C3260078087EB669F23E4417ED63A5E7ACBC0F448221FB59477E6DB39C992CB01
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: Value$Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
                              • String ID:
                              • API String ID: 2591520935-0
                              • Opcode ID: dc923a5d096c57da2041771729e7932b82461942625d63c848e344da9d183a2f
                              • Instruction ID: 16d93509c95003d09cb5a81faf5c145d79ac997122476c855c64cffa21997edd
                              • Opcode Fuzzy Hash: dc923a5d096c57da2041771729e7932b82461942625d63c848e344da9d183a2f
                              • Instruction Fuzzy Hash: 1B719D3A7007408AFB129F62E4517EE33A4BB9CBC4F444225EF5953AA5EB38C495CB50
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: __std_exception_destroy
                              • String ID: value
                              • API String ID: 2453523683-494360628
                              • Opcode ID: dd493a39fd7b242ac56ddcbf670e614fae96cd8153661b5f92dd6fe83371a34b
                              • Instruction ID: a0ee57199ec3ce90a2ea8f43caeda29c8c906ea7494d2c7ab5bc718b9e9dd556
                              • Opcode Fuzzy Hash: dd493a39fd7b242ac56ddcbf670e614fae96cd8153661b5f92dd6fe83371a34b
                              • Instruction Fuzzy Hash: DF028D32624BC085EB12CB76D8403ED6761E7997E4F605712FB9E17AEADB78C185C700
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              • Associated: 00000001.00000002.1898459464.00007FF7B8800000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898606710.00007FF7B890D000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898606710.00007FF7B890F000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898697621.00007FF7B8911000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898825458.00007FF7B8AA0000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898853129.00007FF7B8AA4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: malloc$ExceptionFilterUnhandled_inittermmemcpystrlen
                              • String ID:
                              • API String ID: 1260285541-0
                              • Opcode ID: 4903dc9185d39246619b425608e0136eb5eeb636e7dc1dfbaabc0c8552b91fbc
                              • Instruction ID: e846075dad57280cc034e7ed8b49260059151323c7c9adb4665fc3c62d1620d7
                              • Opcode Fuzzy Hash: 4903dc9185d39246619b425608e0136eb5eeb636e7dc1dfbaabc0c8552b91fbc
                              • Instruction Fuzzy Hash: 92517D39A2E64686FA11BF5DE841779E3D1AF22790FC44034DB1C4739DEE6CE4228728
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                              • String ID:
                              • API String ID: 1239891234-0
                              • Opcode ID: 62484be6782a1868f2aab5373510e50ea99112a482b5237f41028b796158fad6
                              • Instruction ID: ec7dd7c93c2cafcbf5452b660a6186fd6c71989d302a7769adecfa476ec907f4
                              • Opcode Fuzzy Hash: 62484be6782a1868f2aab5373510e50ea99112a482b5237f41028b796158fad6
                              • Instruction Fuzzy Hash: 73313F36214F8086EB61DF66E8443EE73A4F789794F540226EB9D43BA9DF38C555CB00
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              • Associated: 00000001.00000002.1898459464.00007FF7B8800000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898606710.00007FF7B890D000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898606710.00007FF7B890F000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898697621.00007FF7B8911000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898825458.00007FF7B8AA0000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898853129.00007FF7B8AA4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID:
                              • String ID: $!$P
                              • API String ID: 0-2344582389
                              • Opcode ID: e65736c1dc54ff8f8e83bf8e017ecec5d9c8dafb1b82336238fa23b941b4cde6
                              • Instruction ID: 9ef4b1e6db54fe38d39d0e339fc83112036844567e9c950130fed250da0eafef
                              • Opcode Fuzzy Hash: e65736c1dc54ff8f8e83bf8e017ecec5d9c8dafb1b82336238fa23b941b4cde6
                              • Instruction Fuzzy Hash: 09F1E33292C68587E770BF18D0443BAF7A2EBAA340F808135DB4953789DF7CE4568B24
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: memcpy_s
                              • String ID:
                              • API String ID: 1502251526-3916222277
                              • Opcode ID: 1b748593274e8ddd9ac1e908b2a22b3d8043b10f383cd2471e7c6bd1e5b959b4
                              • Instruction ID: 0c772acccd2561090ae59935be1b1d13ce4e89495d086943b039690d891e3a67
                              • Opcode Fuzzy Hash: 1b748593274e8ddd9ac1e908b2a22b3d8043b10f383cd2471e7c6bd1e5b959b4
                              • Instruction Fuzzy Hash: 84C11B727156C58BEB61CF1AE148B9EB7A1F7887C8F048225EB4A43B94DB3CD845CB40
                              APIs
                              Strings
                              • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00000001400B8AC7
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: DebugDebuggerErrorLastOutputPresentString
                              • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                              • API String ID: 389471666-631824599
                              • Opcode ID: add000f596c63ba9086890ad2e143c759155224b8522789efc4995f79ab0692a
                              • Instruction ID: b3baff55db2af0ef0d3f7f0b280b4444a411bf90a176b58064316404aa57ab54
                              • Opcode Fuzzy Hash: add000f596c63ba9086890ad2e143c759155224b8522789efc4995f79ab0692a
                              • Instruction Fuzzy Hash: 98115A32210B4097F7569B27EA453EE33A4FB48784F44812ADB4983AB0EF78D0B4C750
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: Virtual$AllocInfoProtectQuerySystem
                              • String ID:
                              • API String ID: 3562403962-0
                              • Opcode ID: 321b67bc3dce9091cca3af2a8210c2363b0b24afac24e17171b156b639bc856e
                              • Instruction ID: 4258e1afaa6455873025acfe4853d78e6786f50bee1bce51619682f1dd863745
                              • Opcode Fuzzy Hash: 321b67bc3dce9091cca3af2a8210c2363b0b24afac24e17171b156b639bc856e
                              • Instruction Fuzzy Hash: 81312A32310A809EEB21DF36D8517D933A5FB4CB88F444126AB1E8BB68DF78D645C740
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: __std_exception_copy
                              • String ID: parse_error$value
                              • API String ID: 592178966-1739288027
                              • Opcode ID: 4326292a9e1bd08197330c810dc3064f2862c2b5b1b4a4d0327c770f3fb61afc
                              • Instruction ID: 421e330f328ad8b9b4ed95ecda8ee77e216b13cc7eff753dffc2ada38604a70e
                              • Opcode Fuzzy Hash: 4326292a9e1bd08197330c810dc3064f2862c2b5b1b4a4d0327c770f3fb61afc
                              • Instruction Fuzzy Hash: 8CF1AD72B20A8095EB12DB76E8413ED6362F7997D8F505712FB4D57AAAEF74C284C300
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: FormatInfoLocaleMessage
                              • String ID: !x-sys-default-locale
                              • API String ID: 4235545615-2729719199
                              • Opcode ID: 673506cb31d12670dfbde8b650ceb219f5d226973d02233bc6ec21ba9828e093
                              • Instruction ID: 6e8259666aaa04c0050ce825aa23775dbb0e3623261df5dc7e3128c0f8f5c655
                              • Opcode Fuzzy Hash: 673506cb31d12670dfbde8b650ceb219f5d226973d02233bc6ec21ba9828e093
                              • Instruction Fuzzy Hash: 90018072B04B8082E7528F63F8507EEA7A1F7887C4F484025EB4947BA8DB3CC5058B10
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: InfoLocale
                              • String ID: GetLocaleInfoEx
                              • API String ID: 2299586839-2904428671
                              • Opcode ID: 287f50d5c011b399992cb6bab078c34d72dd0b19453a01a46759c6e23c60aea6
                              • Instruction ID: b8b15d082959550375d872d2b4a574b6c35111f93f95d4160ec2587d11962505
                              • Opcode Fuzzy Hash: 287f50d5c011b399992cb6bab078c34d72dd0b19453a01a46759c6e23c60aea6
                              • Instruction Fuzzy Hash: 33016235704A8086EB459B5BB5447CEA760EB9DBC0F584436BF4917BB6CE38C5428740
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: CryptDataFreeLocalUnprotect
                              • String ID:
                              • API String ID: 1561624719-0
                              • Opcode ID: f21e6fa17400773df5219cb6799421ecb3cc2cfc6e973016af35922b380100ae
                              • Instruction ID: f86567b3b1ec8be5b490864e58408f9f676ebc34b96ddf5a885d773d0d40a402
                              • Opcode Fuzzy Hash: f21e6fa17400773df5219cb6799421ecb3cc2cfc6e973016af35922b380100ae
                              • Instruction Fuzzy Hash: 9A615832B14B809EE712DFB5E4403DD77A1E75878CF048225EB8917EAADB78C5A48340
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: CryptDataFreeLocalProtect
                              • String ID:
                              • API String ID: 2714945720-0
                              • Opcode ID: 9f4b79a0373a1bb07a1f6d57d23aee76defce310f3f699e5fe1e45333d4ada4c
                              • Instruction ID: 67641ed3af448434e7319fa557c5d406fdc98635340749bb2cffd34bed4cf3a5
                              • Opcode Fuzzy Hash: 9f4b79a0373a1bb07a1f6d57d23aee76defce310f3f699e5fe1e45333d4ada4c
                              • Instruction Fuzzy Hash: 57413232614A80CAE3218F75E8403ED37A5F75978CF444629BB8C07E9ADB79C5A48744
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: ErrorLast$EnumLocalesSystemValue
                              • String ID:
                              • API String ID: 3029459697-0
                              • Opcode ID: d452b71020bd1f022492bc6807cc192c2c9e031585c9895097b6e7427efa948c
                              • Instruction ID: 7ba68ebfd2e082917346c4e20934efbd0178457faff08846a1fb6ebd3dab0b21
                              • Opcode Fuzzy Hash: d452b71020bd1f022492bc6807cc192c2c9e031585c9895097b6e7427efa948c
                              • Instruction Fuzzy Hash: 8711B17BA046448AEB168F16D4807ED7BA1F7E8FE1F448225E765437E0DA74CAD1CB40
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: ErrorLast$EnumLocalesSystemValue
                              • String ID:
                              • API String ID: 3029459697-0
                              • Opcode ID: 8f5d73e62e28e10308f28ad075867fd029a0f79c06fa79334ee1fb58e0dcdad7
                              • Instruction ID: 650d51a00948b0b7b39d5f8c88aa00294e78a8c84a20bb39946b0cffb9075a66
                              • Opcode Fuzzy Hash: 8f5d73e62e28e10308f28ad075867fd029a0f79c06fa79334ee1fb58e0dcdad7
                              • Instruction Fuzzy Hash: 7801F776B0428086EB564F17E840BD976E2E7B8BE4F458322E77447AE4CB7888C5CB00
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: EnumLocalesSystem
                              • String ID:
                              • API String ID: 2099609381-0
                              • Opcode ID: 4f3cbd580663199aaccb01281376539d086b8c9a154dabf837bfd3fdbd7783f2
                              • Instruction ID: 1be20af52885482918bde62337cf613b9eed61835a97c3d623556c94da20431d
                              • Opcode Fuzzy Hash: 4f3cbd580663199aaccb01281376539d086b8c9a154dabf837bfd3fdbd7783f2
                              • Instruction Fuzzy Hash: 72F01472300B4483E606DB2AE8907D933A5FB9DBC0F548026EB4983375CF3CC6618300
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              • Associated: 00000001.00000002.1898459464.00007FF7B8800000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898606710.00007FF7B890D000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898606710.00007FF7B890F000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898697621.00007FF7B8911000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898825458.00007FF7B8AA0000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898853129.00007FF7B8AA4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: strcmp
                              • String ID: alnum$alpha$cntrl$digit$graph$lower$print$punct$space$upper$xdigit
                              • API String ID: 1004003707-2937198513
                              • Opcode ID: e67547db2ed2332a7f19e7dca95a45f00ddd27835b6d9e5c57363dc607d87d2e
                              • Instruction ID: 02e630f69285345c8a206e23744784a2df13370dbae9f189872e1d73f7e91f1e
                              • Opcode Fuzzy Hash: e67547db2ed2332a7f19e7dca95a45f00ddd27835b6d9e5c57363dc607d87d2e
                              • Instruction Fuzzy Hash: 0D31EA64A2E20383FA54BF5F9801775D2465F6A380FC46031DB0D866CDEE5CE866E23D
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: CloseHandle$Process32Token$InformationNextOpenProcess$ConvertCreateErrorFirstLastSnapshotStringToolhelp32
                              • String ID:
                              • API String ID: 3925315391-0
                              • Opcode ID: 28d5614d1b63fd56c69144723d55c5c830bd806274e720f9e0f5563932fef6bd
                              • Instruction ID: 908b3fb2f10a476486f2afa562155bdad7c3f4e7f03717297370fe69586da0b9
                              • Opcode Fuzzy Hash: 28d5614d1b63fd56c69144723d55c5c830bd806274e720f9e0f5563932fef6bd
                              • Instruction Fuzzy Hash: 0D815B36214B8082EB528B67F8407AEA7A5FB8CBD4F504125EF8D57B68DF78C546CB00
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              • Associated: 00000001.00000002.1898459464.00007FF7B8800000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898606710.00007FF7B890D000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898606710.00007FF7B890F000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898697621.00007FF7B8911000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898825458.00007FF7B8AA0000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898853129.00007FF7B8AA4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: ExceptionRaiseUnwindabort
                              • String ID: CCG $CCG $CCG!$CCG!$CCG"
                              • API String ID: 4140830120-3297834124
                              • Opcode ID: e45fc8471f7cc306109c62edf8b254349e2b495fbaec3812b0675ed500c917f7
                              • Instruction ID: 1d53d645c5d6e4cda7000674acce4fcea8d5104b57afb763fc25b23b7e491779
                              • Opcode Fuzzy Hash: e45fc8471f7cc306109c62edf8b254349e2b495fbaec3812b0675ed500c917f7
                              • Instruction Fuzzy Hash: 0D51C632A14B8182E760AB59E4447A9B370F79EB84F505226EF8D13768EF3DD993C704
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: Value$ErrorLast$Heap$AllocFree
                              • String ID:
                              • API String ID: 570795689-0
                              • Opcode ID: 20a63ad23df30dbf7d704f8b82e78d7ac72f052c437d19d22c322cc3c85e3d6b
                              • Instruction ID: 28dcf10232930b1ea106eb9cf858801f198c52737c0ab290223808406cbb09f8
                              • Opcode Fuzzy Hash: 20a63ad23df30dbf7d704f8b82e78d7ac72f052c437d19d22c322cc3c85e3d6b
                              • Instruction Fuzzy Hash: 88416C3031560082FA6BBB7795663E956824F4DBF1F580729BB761B7F2EE38C8418301
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              • Associated: 00000001.00000002.1898459464.00007FF7B8800000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898606710.00007FF7B890D000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898606710.00007FF7B890F000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898697621.00007FF7B8911000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898825458.00007FF7B8AA0000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898853129.00007FF7B8AA4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: fputc
                              • String ID: UUUU
                              • API String ID: 1992160199-1798160573
                              • Opcode ID: f77c88ed8e2e0546aa95018f39101ab1acda64fb455bfe48ab528bf610eb644e
                              • Instruction ID: 1c6bcf170e97eebd1e41345d29a30d77e0b82f43322699474aeda622261c03f4
                              • Opcode Fuzzy Hash: f77c88ed8e2e0546aa95018f39101ab1acda64fb455bfe48ab528bf610eb644e
                              • Instruction Fuzzy Hash: B5127772D2810287E765AF2DC150739F7E1EB66B58F948235CB0D466CCDA38E852CB68
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              • Associated: 00000001.00000002.1898459464.00007FF7B8800000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898606710.00007FF7B890D000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898606710.00007FF7B890F000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898697621.00007FF7B8911000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898825458.00007FF7B8AA0000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898853129.00007FF7B8AA4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: CriticalSection$DeleteEnterErrorInitializeLastLeaveValuefree
                              • String ID:
                              • API String ID: 100439675-0
                              • Opcode ID: 30aa02ae5bca33457ef710422f6a64a41ac8ead17b866e7ea412da05448c15c7
                              • Instruction ID: 7d992e43b2596a16d3dbbc4e9fc4816c17d4d064b4d823b47f4e26cc2158f521
                              • Opcode Fuzzy Hash: 30aa02ae5bca33457ef710422f6a64a41ac8ead17b866e7ea412da05448c15c7
                              • Instruction Fuzzy Hash: D8412E21A2E50287FA55BB59E840678E250AF7BB91FDC4435CB0D47698EF3CE8538368
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: Concurrency::cancel_current_task$std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                              • String ID: bad locale name$false$true
                              • API String ID: 164343898-1062449267
                              • Opcode ID: ae88cd937f36c9743e4cf492e26538404faf03bacae6fdef2e26eed03261b8a2
                              • Instruction ID: e066986b790d9d11d0d243cedda6a3cc5bafb9ebfb83a164bf58ddc58a77a579
                              • Opcode Fuzzy Hash: ae88cd937f36c9743e4cf492e26538404faf03bacae6fdef2e26eed03261b8a2
                              • Instruction Fuzzy Hash: 35711932711B408AFB16DFA2E4503EC33B5EB98788F044529AF4927BAADF38C555D385
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo
                              • String ID: 0$f$p$p
                              • API String ID: 3215553584-1202675169
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              • Associated: 00000001.00000002.1898459464.00007FF7B8800000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898606710.00007FF7B890D000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898606710.00007FF7B890F000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898697621.00007FF7B8911000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898825458.00007FF7B8AA0000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898853129.00007FF7B8AA4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: QueryVirtual
                              • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
                              • API String ID: 1804819252-1534286854
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: AddressFreeLibraryProc
                              • String ID: api-ms-$ext-ms-
                              • API String ID: 3013587201-537541572
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: fputc
                              • String ID:
                              • API String ID: 1992160199-0
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: Internet$CloseFileHandleOpenRead
                              • String ID: File Downloader
                              • API String ID: 4038090926-3631955488
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: AddressLibraryLoadProcwcslen
                              • String ID: 4.&.$J$TEMP$basic_string: construction from null is not valid
                              • API String ID: 1064947497-679671853
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: ExceptionRaise$abort
                              • String ID: CCG $CCG"$CCG"
                              • API String ID: 3325032505-1179968548
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: CriticalLeaveSectionfree
                              • String ID:
                              • API String ID: 1679108487-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: strcpy_s$_strlwr$ByteCharMultiWidestrstr
                              • String ID:
                              • API String ID: 606828236-0
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: strcmp
                              • String ID: B$B$B$I^2$$h}/9
                              • API String ID: 1004003707-632112022
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                              • String ID: CONOUT$
                              • API String ID: 3230265001-3130406586
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: fputc
                              • String ID:
                              • API String ID: 1992160199-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: ByteCharMultiWide$CompareInfoString
                              • String ID:
                              • API String ID: 2984826149-0
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: ImpersonateLoggedRevertSelfUser
                              • String ID: APPB
                              • API String ID: 1724704203-1278849820
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: ByteCharMultiStringWide
                              • String ID:
                              • API String ID: 2829165498-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: Byte$CharLeadMultiWide___lc_codepage_func___mb_cur_max_func
                              • String ID:
                              • API String ID: 2785433807-0
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: rand
                              • String ID: and $+-*/$Performing arithmetic operations on:
                              • API String ID: 415692148-3864222635
                              APIs
                              • GetLastError.KERNEL32 ref: 0000000140095A4F
                              • FlsSetValue.KERNEL32(?,?,-256325B0FF13704B,0000000140091B75,?,?,?,?,0000000140098C74), ref: 0000000140095A85
                              • FlsSetValue.KERNEL32(?,?,-256325B0FF13704B,0000000140091B75,?,?,?,?,0000000140098C74), ref: 0000000140095AB2
                              • FlsSetValue.KERNEL32(?,?,-256325B0FF13704B,0000000140091B75,?,?,?,?,0000000140098C74), ref: 0000000140095AC3
                              • FlsSetValue.KERNEL32(?,?,-256325B0FF13704B,0000000140091B75,?,?,?,?,0000000140098C74), ref: 0000000140095AD4
                              • SetLastError.KERNEL32 ref: 0000000140095AEF
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: Value$ErrorLast
                              • String ID:
                              • API String ID: 2506987500-0
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: __std_exception_destroy$ApisFile__std_fs_code_page
                              • String ID: ", "$: "
                              • API String ID: 741338541-747220369
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID: >$@$@$MF3A
                              • API String ID: 4139908857-2332176444
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID:
                              • String ID: basic_string::_M_create
                              • API String ID: 0-3122258987
                              • Opcode ID: 44b85481758d657289992c4c4b478202b050daf0a3589029b5cd0d7c519323b4
                              • Instruction ID: 3d8c2585763da543424a8c75d215488018768c3fe1df2abff2dc060a936849f5
                              • Opcode Fuzzy Hash: 44b85481758d657289992c4c4b478202b050daf0a3589029b5cd0d7c519323b4
                              • Instruction Fuzzy Hash: 0EA1FD62B2564689ED24BF19D8400B8E251AF76BE4FD88631DF2D473D5DF2CE4A2C314
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 64ea054b2a2157d068e8ab586f5ae1021de10276e6996cd183b54ca99c2502e6
                              • Instruction ID: ea3a16e4bd8444678ebc841e2bf61648690cb61ee83fa8306aa05157ec32abb8
                              • Opcode Fuzzy Hash: 64ea054b2a2157d068e8ab586f5ae1021de10276e6996cd183b54ca99c2502e6
                              • Instruction Fuzzy Hash: 93C16372E2915287E761BE28C014339F7A1EB69B58F998231CB0D57389CE3CEC52C764
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: strlen$CurrentPathProcessTempmemchrmemcpy
                              • String ID:
                              • API String ID: 1237187527-0
                              • Opcode ID: f4e7bedf47afd40fecaf14e77b810dd7dad75451e5cfdd79f2a6c94f68c429c1
                              • Instruction ID: 04ce81bc967ca1c5d2d944a41b424c57d0a0eccb9b6a6248310eabb2d85f633c
                              • Opcode Fuzzy Hash: f4e7bedf47afd40fecaf14e77b810dd7dad75451e5cfdd79f2a6c94f68c429c1
                              • Instruction Fuzzy Hash: C0A19322618B8582EB109B19E44036AE7A1FB96BD0F944235EFAD47BDCDF7CD016CB14
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: _set_statfp
                              • String ID:
                              • API String ID: 1156100317-0
                              • Opcode ID: f9d29a29cdd2ffd341ecb2d23d59fd5f68f4680a083a3d8e41450f0123bb1665
                              • Instruction ID: 51537d9657ec2fdfa4f10ec80af9299248d2a692f50d6fc6d23c4d355d044b15
                              • Opcode Fuzzy Hash: f9d29a29cdd2ffd341ecb2d23d59fd5f68f4680a083a3d8e41450f0123bb1665
                              • Instruction Fuzzy Hash: C881F4B2A24A8449F7778F3AA450BEABA60FB5D7D8F044315FB5A275F4DB34C5818A00
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: memcpy
                              • String ID: Result of $basic_string::_M_create
                              • API String ID: 3510742995-1160149181
                              • Opcode ID: ecf818389d4a64880c138437d3c7078a4c229c0a1f64958101a06294d39f3f93
                              • Instruction ID: 48f197325ab64fe895bd921d12e11bba02ed8e223d36681de3f64f81ccde95b4
                              • Opcode Fuzzy Hash: ecf818389d4a64880c138437d3c7078a4c229c0a1f64958101a06294d39f3f93
                              • Instruction Fuzzy Hash: A8413826B1A69652EB21BA19844027AE351AB22BD9FD44933CF1C07B8CDF2CE413C324
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: _set_statfp
                              • String ID:
                              • API String ID: 1156100317-0
                              • Opcode ID: ec8299edcefb6fa201b4cd1aeee9dcae6e47e61ba1c4a4a6e0c30bc807d4dc5c
                              • Instruction ID: 9eabe2c6862708b434ee5f188970f655e061dec2d8f65aedb1ea2276e73e5cc0
                              • Opcode Fuzzy Hash: ec8299edcefb6fa201b4cd1aeee9dcae6e47e61ba1c4a4a6e0c30bc807d4dc5c
                              • Instruction Fuzzy Hash: 6E11E5B2A60E0105F67A112BED463E925406B7C3F8F890725BF67072F68B38CCC18B24
                              APIs
                              • FlsGetValue.KERNEL32(?,?,?,000000014008D367,?,?,00000000,000000014008D602,?,?,?,?,-256325B0FF13704B,000000014008D58E), ref: 0000000140095B27
                              • FlsSetValue.KERNEL32(?,?,?,000000014008D367,?,?,00000000,000000014008D602,?,?,?,?,-256325B0FF13704B,000000014008D58E), ref: 0000000140095B46
                              • FlsSetValue.KERNEL32(?,?,?,000000014008D367,?,?,00000000,000000014008D602,?,?,?,?,-256325B0FF13704B,000000014008D58E), ref: 0000000140095B6E
                              • FlsSetValue.KERNEL32(?,?,?,000000014008D367,?,?,00000000,000000014008D602,?,?,?,?,-256325B0FF13704B,000000014008D58E), ref: 0000000140095B7F
                              • FlsSetValue.KERNEL32(?,?,?,000000014008D367,?,?,00000000,000000014008D602,?,?,?,?,-256325B0FF13704B,000000014008D58E), ref: 0000000140095B90
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: Value
                              • String ID:
                              • API String ID: 3702945584-0
                              • Opcode ID: 592592041d91ff65a3814a993f8ff53005f94ceea8684b4c31b9de786b746a68
                              • Instruction ID: 40ffcb6e7276c6b56e20ef340f0400dac99e19fffa2c2d3576c81a9cdb817faf
                              • Opcode Fuzzy Hash: 592592041d91ff65a3814a993f8ff53005f94ceea8684b4c31b9de786b746a68
                              • Instruction Fuzzy Hash: 5C118F7070924042FA5AAB77A6523E966825F8C7F0F444369BB3957BF6DF7CC4418701
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: Concurrency::cancel_current_task
                              • String ID: 3G
                              • API String ID: 118556049-4175570335
                              • Opcode ID: ea31b47cca7f9941543477e0ef4a89234e63e907905875329dbbaa8dc0ab6de9
                              • Instruction ID: ecd787d7bad4783b418fa305d3fcccd9f8caea627933b618d2d429a6fbf68683
                              • Opcode Fuzzy Hash: ea31b47cca7f9941543477e0ef4a89234e63e907905875329dbbaa8dc0ab6de9
                              • Instruction Fuzzy Hash: B8E1AD73311B8485EA66DB66E4447AA73A4F758BE4F144725AFAD07BE5EF38C290C300
                              APIs
                              • VirtualProtect.KERNEL32(00007FF7B8A9F060,00007FF7B8A9F068,00007FF7B8A9F0B0,?,?,?,?,00000001,00007FF7B8801244), ref: 00007FF7B881A8F3
                              Strings
                              • %d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00007FF7B881AA8A
                              • Unknown pseudo relocation bit size %d., xrefs: 00007FF7B881AA74
                              • Unknown pseudo relocation protocol version %d., xrefs: 00007FF7B881AA96
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: ProtectVirtual
                              • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
                              • API String ID: 544645111-1286557213
                              • Opcode ID: e2176e22cacbc1e56bd42fc89a58474ee1bbcd1f4fcc8751c36bb341390877a3
                              • Instruction ID: b22edca21e3cda68762b358c09c0e83156e0363703058f9d460c6a84ee1230ee
                              • Opcode Fuzzy Hash: e2176e22cacbc1e56bd42fc89a58474ee1bbcd1f4fcc8751c36bb341390877a3
                              • Instruction Fuzzy Hash: BB91D726E2950247EA10775CD900679E361AF7A764F948231CB2D07BDCEE3CE8638328
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo
                              • String ID: UTF-16LEUNICODE$UTF-8$ccs
                              • API String ID: 3215553584-1196891531
                              • Opcode ID: 851a617801b4cfd31061c4c6c380f6ef5142011fd0a99ac6d62129d95d7a0a73
                              • Instruction ID: c25c3288be8e472c6befd42f9ca98e390cbf50fe56392b6ea39b80f7af3d53ba
                              • Opcode Fuzzy Hash: 851a617801b4cfd31061c4c6c380f6ef5142011fd0a99ac6d62129d95d7a0a73
                              • Instruction Fuzzy Hash: F8819DB2600A4086FB778FABC1507F93BB0A31ABC8F658005FB4667AB5D33DC9429711
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: std::_$GetcollLocinfo::_Locinfo_ctorLockitLockit::_
                              • String ID: bad locale name
                              • API String ID: 1287851536-1405518554
                              • Opcode ID: a74d05edcc680aa49797f08e4eedccf6035f239cca559bda27cab53509a1a993
                              • Instruction ID: 2dd48ec296852500dd2f0364dd46106788e004d0cc0eadaa75e91df770a0f7fb
                              • Opcode Fuzzy Hash: a74d05edcc680aa49797f08e4eedccf6035f239cca559bda27cab53509a1a993
                              • Instruction Fuzzy Hash: 5C714B32702B408AFB16DFB6D4903DC3376AB48B98F044125EF592BBAADE348555D389
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: __std_exception_destroy
                              • String ID: at line $, column
                              • API String ID: 2453523683-191570568
                              • Opcode ID: 24fe7f42ac002282dae115578377fdd728047d5eb7b3d8577a3df730c4bd1d07
                              • Instruction ID: f5178fb3b268f0b48bb0946d76aaafe813ca48c51b666f22c5d6955aa079505b
                              • Opcode Fuzzy Hash: 24fe7f42ac002282dae115578377fdd728047d5eb7b3d8577a3df730c4bd1d07
                              • Instruction Fuzzy Hash: E851A072B04B8081EA11DB1AF58039EB761F799BD4F104212FBA907BAADF79C591C740
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: std::_$GetctypeLocinfo::_Locinfo_ctorLockitLockit::_
                              • String ID: bad locale name
                              • API String ID: 1612978173-1405518554
                              • Opcode ID: b3b85aaa9564d3eb53080caaeaa34e3804193ba04b17ecad880dd215a6707056
                              • Instruction ID: 974744e1641dd82f39cde997d7380458ab7219ed9018711764406166cb430a43
                              • Opcode Fuzzy Hash: b3b85aaa9564d3eb53080caaeaa34e3804193ba04b17ecad880dd215a6707056
                              • Instruction Fuzzy Hash: A2512A36711B408AEB16DFB2E4907ED33B5FB48788F044429EB4A27AA5DF34C915D384
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: Open
                              • String ID: ?
                              • API String ID: 71445658-1684325040
                              • Opcode ID: 9ce2cab3e5638af268662656aab553d784792685103362ac06a3506950342615
                              • Instruction ID: de8b63d0aba4a3d42243ea9766a5ca2326035d68d787c69f021cc9a1ee6e9200
                              • Opcode Fuzzy Hash: 9ce2cab3e5638af268662656aab553d784792685103362ac06a3506950342615
                              • Instruction Fuzzy Hash: 43418E72619B8482EA518B26F4803AEB760F79D7D4F105216FB9A43AA9DF3CC094CB40
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID:
                              • String ID: CCG
                              • API String ID: 0-1584390748
                              • Opcode ID: d3dbc5fc667eaa8116ddc9648ae4a223ff8f86823c9b38466b26c19195cb2a75
                              • Instruction ID: ab82929384c68d686b40af2b673ba23911195f0c40cd869c557a2fdf9b1a4957
                              • Opcode Fuzzy Hash: d3dbc5fc667eaa8116ddc9648ae4a223ff8f86823c9b38466b26c19195cb2a75
                              • Instruction Fuzzy Hash: 5D215E60F2918247FA68726DD151338E1829FAF760F984935C71D863DDDD1CA8E3413D
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: AddressHandleModuleProc
                              • String ID: GetTempPath2W$kernel32.dll
                              • API String ID: 1646373207-1846531799
                              • Opcode ID: feccffff2a60b544ffbbbafe503937a9e42bf7f10482beb47b79b4c0f892a682
                              • Instruction ID: b479fef3ac197ef4dce19ec26a24247ec8550dec43ddafd548e24bb2c55acab6
                              • Opcode Fuzzy Hash: feccffff2a60b544ffbbbafe503937a9e42bf7f10482beb47b79b4c0f892a682
                              • Instruction Fuzzy Hash: 9EE01A75704B0582EE469B12F9987AD2361FF8CBC4F589029EB1E07334DE3CD4869B00
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: freememcpystrlen
                              • String ID:
                              • API String ID: 2208669145-0
                              • Opcode ID: 616034b4082db6133acc050cdb7f1ef8251caf1ace96c15328d116e499333b8e
                              • Instruction ID: 9c5d4cdfd26ad83e7099dba629c5e9ec85fa04a65d3d3fea2497901b9ffe0062
                              • Opcode Fuzzy Hash: 616034b4082db6133acc050cdb7f1ef8251caf1ace96c15328d116e499333b8e
                              • Instruction Fuzzy Hash: A331ED61A2964287F9627E19EA00379D2515F66BE0F988230DF5E87BCCDE3CD4534314
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: FileWrite$ConsoleErrorLastOutput
                              • String ID:
                              • API String ID: 2718003287-0
                              • Opcode ID: 7f3eb5a86098c1c517e33af41decd246e6b98b795eba64b701eaa93da67d498f
                              • Instruction ID: a6b027b0e07357715d3c80cbbe1cd0166f8b724c902756b6abe27a254a4597ff
                              • Opcode Fuzzy Hash: 7f3eb5a86098c1c517e33af41decd246e6b98b795eba64b701eaa93da67d498f
                              • Instruction Fuzzy Hash: F1D1AB32714A808AEB22CF7AD4403EC37B5F358BD8F548216EF5997BA9DA34C556CB40
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: strlen
                              • String ID: t$ty$y
                              • API String ID: 39653677-1920740250
                              • Opcode ID: 87489741a1c735bb47c7c7fa151bb2518af881d747d5548b986082c319ae107a
                              • Instruction ID: 9969eeaad12e045a87b017ed43eeb7b22423e61e7e0659d368b949abfa48d99c
                              • Opcode Fuzzy Hash: 87489741a1c735bb47c7c7fa151bb2518af881d747d5548b986082c319ae107a
                              • Instruction Fuzzy Hash: 20E11D725087C2C6E7568F38C0143E87AA1EB2AF4CF4C8135CB990B799DBBE94959335
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: ConsoleErrorLastMode
                              • String ID:
                              • API String ID: 953036326-0
                              • Opcode ID: 0064717757fb816ba36e302a15913e1cbdafe464b3098268c38cec24d04983ad
                              • Instruction ID: e0bad62a638c68990d328d5793b8bdc1d639ed9625066bc4d5269d2327d8b571
                              • Opcode Fuzzy Hash: 0064717757fb816ba36e302a15913e1cbdafe464b3098268c38cec24d04983ad
                              • Instruction Fuzzy Hash: D991B1B261065089FB62CF6698807ED2BA0F74CBD8F48511AFF4A67BA5DB34C485CB11
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: strcmp
                              • String ID: (
                              • API String ID: 1004003707-3887548279
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              • Associated: 00000001.00000002.1898459464.00007FF7B8800000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898606710.00007FF7B890D000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898606710.00007FF7B890F000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898697621.00007FF7B8911000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898825458.00007FF7B8AA0000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898853129.00007FF7B8AA4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: strlen
                              • String ID: a$a$rm
                              • API String ID: 39653677-3573517395
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              • Associated: 00000001.00000002.1898459464.00007FF7B8800000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898606710.00007FF7B890D000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898606710.00007FF7B890F000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898697621.00007FF7B8911000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898825458.00007FF7B8AA0000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898853129.00007FF7B8AA4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: memcpy
                              • String ID: basic_string::_M_create
                              • API String ID: 3510742995-3122258987
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo$_get_daylight
                              • String ID:
                              • API String ID: 72036449-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              • Associated: 00000001.00000002.1898459464.00007FF7B8800000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898606710.00007FF7B890D000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898606710.00007FF7B890F000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898697621.00007FF7B8911000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898825458.00007FF7B8AA0000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898853129.00007FF7B8AA4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: ___lc_codepage_funcfputclocaleconv
                              • String ID:
                              • API String ID: 1339002523-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: EnvironmentInitStringStringsUnicode$Free
                              • String ID:
                              • API String ID: 2488768755-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: std::_$LockitLockit::_$Concurrency::cancel_current_taskFacet_RegisterSetgloballocalestd::locale::_
                              • String ID:
                              • API String ID: 3698853521-0
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              • Associated: 00000001.00000002.1898459464.00007FF7B8800000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898606710.00007FF7B890D000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898606710.00007FF7B890F000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898697621.00007FF7B8911000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898825458.00007FF7B8AA0000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898853129.00007FF7B8AA4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: memcpymemmove
                              • String ID: basic_ios::clear$basic_string::_M_replace
                              • API String ID: 167125708-1781676995
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              • Associated: 00000001.00000002.1898459464.00007FF7B8800000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898606710.00007FF7B890D000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898606710.00007FF7B890F000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898697621.00007FF7B8911000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898825458.00007FF7B8AA0000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898853129.00007FF7B8AA4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: strcmp
                              • String ID: $ : $new
                              • API String ID: 1004003707-2075650739
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: std::_$LockitLockit::_$Concurrency::cancel_current_taskFacet_Register
                              • String ID:
                              • API String ID: 1168246061-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: std::_$LockitLockit::_$Concurrency::cancel_current_taskFacet_Register
                              • String ID:
                              • API String ID: 1168246061-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: std::_$LockitLockit::_$Concurrency::cancel_current_taskFacet_Register
                              • String ID:
                              • API String ID: 1168246061-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: std::_$LockitLockit::_$Concurrency::cancel_current_taskFacet_Register
                              • String ID:
                              • API String ID: 1168246061-0
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              • Associated: 00000001.00000002.1898459464.00007FF7B8800000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898606710.00007FF7B890D000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898606710.00007FF7B890F000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898697621.00007FF7B8911000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898825458.00007FF7B8AA0000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898853129.00007FF7B8AA4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: memcpystrlen
                              • String ID: basic_string::_M_replace$basic_string::_S_construct null not valid
                              • API String ID: 3412268980-2381965344
                              APIs
                              • Sleep.KERNEL32(00000000,00000003,00007FF7B8A9F1A0,00007FF7B88257BF), ref: 00007FF7B88256B5
                              • InitializeCriticalSection.KERNEL32(00000000,00000003,00007FF7B8A9F1A0,00007FF7B88257BF), ref: 00007FF7B88256F8
                              • InitializeCriticalSection.KERNEL32 ref: 00007FF7B88256FE
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              • Associated: 00000001.00000002.1898459464.00007FF7B8800000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898606710.00007FF7B890D000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898606710.00007FF7B890F000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898697621.00007FF7B8911000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898825458.00007FF7B8AA0000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898853129.00007FF7B8AA4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: CriticalInitializeSection$Sleep
                              • String ID: *
                              • API String ID: 1960909292-3311777216
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: ByteCharErrorLastMultiWide
                              • String ID:
                              • API String ID: 203985260-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: Handle$AddressAttributesCloseErrorFeatureFileLastModulePresentProcProcessor__std_fs_open_handle
                              • String ID:
                              • API String ID: 156590933-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                              • String ID:
                              • API String ID: 2933794660-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              • Associated: 00000001.00000002.1898459464.00007FF7B8800000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898606710.00007FF7B890D000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898606710.00007FF7B890F000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898697621.00007FF7B8911000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898825458.00007FF7B8AA0000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898853129.00007FF7B8AA4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: _strlwrstrcpy_s
                              • String ID:
                              • API String ID: 3746470816-0
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: Concurrency::cancel_current_task
                              • String ID: invalid hash bucket count
                              • API String ID: 118556049-1101463472
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID:
                              • String ID: [json.exception.
                              • API String ID: 0-791563284
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                              • String ID: bad locale name
                              • API String ID: 3988782225-1405518554
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                              • String ID: bad locale name
                              • API String ID: 3988782225-1405518554
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: _get_daylight$_invalid_parameter_noinfo
                              • String ID: ?
                              • API String ID: 1286766494-1684325040
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: ErrorFileLastWrite
                              • String ID: U
                              • API String ID: 442123175-4171548499
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: _set_errno_from_matherr
                              • String ID: exp
                              • API String ID: 1187470696-113136155
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1896459053.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_140000000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: ExceptionFileHeaderRaise
                              • String ID: csm
                              • API String ID: 2573137834-1018135373
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              • Associated: 00000001.00000002.1898459464.00007FF7B8800000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898606710.00007FF7B890D000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898606710.00007FF7B890F000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898697621.00007FF7B8911000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898825458.00007FF7B8AA0000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1898853129.00007FF7B8AA4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: fprintf
                              • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                              • API String ID: 383729395-3474627141
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: fprintf
                              • String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
                              • API String ID: 383729395-4283191376
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: fprintf
                              • String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
                              • API String ID: 383729395-2713391170
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: fprintf
                              • String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
                              • API String ID: 383729395-2187435201
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: fprintf
                              • String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
                              • API String ID: 383729395-4064033741
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: fprintf
                              • String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
                              • API String ID: 383729395-4273532761
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: fprintf
                              • String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
                              • API String ID: 383729395-2468659920
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1898493187.00007FF7B8801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8800000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_7ff7b8800000_phantomtoolsv2.jbxd
                              Similarity
                              • API ID: malloc$memcpystrlen
                              • String ID:
                              • API String ID: 3553820921-0